Changeset 14722 for trunk/plugins

Timestamp:

12/06/10 21:55:02 (18 months ago)

Author:

Alexander Trofimov

Message:

Ticket #2312

Location:

trunk/plugins/phpids/IDS

Files:

• Caching/Apc.php (added)
• Caching/Database.php (modified) (7 diffs)
• Caching/Factory.php (modified) (1 diff)
• Caching/File.php (modified) (2 diffs)
• Caching/Memcached.php (modified) (3 diffs)
• Caching/Session.php (modified) (2 diffs)
• Config/Config.ini.php (added)
• Converter.php (modified) (16 diffs)
• Event.php (modified) (1 diff)
• Filter.php (modified) (3 diffs)
• Log/Database.php (modified) (8 diffs)
• Log/Email.php (modified) (3 diffs)
• Log/File.php (modified) (4 diffs)
• Monitor.php (modified) (9 diffs)
• Report.php (modified) (1 diff)
• Version.php (modified) (1 diff)
• default_filter.json (modified) (1 diff)
• default_filter.xml (modified) (22 diffs)

trunk/plugins/phpids/IDS/Caching/Database.php

@@ -107 +107 @@
      *
      * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param object $init the IDS_Init object
      * 
      * @return void
@@ -122 +122 @@
      * Returns an instance of this class
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @static
+     * @param  string $type caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return object $this
@@ -194 +195 @@
 
         } catch (PDOException $e) {
-            die('PDOException: ' . $e->getMessage());
+            throw new PDOException('PDOException: ' . $e->getMessage());
         }
         return false;
@@ -202 +203 @@
      * Connect to database and return a handle
      *
-     * @return object dbh
+     * @return object PDO
+     * @throws Exception if connection parameters are faulty
      * @throws PDOException if a db error occurred
      */
@@ -227 +229 @@
             );
             $handle->setAttribute(
-                PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, true
+                PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, true
             );
 
         } catch (PDOException $e) {
-            die('PDOException: ' . $e->getMessage());
+            throw new PDOException('PDOException: ' . $e->getMessage());
         }
         return $handle;
@@ -242 +244 @@
      * @param array  $data   the caching data
      * 
-     * @return object dbh
+     * @return object PDO
      * @throws PDOException if a db error occurred
      */    
@@ -276 +278 @@
     
         } catch (PDOException $e) {
-            die('PDOException: ' . $e->getMessage());
+            throw new PDOException('PDOException: ' . $e->getMessage());
         }    
     }

trunk/plugins/phpids/IDS/Caching/Factory.php

@@ -55 +55 @@
      * Factory method
      *
-     * @param array  $init the IDS_Init object
-     * @param string $type the caching type
+     * @param  object $init the IDS_Init object
+     * @param  string $type the caching type
      * 
      * @return object the caching facility

trunk/plugins/phpids/IDS/Caching/File.php

@@ -84 +84 @@
      * Constructor
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return void
@@ -106 +106 @@
      * Returns an instance of this class
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return object $this

trunk/plugins/phpids/IDS/Caching/Memcached.php

@@ -92 +92 @@
      * Constructor
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type caching type
+     * @param  array  $init the IDS_Init object
      * 
-     * @throws Exception if necessary files aren't writeable
      * @return void
      */
@@ -110 +109 @@
      * Returns an instance of this class
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return object $this
@@ -128 +127 @@
      * Writes cache data
      *
-     * @param array $data the caching data
+     * @param  array $data the caching data
      * 
-     * @throws Exception if necessary files aren't writeable
      * @return object $this
      */

trunk/plugins/phpids/IDS/Caching/Session.php

@@ -77 +77 @@
      * Constructor
      *
-     * @param string $type caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return void
@@ -91 +91 @@
      * Returns an instance of this class
      *
-     * @param string $type   caching type
-     * @param array  $init the IDS_Init object
+     * @param  string $type   caching type
+     * @param  object $init the IDS_Init object
      * 
      * @return object $this

trunk/plugins/phpids/IDS/Converter.php

@@ -87 +87 @@
     public static function convertFromRepetition($value) 
     {
-        // remove obvios repetition patterns
+        // remove obvios repetition patterns
         $value = preg_replace(
             '/(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})/', 
@@ -135 +135 @@
      * @return string
      */
-    public static function convertFromNewLines($value)
+    public static function convertFromWhiteSpace($value)
     {
         //check for inline linebreaks
         $search = array('\r', '\n', '\f', '\t', '\v');
         $value  = str_replace($search, ';', $value);
+
+        // replace replacement characters regular spaces
+        $value = str_replace('�', ' ', $value);
 
