- Timestamp:
- 01/17/12 20:25:41 (4 months ago)
- Location:
- tags/7.0/plugins/phpids/IDS
- Files:
-
- 1 added
- 23 edited
-
.htaccess (added)
-
Caching/Apc.php (modified) (1 diff)
-
Caching/Database.php (modified) (1 diff)
-
Caching/Factory.php (modified) (1 diff)
-
Caching/File.php (modified) (1 diff)
-
Caching/Interface.php (modified) (1 diff)
-
Caching/Memcached.php (modified) (1 diff)
-
Caching/Session.php (modified) (1 diff)
-
Config/Config.ini.php (modified) (2 diffs)
-
Converter.php (modified) (8 diffs)
-
Event.php (modified) (1 diff)
-
Filter.php (modified) (1 diff)
-
Filter/Storage.php (modified) (1 diff)
-
Init.php (modified) (1 diff)
-
Log/Composite.php (modified) (1 diff)
-
Log/Database.php (modified) (7 diffs)
-
Log/Email.php (modified) (2 diffs)
-
Log/File.php (modified) (3 diffs)
-
Log/Interface.php (modified) (1 diff)
-
Monitor.php (modified) (10 diffs)
-
Report.php (modified) (1 diff)
-
Version.php (modified) (2 diffs)
-
default_filter.json (modified) (1 diff)
-
default_filter.xml (modified) (23 diffs)
tags/7.0/plugins/phpids/IDS/Caching/Apc.php
r15200 r15889 5 5 * Requirements: PHP5, SimpleXML 6 6 * 7 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)7 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 8 8 * 9 9 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/Database.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/Factory.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/File.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/Interface.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/Memcached.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Caching/Session.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Config/Config.ini.php
r15200 r15889 25 25 ; define which fields contain html and need preparation before 26 26 ; hitting the PHPIDS rules (new in PHPIDS 0.5) 27 html[] = POST.__wysiwyg27 ;html[] = POST.__wysiwyg 28 28 29 29 ; define which fields contain JSON data and should be treated as such 30 30 ; for fewer false positives (new in PHPIDS 0.5.3) 31 json[] = POST.__jsondata31 ;json[] = POST.__jsondata 32 32 33 33 ; define which fields shouldn't be monitored (a[b]=c should be referenced via a.b) … … 54 54 recipients[] = test@test.com.invalid 55 55 subject = "PHPIDS detected an intrusion attempt!" 56 header = "From: <PHPIDS> info@php -ids.org"56 header = "From: <PHPIDS> info@phpids.org" 57 57 envelope = "" 58 58 safemode = true -
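Review bot: The rewritten `header` line still puts the display name inside the angle brackets and the address outside (`From: <PHPIDS> info@phpids.org`), which is the reverse of the RFC 5322 name-addr form; strict MTAs and spam filters may reject or rewrite such a header, so the line should read `header = "From: PHPIDS <info@phpids.org>"`. The unchanged `recipients[] = test@test.com.invalid` above it is presumably a placeholder a deployer must replace; a one-line comment such as `; replace with the address(es) that should receive intrusion reports` would make that explicit. Commenting out the `html[]` and `json[]` defaults means those fields are now monitored with the full rule set, which is the safer default, and is worth stating in the comment above them.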
tags/7.0/plugins/phpids/IDS/Converter.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify … … 77 77 78 78 /** 79 * Make sure the value to normalize and monitor doesn't contain80 * possibilities for a regex DoS.81 *82 * @param string $value the value to pre-sanitize83 *84 * @static85 * @return string86 */87 public static function convertFromRepetition($value)88 {89 // remove obvios repetition patterns90 $value = preg_replace(91 '/(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})/',92 'x',93 $value94 );95 return $value;96 }97 98 /**99 79 * Check for comments and erases them if available 100 80 * … … 124 104 $value = preg_replace('/[^\\\:]\/\/(.*)$/m', '/**/$1', $value); 125 105 $value = preg_replace('/([^\-&])#.*[\r\n\v\f]/m', '$1', $value); 106 $value = preg_replace('/([^&\-])#.*\n/m', '$1 ', $value); 107 $value = preg_replace('/^#.*\n/m', ' ', $value); 126 108 127 109 return $value; … … 266 248 // normalize obfuscated protocol handlers 267 249 $value = preg_replace( 268 '/(?:j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s* )|(d\s*a\s*t\s*a\s*)/ms',269 'javascript ', $value250 '/(?:j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:)|(d\s*a\s*t\s*a\s*:)/ms', 251 'javascript:', $value 270 252 ); 271 253 … … 305 287 $matches = array(); 306 288 if(preg_match_all('/(?:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+/im', $value, $matches)) { 307 foreach($matches[0] as $match) {289 foreach($matches[0] as $match) { 308 290 $converted = ''; 309 291 foreach(str_split($match, 2) as $hex_index) { … … 335 317 $value = preg_replace($pattern, '"=0', $value); 336 318 337 $value = preg_replace('/ \W+\s*like\s*\W+/ims', '1" OR "1"', $value);338 $value = preg_replace('/null [,"\s]/ims', ',0', $value);319 $value = preg_replace('/[^\w\)]+\s*like\s*[^\w\s]+/ims', '1" OR "1"', $value); 320 $value = preg_replace('/null([,"\s])/ims', '0$1', $value); 339 321 $value = 
preg_replace('/\d+\./ims', ' 1', $value); 340 322 $value = preg_replace('/,null/ims', ',0', $value); 341 $value = preg_replace('/(?:between |mod)/ims', 'or', $value);323 $value = preg_replace('/(?:between)/ims', 'or', $value); 342 324 $value = preg_replace('/(?:and\s+\d+\.?\d*)/ims', '', $value); 343 325 $value = preg_replace('/(?:\s+and\s+)/ims', ' or ', $value); 344 345 $pattern = array('/[^\w,(]null|\\\n|true|false|utc_time|' .346 'localtime(?:stamp)?|current_\w+|binary|' .347 '(?:(?:ascii|soundex|find_in_set|' .348 'md5|r?like)[+\s]*\([^()]+\))|(?:-+\d)/ims');349 $value = preg_replace($pattern, 0, $value);350 326 351 327 $pattern = array('/(?:not\s+between)|(?:is\s+not)|(?:not\s+in)|' . … … 376 352 chr(6), chr(7), chr(8), chr(11), chr(12), chr(14), 377 353 chr(15), chr(16), chr(17), chr(18), chr(19), chr(24), 378 chr(25), chr(192), chr(193), chr(238), chr(255) 354 chr(25), chr(192), chr(193), chr(238), chr(255), '\\0' 379 355 ); 380 356 … … 514 490 public static function convertFromUTF7($value) 515 491 { 516 if(preg_match('/\+A\w+- /m', $value)) {492 if(preg_match('/\+A\w+-?/m', $value)) { 517 493 if (function_exists('mb_convert_encoding')) { 518 494 if(version_compare(PHP_VERSION, '5.2.8', '<')) { -
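Review bot: The deletion of `convertFromRepetition` leaves no visible replacement in this changeset for the guard that collapsed long `(.{2,})\1{32,}` runs before the rule set executes, so unless it was moved to a file outside this diff, an input built from thousands of repeated characters now reaches every backtracking filter regex in full — the regex-DoS case the removed docblock described. If the removal is deliberate, a comment at the Monitor.php call site saying what now bounds input length would help the next reader; otherwise an equivalent length or repetition cap should run before `convertFromCommentaries`. Separately, the two new comment-stripping replacements `'/([^&\-])#.*\n/m'` and `'/^#.*\n/m'` require a trailing newline, so a `#` comment on the final line of a value is not stripped — the same gap as the existing `[\r\n\v\f]` pattern on the line above, and worth a comment if intended. The enclosing methods start and end outside these hunks.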
tags/7.0/plugins/phpids/IDS/Event.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Filter.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Filter/Storage.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Init.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Log/Composite.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Log/Database.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify … … 47 47 `tags` varchar(128) NOT null, 48 48 `ip` varchar(15) NOT null, 49 `ip2` varchar(15) NOT null, 49 50 `impact` int(11) unsigned NOT null, 50 51 `origin` varchar(15) NOT null, … … 162 163 } 163 164 164 // determine correct IP address 165 if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { 166 $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR']; 167 } else { 168 $this->ip = $_SERVER['REMOTE_ADDR']; 169 } 165 // determine correct IP address and concat them if necessary 166 $this->ip = $_SERVER['REMOTE_ADDR']; 167 $this->ip2 = isset($_SERVER['HTTP_X_FORWARDED_FOR']) 168 ? $_SERVER['HTTP_X_FORWARDED_FOR'] 169 : ''; 170 170 171 171 try { … … 181 181 value, 182 182 page, 183 tags,183 tags, 184 184 ip, 185 ip2, 185 186 impact, 186 187 origin, … … 191 192 :value, 192 193 :page, 193 :tags,194 :tags, 194 195 :ip, 196 :ip2, 195 197 :impact, 196 198 :origin, … … 261 263 $page = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : ''; 262 264 $ip = $this->ip; 265 $ip2 = $this->ip2; 263 266 264 267 $name = $event->getName(); … … 272 275 $this->statement->bindParam('tags', $tags); 273 276 $this->statement->bindParam('ip', $ip); 277 $this->statement->bindParam('ip2', $ip2); 274 278 $this->statement->bindParam('impact', $impact); 275 279 $this->statement->bindParam('origin', $_SERVER['SERVER_ADDR']); -
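Review bot: The new `ip2` column is declared `varchar(15)` but is filled from `HTTP_X_FORWARDED_FOR`, a client-supplied header that is routinely a comma-separated chain of addresses and may carry IPv6 literals, so the value will either be silently truncated or, under MySQL strict mode, make the whole INSERT fail and drop the event. Widening it in the table definition (for example `` `ip2` varchar(255) NOT null ``) and noting on the assignment that the value is unverified, e.g. `// client-supplied, unverified; stored for context only`, would make the logger robust; the existing `ip` column has the same 15-byte limit for IPv6 `REMOTE_ADDR`. Moving `REMOTE_ADDR` into `ip` and binding the header through `bindParam` is the right direction, since the old code let a spoofable header stand in for the source address. The constructor and the execute method both extend beyond this hunk.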
tags/7.0/plugins/phpids/IDS/Log/Email.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify … … 216 216 * delete garbage files 217 217 */ 218 $dir = $this->tmp_path;218 $dir = $this->tmp_path; 219 219 $numPrefixChars = strlen($this->file_prefix); 220 $files = scandir($dir);220 $files = scandir($dir); 221 221 foreach ($files as $file) { 222 if (is_file($dir . $file)) {222 if (is_file($dir . DIRECTORY_SEPARATOR . $file)) { 223 223 if (substr($file, 0, $numPrefixChars) == $this->file_prefix) { 224 $lastModified = filemtime($dir . $file); 225 226 if (( 227 time() - $lastModified) > 3600) { 228 unlink($dir . $file); 224 $lastModified = filemtime($dir . DIRECTORY_SEPARATOR . $file); 225 if ((time() - $lastModified) > 3600) { 226 unlink($dir . DIRECTORY_SEPARATOR . $file); 229 227 } 230 228 } -
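Review bot: `scandir($dir)` returns `false` when `tmp_path` is missing or unreadable, and the `foreach` on the next line then emits a warning and does nothing, so the garbage-file sweep fails silently; a guard such as `if ($files === false) { return; }` after the `scandir` call (adapted to this method's failure convention) would make that visible. The `DIRECTORY_SEPARATOR` joins remove the old dependence on a trailing separator in `tmp_path`, but a configured path that already ends with one now yields a doubled separator — harmless, though an `rtrim($this->tmp_path, DIRECTORY_SEPARATOR)` where `$dir` is assigned would keep the paths clean. The method begins before this hunk.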
tags/7.0/plugins/phpids/IDS/Log/File.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify … … 87 87 { 88 88 89 // determine correct IP address 90 if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { 91 $this->ip = $_SERVER['HTTP_X_FORWARDED_FOR']; 92 } else { 93 $this->ip = $_SERVER['REMOTE_ADDR']; 94 } 89 // determine correct IP address and concat them if necessary 90 $this->ip = $_SERVER['REMOTE_ADDR'] . 91 (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? 92 ' (' . $_SERVER['HTTP_X_FORWARDED_FOR'] . ')' : ''); 95 93 96 94 $this->logfile = $logfile; … … 157 155 158 156 $dataString = sprintf($format, 159 $this->ip, 160 date('c'), 161 $data->getImpact(), 162 join(' ', $data->getTags()), 163 trim($attackedParameters), 164 urlencode($_SERVER['REQUEST_URI']), 165 $_SERVER['SERVER_ADDR']); 157 urlencode($this->ip), 158 date('c'), 159 $data->getImpact(), 160 join(' ', $data->getTags()), 161 urlencode(trim($attackedParameters)), 162 urlencode($_SERVER['REQUEST_URI']), 163 $_SERVER['SERVER_ADDR'] 164 ); 166 165 167 166 return $dataString; -
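Review bot: The `ip` field now embeds `HTTP_X_FORWARDED_FOR`, which is attacker-controlled and unverified, in parentheses after `REMOTE_ADDR`; the `urlencode()` applied in the `sprintf` correctly stops newline-based log injection, but anything parsing the log must not read the parenthesised part as a verified source address. A comment on the assignment, e.g. `// X-Forwarded-For is client-supplied and unverified; appended for context only`, would prevent that misreading. Note also that the first log field is now URL-encoded (a value like `1.2.3.4 (5.6.7.8)` is written as `1.2.3.4+%285.6.7.8%29`), so existing consumers that expect a bare address in that position will need to `urldecode` it; the `$format` string appears to be defined outside this hunk.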
tags/7.0/plugins/phpids/IDS/Log/Interface.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Monitor.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify … … 235 235 public function run() 236 236 { 237 237 238 if (!empty($this->request)) { 238 239 foreach ($this->request as $key => $value) { … … 240 241 } 241 242 } 242 243 243 244 return $this->getReport(); 244 245 } … … 287 288 private function _detect($key, $value) 288 289 { 289 290 290 291 // define the pre-filter 291 $prefilter = '/[^\w\s\/@!?\.]+|(?:\.\/)|(?:@@\w+)/'; 292 $prefilter = '/[^\w\s\/@!?\.]+|(?:\.\/)|(?:@@\w+)' 293 . '|(?:\+ADw)|(?:union\s+select)/i'; 292 294 293 295 // to increase performance, only start detection if value … … 302 304 } 303 305 } 304 306 305 307 // check if this field is part of the exceptions 306 308 if (is_array($this->exceptions)) { … … 323 325 && get_magic_quotes_gpc()) { 324 326 $value = stripslashes($value); 327 } 328 if(function_exists('get_magic_quotes_gpc') 329 && !get_magic_quotes_gpc() 330 && version_compare(PHP_VERSION, '5.3.0', '>=')) { 331 $value = preg_replace('/\\\(["\'\/])/im', '$1', $value); 325 332 } 326 333 … … 489 496 $purified = preg_replace('/\s+alt="[^"]*"/m', null, $purified); 490 497 $purified = preg_replace('/=?\s*"\s*"/m', null, $purified); 491 492 498 $original = preg_replace('/\s+alt="[^"]*"/m', null, $original); 493 499 $original = preg_replace('/=?\s*"\s*"/m', null, $original); 494 500 $original = preg_replace('/style\s*=\s*([^"])/m', 'style = "$1', $original); 501 502 # deal with oversensitive CSS normalization 503 $original = preg_replace('/(?:([\w\-]+:)+\s*([^;]+;\s*))/m', '$1$2', $original); 495 504 496 505 # strip whitespace between tags … … 514 523 * and the purified string. 
515 524 */ 516 $array_1 = str_split(html_entity_decode(urldecode($original)));517 $array_2 = str_split($purified);525 $array_1 = preg_split('/(?<!^)(?!$)/u', html_entity_decode(urldecode($original))); 526 $array_2 = preg_split('/(?<!^)(?!$)/u', $purified); 518 527 519 528 // create an array containing the single character differences … … 529 538 $diff = trim(join('', $differences)); 530 539 } else { 531 $diff = substr(trim(join('', $differences)), 0, strlen($original));540 $diff = mb_substr(trim(join('', $differences)), 0, strlen($original)); 532 541 } 533 542 … … 539 548 '|applet|base|img|style)/m', '<$1', $diff); 540 549 541 if ( strlen($diff) < 4) {550 if (mb_strlen($diff) < 4) { 542 551 return null; 543 552 } -
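Review bot: The switch from `str_split` to `preg_split('/(?<!^)(?!$)/u', …)` makes the diff step multibyte-aware, but with the `u` modifier `preg_split` returns `false` on malformed UTF-8, and the left operand is `html_entity_decode(urldecode($original))`, which a client can make invalid with a stray `%ff`; `$array_1` would then be `false`, the difference computation that follows would presumably degenerate to an empty string, and the `mb_strlen($diff) < 4` check would return `null` — which, if `null` means "clean" here, lets a crafted HTML field bypass the rule set. A guard after the two splits, `if ($array_1 === false || $array_2 === false) { return $original; }` (or whatever value causes the field to be fully inspected), closes that. Two smaller points: `mb_substr(..., 0, strlen($original))` mixes a character count with a byte length, and the unconditional `mb_strlen`/`mb_substr` calls make mbstring a hard requirement while Converter.php still guards `mb_convert_encoding` with `function_exists`. Both `_detect` and the purifier-diff method begin and end outside these hunks.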
tags/7.0/plugins/phpids/IDS/Report.php
r15200 r15889 6 6 * Requirements: PHP5, SimpleXML 7 7 * 8 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)8 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 9 9 * 10 10 * PHPIDS is free software; you can redistribute it and/or modify -
tags/7.0/plugins/phpids/IDS/Version.php
r15200 r15889 5 5 * Requirements: PHP5, SimpleXML 6 6 * 7 * Copyright (c) 2008 PHPIDS group (http ://php-ids.org)7 * Copyright (c) 2008 PHPIDS group (https://phpids.org) 8 8 * 9 9 * PHPIDS is free software; you can redistribute it and/or modify … … 46 46 abstract class IDS_Version 47 47 { 48 const VERSION = ' 0.5.6';48 const VERSION = '@@phpIdsVersion@@'; 49 49 } -
tags/7.0/plugins/phpids/IDS/default_filter.json
r15200 r15889 1 {"filters":{"filter":[{"id":"1","rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"2","rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\ w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])","description":"finds malicious attribute injection attempts","tags":{"tag":["xss","csrf"]},"impact":"6"},{"id":"3","rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"4","rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])","description":"Detects url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"5","rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"6","rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"7","rule":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)","description":"Detects JavaScript with(), ternary operators and XML predicate 
attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"8","rule":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\(.*\\\/.+\\\/\\w*\\s*\\))|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"9","rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"10","rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"11","rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"12","rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"13","rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"id":"14","rule":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes, VBSCript\/JScript encodeed and packed 
functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"15","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@>\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"id":"16","rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]>])(\\s*return\\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))","description":"Detects possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"17","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"18","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript array properties and 
methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"19","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"20","rule":"(?:\\)\\s*\\[)|(?:\\\/\\w*\\s*\\)\\s*\\W)|([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]>\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-]))","description":"Detects JavaScript language constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"21","rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@]>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"id":"34","rule":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])","description":"Detects attributes in closing tags and conditional compilation tokens","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"35","rule":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"id":"37","rule":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))","description":"Detects base href injections and XML entity 
injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"id":"38","rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"id":"39","rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])","description":"Detects nullbytes and other dangerous characters","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"id":"40","rule":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"41","rule":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"42","rule":"(?:\"\\s*or\\s*\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)","description":"Detects classic SQL injection probings 
1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"43","rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"44","rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")","description":"Detects basic SQL authentication bypass attempts 1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"45","rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,-]+from)","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"46","rule":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 
3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"47","rule":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"id":"48","rule":"(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select))|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])","description":"Detects chained SQL injection attempts 1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"49","rule":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"50","rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"51","rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation 
attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"52","rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"53","rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL and PostgreSQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"7"},{"id":"54","rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"55","rule":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\s+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"56","rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"57","rule":"(?:select\\s*\\*\\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated 
injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"58","rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"59","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"60","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"61","rule":"(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"62","rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)\\W+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"63","rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"id":"64","rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP 
vectors","tags":{"tag":["lfi","rfe"]},"impact":"5"},{"id":"65","rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})","description":"Detects basic XSS DoS attempts","tags":{"tag":["rfe","dos"]},"impact":"5"},{"id":"67","rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"},{"id":"68","rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))","description":"finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))","description":"finds basic VBScript injection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"70","rule":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])","description":"finds basic MongoDB SQL injection attempts","tags":{"tag":"sqli"},"impact":"4"}]}}1 {"filters":{"filter":[{"id":"1","rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")","description":"finds html breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"2","rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\s*\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])","description":"finds attribute breaking injections including whitespace attacks","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"3","rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)","description":"finds unquoted attribute breaking injections","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"4","rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])","description":"Detects 
url-, name-, JSON, and referrer-contained payload attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"5","rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)","description":"Detects hash-contained xss payload attacks, setter usage and property overloading","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"6","rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)","description":"Detects self contained xss via with(), common loops and regex to string conversion","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"7","rule":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)","description":"Detects JavaScript with(), ternary operators and XML predicate attacks","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"8","rule":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)","description":"Detects self-executing JavaScript functions","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"9","rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})","description":"Detects the IE octal, hex and unicode entities","tags":{"tag":["xss","csrf"]},"impact":"2"},{"id":"10","rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})","description":"Detects basic directory 
traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"11","rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)","description":"Detects specific directory and path traversal","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"12","rule":"(?:etc\\\/\\W*passwd)","description":"Detects etc\/passwd inclusion attempts","tags":{"tag":["dt","id","lfi"]},"impact":"5"},{"id":"13","rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)","description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts","tags":{"tag":["xss","csrf"]},"impact":"3"},{"id":"14","rule":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w+\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))","description":"Detects possible includes, VBSCript\/JScript encodeed and packed functions","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"15","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|(?:ms)?setimmediate|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))","description":"Detects JavaScript DOM\/miscellaneous properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"6"},{"id":"16","rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))","description":"Detects 
possible includes and typical script methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"17","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))","description":"Detects JavaScript object properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"18","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript array properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"19","rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))","description":"Detects JavaScript string properties and methods","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"20","rule":"(?:\\)\\s*\\[)|([^*\":\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z_@\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|(?:ms)?setimmediate|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-\\\/]))","description":"Detects JavaScript language 
constructs","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"21","rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@])(\\s*return\\s*)?(?:(?:document\\s*\\.)?(?:.+\\\/)?(?:alert|eval|msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write(?:ln)?|confirm|dialog|open))\\s*(?:[^.a-z\\s\\-]|(?:\\s*[^\\s\\w,.@\\\/+-]))|(?:java[\\s\\\/]*\\.[\\s\\\/]*lang)|(?:\\w\\s*=\\s*new\\s+\\w+)|(?:&\\s*\\w+\\s*\\)[^,])|(?:\\+[\\W\\d]*new\\s+\\w+[\\W\\d]*\\+)|(?:document\\.\\w)","description":"Detects very basic XSS probings","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"3"},{"id":"22","rule":"(?:=\\s*(?:top|this|window|content|self|frames|_content))|(?:\\\/\\s*[gimx]*\\s*[)}])|(?:[^\\s]\\s*=\\s*script)|(?:\\.\\s*constructor)|(?:default\\s+xml\\s+namespace\\s*=)|(?:\\\/\\s*\\+[^+]+\\s*\\+\\s*\\\/)","description":"Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"5"},{"id":"23","rule":"(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)","description":"Detects JavaScript location\/document property access and window access obfuscation","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"24","rule":"(?:[\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\"])|(?:\\\/[\\w\\s]+\\\/\\.)|(?:=\\s*\\\/\\w+\\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])","description":"Detects basic obfuscated JavaScript script 
injections","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"25","rule":"(?:=\\s*[$\\w]\\s*[\\(\\[])|(?:\\(\\s*(?:this|top|window|self|parent|_?content)\\s*\\))|(?:src\\s*=s*(?:\\w+:|\\\/\\\/))|(?:\\w+\\[(\"\\w+\"|\\w+\\|\\|))|(?:[\\d\\W]\\|\\|[\\d\\W]|\\W=\\w+,)|(?:\\\/\\s*\\+\\s*[a-z\"])|(?:=\\s*\\$[^([]*\\()|(?:=\\s*\\(\\s*\")","description":"Detects obfuscated JavaScript script injections","tags":{"tag":["xss","csrf"]},"impact":"5"},{"id":"26","rule":"(?:[^:\\s\\w]+\\s*[^\\w\\\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\\w])","description":"Detects JavaScript cookie stealing and redirection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"27","rule":"(?:(?:vbs|vbscript|data):.*[,+])|(?:\\w+\\s*=\\W*(?!https?)\\w+:)|(jar:\\w+:)|(=\\s*\"?\\s*vbs(?:ript)?:)|(language\\s*=\\s?\"?\\s*vbs(?:ript)?)|on\\w+\\s*=\\*\\w+\\-\"?","description":"Detects data: URL injections, VBS injections and common URI schemes","tags":{"tag":["xss","rfe"]},"impact":"5"},{"id":"28","rule":"(?:firefoxurl:\\w+\\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\\s*:\\s*[%&#xu\\\/]+)|(wyciwyg|firefoxurl\\s*:\\s*\\\/\\s*\\\/)","description":"Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion\/execution","tags":{"tag":["xss","rfe","lfi","csrf"]},"impact":"5"},{"id":"29","rule":"(?:binding\\s?=|moz-binding|behavior\\s?=)|(?:[\\s\\\/]style\\s*=\\s*[-\\\\])","description":"Detects bindings and behavior injections","tags":{"tag":["xss","csrf","rfe"]},"impact":"4"},{"id":"30","rule":"(?:=\\s*\\w+\\s*\\+\\s*\")|(?:\\+=\\s*\\(\\s\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:\\\/\\s*\\?\\s*\")|(?:\\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\\/)","description":"Detects common XSS concatenation patterns 
1\/2","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"31","rule":"(?:=\\s*\\d*\\.\\d*\\?\\d*\\.\\d*)|(?:[|&]{2,}\\s*\")|(?:!\\d+\\.\\d*\\?\")|(?:\\\/:[\\w.]+,)|(?:=[\\d\\W\\s]*\\[[^]]+\\])|(?:\\?\\w+:\\w+)","description":"Detects common XSS concatenation patterns 2\/2","tags":{"tag":["xss","csrf","id","rfe"]},"impact":"4"},{"id":"32","rule":"(?:[^\\w\\s=]on(?!g\\>)\\w+[^=_+-]*=[^$]+(?:\\W|\\>)?)","description":"Detects possible event handlers","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"33","rule":"(?:\\<\\w*:?\\s(?:[^\\>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)","description":"Detects obfuscated script tags and XML wrapped HTML","tags":{"tag":"xss"},"impact":"4"},{"id":"34","rule":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])","description":"Detects attributes in closing tags and conditional compilation tokens","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"35","rule":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)","description":"Detects common comment types","tags":{"tag":["xss","csrf","id"]},"impact":"3"},{"id":"37","rule":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))","description":"Detects base href injections and XML entity injections","tags":{"tag":["xss","csrf","id"]},"impact":"5"},{"id":"38","rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))","description":"Detects possibly malicious html elements including some attributes","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"4"},{"id":"39","rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])","description":"Detects nullbytes and other dangerous 
characters","tags":{"tag":["id","rfe","xss"]},"impact":"5"},{"id":"40","rule":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()","description":"Detects MySQL comments, conditions and ch(a)r injections","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"41","rule":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])","description":"Detects conditional SQL injection attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"42","rule":"(?:\"\\s*or\\s*\"?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)|(?:\\Winformation_schema|table_name\\W)","description":"Detects classic SQL injection probings 1\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"43","rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[^\\d]+[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])","description":"Detects classic SQL injection probings 2\/2","tags":{"tag":["sqli","id","lfi"]},"impact":"6"},{"id":"44","rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")","description":"Detects basic SQL authentication bypass attempts 
1\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"45","rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()","description":"Detects basic SQL authentication bypass attempts 2\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"46","rule":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")","description":"Detects basic SQL authentication bypass attempts 3\/3","tags":{"tag":["sqli","id","lfi"]},"impact":"7"},{"id":"47","rule":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()","description":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"tag":["sqli","id","lfi"]},"impact":"5"},{"id":"48","rule":"(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])","description":"Detects chained SQL injection attempts 
1\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"49","rule":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])","description":"Detects chained SQL injection attempts 2\/2","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"50","rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)","description":"Detects SQL benchmark and sleep injection attempts including conditional queries","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"51","rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})","description":"Detects MySQL UDF injection and other data\/structure manipulation attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"52","rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)","description":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"tag":["sqli","id"]},"impact":"6"},{"id":"53","rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)","description":"Detects MySQL and PostgreSQL stored procedure\/function injections","tags":{"tag":["sqli","id"]},"impact":"7"},{"id":"54","rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))","description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown 
attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"55","rule":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")","description":"Detects MSSQL code execution and information gathering attempts","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"56","rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s\\-])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()","description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"57","rule":"(?:,.*[)\\da-f\"]\"(?:\".*\"|\\Z|[^\"]+))|(?:\\Wselect.+\\W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()","description":"Detects MySQL comment-\/space-obfuscated injections and backtick termination","tags":{"tag":["sqli","id"]},"impact":"5"},{"id":"58","rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()","description":"Detects code injection attempts 1\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"59","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])","description":"Detects code injection attempts 2\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"60","rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)","description":"Detects code injection attempts 
3\/3","tags":{"tag":["id","rfe","lfi"]},"impact":"7"},{"id":"61","rule":"(?:\\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\\{\\s*\\$\\s*\\{)","description":"Detects url injections and RFE attempts","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"62","rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\\w.]+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)","description":"Detects common function declarations and special JS operators","tags":{"tag":["id","rfe","lfi"]},"impact":"5"},{"id":"63","rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)","description":"Detects common mail header injections","tags":{"tag":["id","spam"]},"impact":"5"},{"id":"64","rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)","description":"Detects perl echo shellcode injection and LDAP vectors","tags":{"tag":["lfi","rfe"]},"impact":"5"},{"id":"65","rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})","description":"Detects basic XSS DoS attempts","tags":{"tag":["rfe","dos"]},"impact":"5"},{"id":"67","rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])","description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection","tags":{"tag":["xss","csrf","id","rfe","lfi"]},"impact":"7"},{"id":"68","rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))","description":"Finds attribute breaking injections including obfuscated attributes","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"69","rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))","description":"Finds basic VBScript injection attempts","tags":{"tag":["xss","csrf"]},"impact":"4"},{"id":"70","rule":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])","description":"Finds basic 
MongoDB SQL injection attempts","tags":{"tag":"sqli"},"impact":"4"},{"id":"71","rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])|(?:-type\\s*:\\s*multipart)","description":"finds malicious attribute injection attempts and MHTML attacks","tags":{"tag":["xss","csrf"]},"impact":"6"},{"id":"72","rule":"(?:(sleep\\((\\s*)(\\d*)(\\s*)\\)|benchmark\\((.*)\\,(.*)\\)))","description":"Detects blind sqli tests using sleep() or benchmark().","tags":{"tag":["sqli","id"]},"impact":"4"},{"id":"73","rule":"(?i:(\\%SYSTEMROOT\\%))","description":"An attacker is trying to locate a file to read or write.","tags":{"tag":["files","id"]},"impact":"4"},{"id":"74","rule":"(?i:(ping(.*)[\\-(.*)\\w|\\w(.*)\\-]))","description":"Detects remote code exectuion tests. Will match \"ping -n 3 localhost\" and \"ping localhost -n 3\"","tags":{"tag":["Command Execution","id"]},"impact":"5"},{"id":"75","rule":"(?:(((.*)\\%[c|d|i|e|f|g|o|s|u|x|p|n]){8}))","description":"Looking for a format string attack","tags":{"tag":"format string"},"impact":"4"},{"id":"76","rule":"(?:(union(.*)select(.*)from))","description":"Looking for basic sql injection. Common attack string for mysql, oracle and others.","tags":{"tag":["sqli","id"]},"impact":"3"},{"id":"77","rule":"(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)","description":"Looking for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the \"magic number\" crash","tags":{"tag":["sqli","id"]},"impact":"3"}]}} -
tags/7.0/plugins/phpids/IDS/default_filter.xml
r15200 r15889 12 12 <filter> 13 13 <id>2</id> 14 <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\ w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>14 <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\s*\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule> 15 15 <description>finds attribute breaking injections including whitespace attacks</description> 16 16 <tags> … … 72 72 <filter> 73 73 <id>8</id> 74 <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\( .*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>74 <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule> 75 75 <description>Detects self-executing JavaScript functions</description> 76 76 <tags> … … 147 147 <filter> 148 148 <id>15</id> 149 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@ >\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>149 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|(?:ms)?setimmediate|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule> 150 150 <description>Detects JavaScript DOM/miscellaneous properties and methods</description> 151 151 <tags> … … 159 159 <filter> 160 160 
<id>16</id> 161 <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@ >])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>161 <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@])(\s*return\s*)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule> 162 162 <description>Detects possible includes and typical script methods</description> 163 163 <tags> … … 171 171 <filter> 172 172 <id>17</id> 173 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@ >])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>173 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule> 174 174 <description>Detects JavaScript object properties and methods</description> 175 175 <tags> … … 183 183 <filter> 184 184 <id>18</id> 185 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@ 
>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>185 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> 186 186 <description>Detects JavaScript array properties and methods</description> 187 187 <tags> … … 195 195 <filter> 196 196 <id>19</id> 197 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@ >\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>197 <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule> 198 198 <description>Detects JavaScript string properties and methods</description> 199 199 <tags> … … 207 207 <filter> 208 208 <id>20</id> 209 <rule><![CDATA[(?:\)\s*\[)|( ?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>209 
<rule><![CDATA[(?:\)\s*\[)|([^*":\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|(?:ms)?setimmediate|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-\/]))]]></rule> 210 210 <description>Detects JavaScript language constructs</description> 211 211 <tags> … … 219 219 <filter> 220 220 <id>21</id> 221 <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmod aldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>221 <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^.a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule> 222 222 <description>Detects very basic XSS probings</description> 223 223 <tags> … … 231 231 <filter> 232 232 <id>22</id> 233 <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s* \w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>233 <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*[gimx]*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule> 234 234 <description>Detects advanced XSS 
probings via Script(), RexExp, constructors and XML namespaces</description> 235 235 <tags> … … 283 283 <filter> 284 284 <id>27</id> 285 <rule><![CDATA[(?: data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule>285 <rule><![CDATA[(?:(?:vbs|vbscript|data):.*[,+])|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule> 286 286 <description>Detects data: URL injections, VBS injections and common URI schemes</description> 287 287 <tags> … … 437 437 <filter> 438 438 <id>42</id> 439 <rule><![CDATA[(?:"\s*or\s* \d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>439 <rule><![CDATA[(?:"\s*or\s*"?\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)|(?:\Winformation_schema|table_name\W)]]></rule> 440 440 <description>Detects classic SQL injection probings 1/2</description> 441 441 <tags> … … 448 448 <filter> 449 449 <id>43</id> 450 <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[ \w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>450 
<rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[^\d]+[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule> 451 451 <description>Detects classic SQL injection probings 2/2</description> 452 452 <tags> … … 470 470 <filter> 471 471 <id>45</id> 472 <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\., -]+from)]]></rule>472 <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule> 473 473 <description>Detects basic SQL authentication bypass attempts 2/3</description> 474 474 <tags> … … 492 492 <filter> 493 493 <id>47</id> 494 <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?: concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>494 <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule> 495 495 <description>Detects concatenated basic SQL injection and SQLLFI attempts</description> 496 496 <tags> … … 503 
503 <filter> 504 504 <id>48</id> 505 <rule><![CDATA[(?: \d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>505 <rule><![CDATA[(?:@.+=\s*\(\s*select)|(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule> 506 506 <description>Detects chained SQL injection attempts 1/2</description> 507 507 <tags> … … 573 573 <filter> 574 574 <id>55</id> 575 <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\ s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>575 <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule> 576 576 <description>Detects MSSQL code execution and information gathering attempts</description> 577 577 <tags> … … 583 583 <filter> 584 584 <id>56</id> 585 <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s ])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>585 <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s\-])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule> 586 586 <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING 
injections</description> 587 587 <tags> … … 593 593 <filter> 594 594 <id>57</id> 595 <rule><![CDATA[(?:,.*[)\da-f"]"(?:".*"|\Z|[^"]+))|(?: select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>595 <rule><![CDATA[(?:,.*[)\da-f"]"(?:".*"|\Z|[^"]+))|(?:\Wselect.+\W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule> 596 596 <description>Detects MySQL comment-/space-obfuscated injections and backtick termination</description> 597 597 <tags> … … 702 702 <id>68</id> 703 703 <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule> 704 <description> finds attribute breaking injections including obfuscated attributes</description>704 <description>Finds attribute breaking injections including obfuscated attributes</description> 705 705 <tags> 706 706 <tag>xss</tag> … … 712 712 <id>69</id> 713 713 <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule> 714 <description> finds basic VBScript injection attempts</description>714 <description>Finds basic VBScript injection attempts</description> 715 715 <tags> 716 716 <tag>xss</tag> … … 722 722 <id>70</id> 723 723 <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule> 724 <description> finds basic MongoDB SQL injection attempts</description>724 <description>Finds basic MongoDB SQL injection attempts</description> 725 725 <tags> 726 726 <tag>sqli</tag> … … 730 730 <filter> 731 731 <id>71</id> 732 <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule> 733 <description>finds malicious attribute injection attempts</description> 734 <tags> 735 <tag>xss</tag> 736 <tag>csrf</tag> 737 </tags> 738 <impact>6</impact> 732 <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])|(?:-type\s*:\s*multipart)]]></rule> 733 <description>finds malicious attribute injection attempts and MHTML attacks</description> 734 <tags> 
735 <tag>xss</tag> 736 <tag>csrf</tag> 737 </tags> 738 <impact>6</impact> 739 </filter> 740 <filter> 741 <id>72</id> 742 <rule><![CDATA[(?:(sleep\((\s*)(\d*)(\s*)\)|benchmark\((.*)\,(.*)\)))]]></rule> 743 <description>Detects blind sqli tests using sleep() or benchmark().</description> 744 <tags> 745 <tag>sqli</tag> 746 <tag>id</tag> 747 </tags> 748 <impact>4</impact> 749 </filter> 750 <filter> 751 <id>73</id> 752 <rule><![CDATA[(?i:(\%SYSTEMROOT\%))]]></rule> 753 <description>An attacker is trying to locate a file to read or write.</description> 754 <tags> 755 <tag>files</tag> 756 <tag>id</tag> 757 </tags> 758 <impact>4</impact> 739 759 </filter> 760 <filter> 761 <id>74</id> 762 <rule><![CDATA[(?i:(ping(.*)[\-(.*)\w|\w(.*)\-]))]]></rule> 763 <description>Detects remote code exectuion tests. Will match "ping -n 3 localhost" and "ping localhost -n 3" </description> 764 <tags> 765 <tag>Command Execution</tag> 766 <tag>id</tag> 767 </tags> 768 <impact>5</impact> 769 </filter> 770 <filter> 771 <id>75</id> 772 <rule><![CDATA[(?:(((.*)\%[c|d|i|e|f|g|o|s|u|x|p|n]){8}))]]></rule> 773 <description>Looking for a format string attack</description> 774 <tags> 775 <tag>format string</tag> 776 </tags> 777 <impact>4</impact> 778 </filter> 779 <filter> 780 <id>76</id> 781 <rule><![CDATA[(?:(union(.*)select(.*)from))]]></rule> 782 <description>Looking for basic sql injection. 
Common attack string for mysql, oracle and others.</description> 783 <tags> 784 <tag>sqli</tag> 785 <tag>id</tag> 786 </tags> 787 <impact>3</impact> 788 </filter> 789 <filter> 790 <id>77</id> 791 <rule><![CDATA[(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)]]></rule> 792 <description>Looking for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the "magic number" crash</description> 793 <tags> 794 <tag>sqli</tag> 795 <tag>id</tag> 796 </tags> 797 <impact>3</impact> 798 </filter> 740 799 </filters>