         //convert real linebreaks
@@ -260 +263 @@
             $value    .= "\n" . str_replace(';;', ';', $converted);
         }
-
+        // normalize obfuscated protocol handlers
+        $value = preg_replace(
+            '/(?:j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*)|(d\s*a\s*t\s*a\s*)/ms', 
+            'javascript', $value
+        );
+        
         return $value;
     }
@@ -295 +303 @@
     {
         $matches = array();
-        if(preg_match_all('/(?:0x[a-f\d]{2,}[a-f\d]*)+/im', $value, $matches)) {
-            foreach($matches[0] as $match) {
+        if(preg_match_all('/(?:(?:\A|[^\d])0x[a-f\d]{2,}[a-f\d]*)+/im', $value, $matches)) {
+            foreach($matches[0] as $match) {
                 $converted = '';
                 foreach(str_split($match, 2) as $hex_index) {
@@ -325 +333 @@
             '(?:(?:^|\W)IN[+\s]*\([\s\d"]+[^()]*\))/ims');
         $value   = preg_replace($pattern, '"=0', $value);
-        $value   = preg_replace('/\W+\s+like\s+\W+/', ' 1 like 1 ', $value);
-        $value   = preg_replace('/null[,\s]/ims', ',0', $value);
+        $value   = preg_replace('/\W+\s*like\s*\W+/ims', '1" OR "1"', $value);
+        $value   = preg_replace('/null[,"\s]/ims', ',0', $value);
+        $value   = preg_replace('/\d+\./ims', ' 1', $value);
         $value   = preg_replace('/,null/ims', ',0', $value);
         $value   = preg_replace('/(?:between|mod)/ims', 'or', $value);
@@ -333 +342 @@
         $pattern = array('/[^\w,(]NULL|\\\N|TRUE|FALSE|UTC_TIME|' .
                          'LOCALTIME(?:STAMP)?|CURRENT_\w+|BINARY|' .
-                         '(?:(?:ASCII|SOUNDEX|' .
+                         '(?:(?:ASCII|SOUNDEX|FIND_IN_SET|' .
                          'MD5|R?LIKE)[+\s]*\([^()]+\))|(?:-+\d)/ims');
         $value   = preg_replace($pattern, 0, $value);
         $pattern = array('/(?:NOT\s+BETWEEN)|(?:IS\s+NOT)|(?:NOT\s+IN)|' .
-                         '(?:XOR|\WDIV\W|\WNOT\W|<>|RLIKE(?:\s+BINARY)?)|' .
+                         '(?:XOR|\WDIV\W|<>|RLIKE(?:\s+BINARY)?)|' .
                          '(?:REGEXP\s+BINARY)|' .
                          '(?:SOUNDS\s+LIKE)/ims');
@@ -361 +370 @@
             chr(0), chr(1), chr(2), chr(3), chr(4), chr(5),
             chr(6), chr(7), chr(8), chr(11), chr(12), chr(14),
-            chr(15), chr(16), chr(17), chr(18), chr(19),
-            chr(192), chr(193), chr(238), chr(255)
+            chr(15), chr(16), chr(17), chr(18), chr(19), chr(24), 
+            chr(25), chr(192), chr(193), chr(238), chr(255)
         );
         
         $value = str_replace($search, '%00', $value);
-        $urlencoded = urlencode($value);
 
         //take care for malicious unicode characters
@@ -419 +427 @@
         foreach ($matches[1] as $item) {
             if (isset($item) && !preg_match('/[a-f0-9]{32}/i', $item)) {
-                $base64_item = base64_decode($item);
+                $base64_item = base64_decode($item);
                 $value = str_replace($item, $base64_item, $value);
             }
@@ -440 +448 @@
         foreach ($values as $item) {
             if (ord($item) >= 127) {
-                $value = str_replace($item, 'U', $value);
+                $value = str_replace($item, ' ', $value);
             }
         }
@@ -482 +490 @@
         if (!empty($matches[0])) {
             foreach ($matches[0] as $match) {
-                $chr = chr(hexdec(substr($match, 2, 4))); 
+                $chr = chr(hexdec(substr($match, 2, 4))); 
                 $value = str_replace($match, $chr, $value);
             }
@@ -490 +498 @@
         return $value;
     }
-
 
     /**
@@ -608 +615 @@
      * This method collects and decodes proprietary encoding types
      *
-     * @param string      $value   the value to convert
-     * @param IDS_Monitor $monitor the monitor object
+     * @param string $value the value to convert
      *
      * @static
@@ -653 +659 @@
         $value = preg_replace('/(\w\s)&\s(\w)/', '$1$2', $value);
         
-        //normalize JS backspace linebreaks
-        $value = preg_replace('/^\/|\/$|,\/\n|\/,|[\\\]+\s{4}/', null, $value);
+        //normalize escaped RegExp modifiers
+        $value = preg_replace('/\/\\\(\w)/', '/$1', $value);        
         
         return $value;
@@ -671 +677 @@
     {
         $threshold = 3.49;
-
         if (strlen($value) > 25) {
             
@@ -677 +682 @@
             $tmp_value = preg_replace('/\s{4}|==$/m', null, $value);
             $tmp_value = preg_replace(
-                '/\s{4}|[\p{L}\d\+\-,.%()]{8,}/m', 
+                '/\s{4}|[\p{L}\d\+\-=,.%()]{8,}/m', 
                 'aaa', 
                 $tmp_value
@@ -686 +691 @@
             $tmp_value = preg_replace('/"[\p{L}\d\s]+"/m', null, $tmp_value);
 
-            $stripped_length = strlen(preg_replace('/[\d\s\p{L}\.:,%&\/><\-)!]+/m',
+            $stripped_length = strlen(preg_replace('/[\d\s\p{L}\.:,%&\/><\-)!|]+/m',
                 null, $tmp_value));
             $overall_length  = strlen(

trunk/plugins/phpids/IDS/Event.php

@@ -219 +219 @@
      * Returns an iterator to iterate over the appended filters.
      *
-     * @return Iterator|IteratorAggregate
+     * @return ArrayObject the filter collection
      */
     public function getIterator() 

trunk/plugins/phpids/IDS/Filter.php

@@ -84 +84 @@
      * Constructor
      *
+     * @param integer $id          filter id
      * @param mixed   $rule        filter rule
      * @param string  $description filter description
@@ -93 +94 @@
     public function __construct($id, $rule, $description, array $tags, $impact) 
     {
-        $this->id          = $id;
+        $this->id          = $id;
         $this->rule        = $rule;
         $this->tags        = $tags;
@@ -174 +175 @@
     public function getId() 
     {
-        return $this->id;
+        return $this->id;
     }
 }

trunk/plugins/phpids/IDS/Log/Database.php

@@ -45 +45 @@
       `value` text NOT null,
       `page` varchar(255) NOT null,
+      `tags` varchar(128) NOT null,
       `ip` varchar(15) NOT null,
       `impact` int(11) unsigned NOT null,
@@ -143 +144 @@
      * 
      * @return void
+     * @throws PDOException if a db error occurred
      */
     protected function __construct($config) 
@@ -161 +163 @@
 
         // determine correct IP address
-        if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') {
+        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+        } else {
             $this->ip = $_SERVER['REMOTE_ADDR'];
-        } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-            $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
         }
 
@@ -179 +181 @@
                     value,
                     page,
+                    tags,
                     ip,
                     impact,
@@ -188 +191 @@
                     :value,
                     :page,
+                    :tags,
                     :ip,
                     :impact,
@@ -196 +200 @@
 
         } catch (PDOException $e) {
-            die('PDOException: ' . $e->getMessage());
+            throw new PDOException('PDOException: ' . $e->getMessage());
         }
     }
@@ -206 +210 @@
      * an array.
      *
-     * @param mixed $config IDS_Init | array
-     * @param string the class name to use
+     * @param  mixed  $config    IDS_Init | array
+     * @param  string $classname the class name to use
      * 
      * @return object $this
@@ -261 +265 @@
             $value  = $event->getValue();
             $impact = $event->getImpact();
+            $tags   = implode(', ', $event->getTags());
 
             $this->statement->bindParam('name', $name);
             $this->statement->bindParam('value', $value);
             $this->statement->bindParam('page', $page);
+            $this->statement->bindParam('tags', $tags);
             $this->statement->bindParam('ip', $ip);
             $this->statement->bindParam('impact', $impact);

trunk/plugins/phpids/IDS/Log/Email.php

@@ -176 +176 @@
      * IDS_Init or an array.
      *
-     * @param mixed  $config IDS_Init | array
-     * @param string the class name to use
+     * @param  mixed  $config    IDS_Init | array
+     * @param  string $classname the class name to use
      *
      * @return object $this
@@ -282 +282 @@
             $attackedParameters .= $event->getName() . '=' .
                 ((!isset($this->urlencode) ||$this->urlencode) 
-                    ? urlencode($event->getValue()) 
-                    : $event->getValue()) . ", ";
+                    ? urlencode($event->getValue()) 
+                    : $event->getValue()) . ", ";
         }
 
@@ -293 +293 @@
                        $this->ip,
                        date('c'),
-                       $event->getImpact(),
+                       $data->getImpact(),
                        join(' ', $data->getTags()),
                        trim($attackedParameters),
-                       urlencode($_SERVER['REQUEST_URI']),
+                       htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'),
                        $_SERVER['SERVER_ADDR']);
     }

trunk/plugins/phpids/IDS/Log/File.php

@@ -88 +88 @@
 
         // determine correct IP address
-        if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') {
+        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+        } else {
             $this->ip = $_SERVER['REMOTE_ADDR'];
-        } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-            $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
         }
 
@@ -104 +104 @@
      * instance for each file can be initiated.
      *
-     * @param mixed $config IDS_Init or path to a file
-     * @param string the class name to use
+     * @param  mixed  $config    IDS_Init or path to a file
+     * @param  string $classname the class name to use
      * 
      * @return object $this
@@ -159 +159 @@
                               $this->ip,
                               date('c'),
-                              $event->getImpact(),
+                              $data->getImpact(),
                               join(' ', $data->getTags()),
                               trim($attackedParameters),
@@ -171 +171 @@
      * Stores given data into a file
      *
-     * @param object $data IDS_Report
+     * @param  object $data IDS_Report
      * 
      * @throws Exception if the logfile isn't writeable
-     * @return mixed
+     * @return boolean
      */
     public function execute(IDS_Report $data) 

trunk/plugins/phpids/IDS/Monitor.php

@@ -304 +304 @@
 
         // check if this field is part of the exceptions
-        if (is_array($this->exceptions)
-            && in_array($key, $this->exceptions, true)) {
-            return false;
+        if (is_array($this->exceptions)) {
+            foreach($this->exceptions as $exception) {
+                $matches = array();
+                if(preg_match('/(\/.*\/[^eE]*)$/', $exception, $matches)) {
+                    if(isset($matches[1]) && preg_match($matches[1], $key)) {
+                        return false;
+                    } 
+                } else {
+                    if($exception === $key) {
+                        return false;
+                    }
+                }
+            }
         }
 
@@ -372 +382 @@
      * @param  mixed $value
      * @since  0.5
+     * @throws Exception
      *
      * @return array
@@ -405 +416 @@
         }
 
+        $value = preg_replace('/[\x0b-\x0c]/', ' ', $value);
+        $key = preg_replace('/[\x0b-\x0c]/', ' ', $key);   
+
         $purified_value = $this->htmlpurifier->purify($value);
         $purified_key   = $this->htmlpurifier->purify($key);
@@ -475 +489 @@
         $purified = preg_replace('/\s+alt="[^"]*"/m', null, $purified);
         $purified = preg_replace('/=?\s*"\s*"/m', null, $purified);
-
+        
+        $original = preg_replace('/\s+alt="[^"]*"/m', null, $original);
         $original = preg_replace('/=?\s*"\s*"/m', null, $original);
-        $original = preg_replace('/\s+alt=?/m', null, $original);
-
-        // check which string is longer
-        $length = (strlen($original) - strlen($purified));
+        $original = preg_replace('/style\s*=\s*([^"])/m', 'style = "$1', $original);
+        
+        # strip whitespace between tags
+        $original = trim(preg_replace('/>\s*</m', '><', $original));
+        $purified = trim(preg_replace('/>\s*</m', '><', $purified));
+        
+        $original = preg_replace(
+            '/(=\s*(["\'`])[^>"\'`]*>[^>"\'`]*["\'`])/m', 'alt$1', $original
+        );
+
+        // no purified html is left
+        if (!$purified) {
+            return $original;
+        }
+        
+        // calculate the diff length
+        $length = mb_strlen($original) - mb_strlen($purified);
+
         /*
          * Calculate the difference between the original html input
          * and the purified string.
          */
-        if ($length > 0) {
-            $array_2 = str_split($original);
-            $array_1 = str_split($purified);
+        $array_1 = str_split(html_entity_decode(urldecode($original)));
+        $array_2 = str_split($purified);
+
+        // create an array containing the single character differences
+        $differences = array();
+        foreach ($array_1 as $key => $value) {
+            if (!isset($array_2[$key]) || $value !== $array_2[$key]) {
+                $differences[] = $value;
+            }
+        }
+
+        // return the diff - ready to hit the converter and the rules
+        if(intval($length) <= 10) {
+            $diff = trim(join('', $differences));
         } else {
-            $array_1 = str_split($original);
-            $array_2 = str_split($purified);
-        }
-        foreach ($array_2 as $key => $value) {
-            if ($value !== $array_1[$key]) {
-                $array_1   = array_reverse($array_1);
-                $array_1[] = $value;
-                $array_1   = array_reverse($array_1);
-            }
-        }
-
-        // return the diff - ready to hit the converter and the rules
-        $diff = trim(join('', array_reverse(
-            (array_slice($array_1, 0, $length)))));
+            $diff = substr(trim(join('', $differences)), 0, strlen($original));
+        }
 
         // clean up spaces between tag delimiters
@@ -511 +539 @@
             '|applet|base|img|style)/m', '<$1', $diff);
 
-        if ($original == $purified && !$redux) {
+        if (strlen($diff) < 4) {
             return null;
         }
@@ -538 +566 @@
             $value = $this->tmpJsonString;
         } else {
-            $this->tmpJsonString .=  " " . $tmp_value . "\n";
+            $this->tmpJsonString .=  " " . $tmp_value . "\n";
         }
 
@@ -545 +573 @@
             $key = $this->tmpJsonString;
         } else {
-            $this->tmpJsonString .=  " " . $tmp_key . "\n";
+            $this->tmpJsonString .=  " " . $tmp_key . "\n";
         }
 
@@ -566 +594 @@
             $this->tmpJsonString .=  $key . " " . $value . "\n";
         } else {
-            $this->_jsonDecodeValues(
-                json_encode($key), json_encode($value)
-            );
+            $this->_jsonDecodeValues(
+                json_encode($key), json_encode($value)
+            );
         }
     }
@@ -683 +711 @@
      * Adds a value to the json array
      *
-     * @since 0.5.3
+     * @param  string the value containing JSON data
+     * @since  0.5.3
      *
      * @return void

trunk/plugins/phpids/IDS/Report.php

@@ -224 +224 @@
      * use foreach() to iterate through all stored IDS_Event objects.
      *
-     * @return Iterator
+     * @return ArrayObject the event collection
      */
     public function getIterator()

trunk/plugins/phpids/IDS/Version.php

@@ -46 +46 @@
 abstract class IDS_Version
 {
-    const VERSION = '0.6.3.1';
+    const VERSION = '0.5.6';
 }

trunk/plugins/phpids/IDS/default_filter.json

@@ -1 @@
-<html><head></head><body>{"filters":{"filter":[{"id":"1","rule":"(?:\"[^\"]*[^-]?&gt;)|(?:[^\\w\\s]\\s*\\\/&gt;)|(?:&gt;\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"2","rule":"(?:\"+.*[&lt;=]\\s*\"[^\"]+\")|(?:\"\\w+\\s*=)|(?:&gt;\\w=\\\/)|(?:#.+\\)[\"\\s]*&gt;)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style)=[$\"\\w])","description":"finds malicious attribute injection attempts","tags":{"tag":["xss","csrf"]},"impact":"6"},{"id":"3","rule":"(?:^&gt;[\\w\\s]*&lt;\\\/?\\w{2,}&gt;)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"4","rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:&gt;]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])","description":"Detects url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"5","rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!--\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"6","rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"7","rule":"(?:\\d\\s*[|&]{2}\\s*\\w)|(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)|(?:\\?[^:=]+:[^;]+(;|$))","description":"Detects JavaScript with(), ternary operators and XML predicate attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"8","rule":"(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"9","rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"10","rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"11","rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"12","rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"13","rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"id":"14","rule":"(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes and packed functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"15","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@-->\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"id":"16","rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-mo-z]-->\\-\\|])(\\s*return\\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))","description":"Detects possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"17","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-z]-->\\|])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%,.+\\-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"18","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-z]-->\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript array properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"19","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-z]-->\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"20","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-z]-->\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript language constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"21","rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<!--[a-z\\\/_@]-->]*)t(?!rong))|(?:\\<scri)|(>&lt;\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"id":"34","rule":"(?:\\&lt;\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])","description":"Detects attributes in closing tags and conditional compilation tokens","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"35","rule":"(?:--[^\\n]*$)|(?:\\<!--|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!--\\[\\W)|(?:\\]-->)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"id":"37","rule":"(?:\\<base\\s+)|(?:><!--(?:element|entity|\\[CDATA))","description":"Detects base href injections and XML entity injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"id":"38","rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"id":"39","rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])","description":"Detects nullbytes and other dangerous characters","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"id":"40","rule":"(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"41","rule":"(?:\\)\\s*like\\s*\\()|(?:having\\s+[\\d\\w\\-\"]+\\s*[(=<-->~])|(?:if\\s?\\([\\d\\w]\\s*[=&lt;&gt;~])","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"4"},{"id":"42","rule":"(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!--\\\\)\")|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)","description":"Detects classic SQL injection probings 1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"43","rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\w-]+.*\\d)|(?:[()*<-->%+-][\\w-]+[^\\w\\s]+\"[^,])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"44","rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+&lt;&gt;=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[&lt;&gt;~]+\")","description":"Detects basic SQL authentication bypass attempts 1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"45","rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&amp;\\&amp;)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,-]+from)","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"46","rule":"(?:(?:n?and|x?or|not |\\|\\||\\&amp;\\&amp;)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&amp;&lt;&gt;^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"47","rule":"(?:^\\s*[;&gt;\"]\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"id":"48","rule":"(?:\\\/\\w+;?\\s+(?:having|and|or|select))|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&amp;\\&amp;)\\s+\\w+[!=+]+[\\s\\d]*[\"=(])","description":"Detects chained SQL injection attempts 1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"49","rule":"(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"50","rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s?\\(\\s?\\(?\\s?\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"51","rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"52","rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"53","rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL and PostgreSQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"7"},{"id":"54","rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"55","rule":"(?:from\\s+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[\"(\\d])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"56","rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s+having\\s+\\d)|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"57","rule":"(?:select\\s*\\*\\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"58","rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:&lt;[?%](?:php)?.*(?:[?%]&gt;)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"59","rule":"(?:(?:[;]+|(&lt;[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"60","rule":"(?:(?:[;]+|(&lt;[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"61","rule":"(?:\\w+]?(?<!--href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"62","rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)\\W+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"63","rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"id":"64","rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP vectors","tags":{"tag":["lfi","rfe"]},"impact":"5"},{"id":"65","rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})","description":"Detects basic XSS DoS attempts","tags":{"tag":["rfe","dos"]},"impact":"5"},{"id":"67","rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"},{"id":"68","rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*-->))","description":"finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))","description":"finds basic VBScript injection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"}]}}</base\\s+)|(?:></scri)|(></body></html>
+{"filters":{"filter":[{"id":"1","rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"2","rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])","description":"finds malicious attribute injection attempts","tags":{"tag":["xss","csrf"]},"impact":"6"},{"id":"3","rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"4","rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])","description":"Detects url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"5","rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"6","rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"7","rule":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)","description":"Detects JavaScript with(), ternary operators and XML predicate attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"8","rule":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\(.*\\\/.+\\\/\\w*\\s*\\))|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"9","rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"10","rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"11","rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"12","rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"13","rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"id":"14","rule":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes, VBSCript\/JScript encodeed and packed functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"15","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@>\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"id":"16","rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]>])(\\s*return\\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))","description":"Detects possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"17","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"18","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript array properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"19","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"20","rule":"(?:\\)\\s*\\[)|(?:\\\/\\w*\\s*\\)\\s*\\W)|([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-]))","description":"Detects JavaScript language constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"21","rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@]>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"id":"34","rule":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])","description":"Detects attributes in closing tags and conditional compilation tokens","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"35","rule":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"id":"37","rule":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))","description":"Detects base href injections and XML entity injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"id":"38","rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"id":"39","rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])","description":"Detects nullbytes and other dangerous characters","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"id":"40","rule":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"41","rule":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"42","rule":"(?:\"\\s*or\\s*\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)","description":"Detects classic SQL injection probings 1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"43","rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"44","rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")","description":"Detects basic SQL authentication bypass attempts 1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"45","rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,-]+from)","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"46","rule":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"47","rule":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"id":"48","rule":"(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select))|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])","description":"Detects chained SQL injection attempts 1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"49","rule":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"50","rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"51","rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"52","rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"53","rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL and PostgreSQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"7"},{"id":"54","rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"55","rule":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\s+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"56","rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"57","rule":"(?:select\\s*\\*\\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"58","rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"59","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"60","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"61","rule":"(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"62","rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)\\W+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"63","rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"id":"64","rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP vectors","tags":{"tag":["lfi","rfe"]},"impact":"5"},{"id":"65","rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})","description":"Detects basic XSS DoS attempts","tags":{"tag":["rfe","dos"]},"impact":"5"},{"id":"67","rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"},{"id":"68","rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))","description":"finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))","description":"finds basic VBScript injection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"70","rule":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])","description":"finds basic MongoDB SQL injection attempts","tags":{"tag":"sqli"},"impact":"4"}]}}

trunk/plugins/phpids/IDS/default_filter.xml

@@ -22 +22 @@
     <filter>
         <id>69</id>
-        <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule>
+        <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
         <description>finds malicious attribute injection attempts</description>
         <tags>
@@ -61 +61 @@
     </filter>
     <filter>
+        <id>6</id>
+        <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>
+        <description>Detects self contained xss via with(), common loops and regex to string conversion</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
         <id>7</id>
-        <rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule>
+        <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
         <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
         <tags>
@@ -72 +82 @@
     <filter>
         <id>8</id>
-        <rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
+        <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
         <description>Detects self-executing JavaScript functions</description>
         <tags>
@@ -135 +145 @@
     <filter>
         <id>14</id>
-        <rule><![CDATA[(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
-        <description>Detects possible includes and packed functions</description>
+        <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
+        <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description>
         <tags>
             <tag>xss</tag>
@@ -159 +169 @@
     <filter>
         <id>16</id>
-        <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
+        <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
         <description>Detects possible includes and typical script methods</description>
         <tags>
@@ -171 +181 @@
     <filter>
         <id>17</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
         <description>Detects JavaScript object properties and methods</description>
         <tags>
@@ -207 +217 @@
     <filter>
         <id>20</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
+        <rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
         <description>Detects JavaScript language constructs</description>
         <tags>
@@ -219 +229 @@
     <filter>
         <id>21</id>
-        <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?(1)[^\w]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
+        <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
         <description>Detects very basic XSS probings</description>
         <tags>
@@ -231 +241 @@
     <filter>
         <id>22</id>
-        <rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
+        <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
         <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
         <tags>
@@ -316 +326 @@
     <filter>
         <id>30</id>
-        <rule><![CDATA[(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
+        <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
         <description>Detects common XSS concatenation patterns 1/2</description>
         <tags>
@@ -379 +389 @@
     </filter>
     <filter>
-        <id>36</id>
-        <rule><![CDATA[(?:--.*[^-]>)|(?:opera\s*\.\s*\w+\s*\()]]></rule>
-        <description>Detects comments to exploit firefox' faulty rendering and proprietary opera attacks</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>3</impact>
-    </filter>
-    <filter>
         <id>37</id>
         <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule>
@@ -414 +413 @@
     </filter>   
     <filter>
+        <id>39</id>
+        <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>
+        <description>Detects nullbytes and other dangerous characters</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>xss</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>   
+    <filter>
         <id>40</id>
-        <rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
+        <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
         <description>Detects MySQL comments, conditions and ch(a)r injections</description>
         <tags>
@@ -426 +436 @@
     <filter>
         <id>41</id>
-        <rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s+[\d\w\-"]+\s*[(=<>~])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
+        <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
         <description>Detects conditional SQL injection attempts</description>
         <tags>
@@ -433 +443 @@
             <tag>lfi</tag>
         </tags>
-        <impact>4</impact>
+        <impact>6</impact>
     </filter>   
     <filter>
         <id>42</id>
-        <rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
+        <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
         <description>Detects classic SQL injection probings 1/2</description>
         <tags>
@@ -456 +466 @@
         </tags>
         <impact>6</impact>
-    </filter>
+    </filter> 
+    <filter>
+        <id>44</id>
+        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 1/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
+    <filter>
+        <id>45</id>
+        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 2/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+     <filter>
+        <id>46</id>
+        <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 3/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
     <filter>
         <id>47</id>
-        <rule><![CDATA[(?:^\s*[;>"]\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule>
+        <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
         <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
         <tags>
@@ -470 +513 @@
     <filter>
         <id>48</id>
-        <rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule>
+        <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
         <description>Detects chained SQL injection attempts 1/2</description>
         <tags>
@@ -480 +523 @@
     <filter>
         <id>49</id>
-        <rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule>
+        <rule><![CDATA[(?:"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
         <description>Detects chained SQL injection attempts 2/2</description>
         <tags>
@@ -490 +533 @@
     <filter>
         <id>50</id>
-        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule>
+        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
         <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
         <tags>
@@ -528 +571 @@
         <impact>7</impact>
     </filter>
-
-    <!-- cut: not releted injections -->
-
+    <filter>
+        <id>54</id>
+        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
+        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>55</id>
+        <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
+        <description>Detects MSSQL code execution and information gathering attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
     <filter>
         <id>56</id>
-        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s+having\s+\d)|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
+        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
         <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
         <tags>
@@ -636 +696 @@
         <impact>5</impact>
     </filter>
-    <!--        
     <filter>
         <id>67</id>
@@ -650 +709 @@
         <impact>7</impact>
     </filter>
-    -->    
     <filter>
         <id>68</id>
@@ -670 +728 @@
         </tags>
         <impact>4</impact>
-    </filter>   
+    </filter>
+    <filter>
+        <id>70</id>
+        <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
+        <description>finds basic MongoDB SQL injection attempts</description>
+        <tags>
+            <tag>sqli</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>      
 </filters>