{ "version": "2.2", "metadata": { "rules_version": "1.3.1" }, "rules": [ { "id": "crs-913-110", "name": "Acunetix", "tags": { "type": "security_scanner", "crs_id": "913110", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies" } ], "list": [ "acunetix-product", "(acunetix web vulnerability scanner", "acunetix-scanning-agreement", "acunetix-user-agreement", "md5(acunetix_wvs_security_test)" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-913-120", "name": "Known security scanner filename/argument", "tags": { "type": "security_scanner", "crs_id": "913120", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" } ], "list": [ "/.adsensepostnottherenonobook", "/hello.html", "/actsensepostnottherenonotive", "/acunetix-wvs-test-for-some-inexistent-file", "/antidisestablishmentarianism", "/appscan_fingerprint/mac_address", "/arachni-", "/cybercop", "/nessus_is_probing_you_", "/nessustest", "/netsparker-", "/rfiinc.txt", "/thereisnowaythat-you-canbethere", "/w3af/remotefileinclude.html", "appscan_fingerprint", "w00tw00t.at.isc.sans.dfind", "w00tw00t.at.blackhats.romanian.anti-sec" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-920-260", "name": "Unicode Full/Half Width Abuse Attack Attempt", "tags": { "type": "http_protocol_violation", "crs_id": "920260", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "\\%u[fF]{2}[0-9a-fA-F]{2}", "options": { "case_sensitive": true, "min_length": 6 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-921-110", "name": "HTTP Request Smuggling Attack", "tags": { "type": "http_protocol_violation", "crs_id": "921110", "category": "attack_attempt" }, 
"conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" } ], "regex": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", "options": { "case_sensitive": true, "min_length": 12 } }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "crs-921-140", "name": "HTTP Header Injection Attack via headers", "tags": { "type": "http_protocol_violation", "crs_id": "921140", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies" } ], "regex": "[\\n\\r]", "options": { "case_sensitive": true, "min_length": 1 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-921-160", "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)", "tags": { "type": "http_protocol_violation", "crs_id": "921160", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.path_params" } ], "regex": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:", "options": { "case_sensitive": true, "min_length": 3 } }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "crs-930-100", "name": "Obfuscated Path Traversal Attack (/../)", "tags": { "type": "lfi", "crs_id": "930100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.uri.raw" }, { "address": "server.request.headers.no_cookies" } ], "regex": 
"(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))", "options": { "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [ "normalizePath" ] }, { "id": "crs-930-110", "name": "Simple Path Traversal Attack (/../)", "tags": { "type": "lfi", "crs_id": "930110", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.uri.raw" }, { "address": "server.request.headers.no_cookies" } ], "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))", "options": { "case_sensitive": true, "min_length": 3 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-930-120", "name": "OS File Access Attempt", "tags": { "type": "lfi", "crs_id": "930120", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "list": [ "/.htaccess", "/.htdigest", "/.htpasswd", "/.addressbook", "/.aptitude/config", "/.bash_config", "/.bash_history", "/.bash_logout", "/.bash_profile", "/.bashrc", ".cache/notify-osd.log", ".config/odesk/odesk team.conf", "/.cshrc", "/.dockerignore", ".drush/", "/.eslintignore", "/.fbcindex", "/.forward", "/.git", ".git/", "/.gitattributes", "/.gitconfig", ".gnupg/", ".hplip/hplip.conf", "/.ksh_history", "/.lesshst", ".lftp/", "/.lhistory", 
"/.lldb-history", ".local/share/mc/", "/.lynx_cookies", "/.my.cnf", "/.mysql_history", "/.nano_history", "/.node_repl_history", "/.pearrc", "/.php_history", "/.pinerc", ".pki/", "/.proclog", "/.procmailrc", "/.psql_history", "/.python_history", "/.rediscli_history", "/.rhistory", "/.rhosts", "/.sh_history", "/.sqlite_history", ".ssh/authorized_keys", ".ssh/config", ".ssh/id_dsa", ".ssh/id_dsa.pub", ".ssh/id_rsa", ".ssh/id_rsa.pub", ".ssh/identity", ".ssh/identity.pub", ".ssh/known_hosts", ".subversion/auth", ".subversion/config", ".subversion/servers", ".tconn/tconn.conf", "/.tcshrc", ".vidalia/vidalia.conf", "/.viminfo", "/.vimrc", "/.www_acl", "/.wwwacl", "/.xauthority", "/.zhistory", "/.zshrc", "/.zsh_history", "/.nsconfig", "etc/redis.conf", "etc/redis-sentinel.conf", "etc/php.ini", "bin/php.ini", "etc/httpd/php.ini", "usr/lib/php.ini", "usr/lib/php/php.ini", "usr/local/etc/php.ini", "usr/local/lib/php.ini", "usr/local/php/lib/php.ini", "usr/local/php4/lib/php.ini", "usr/local/php5/lib/php.ini", "usr/local/apache/conf/php.ini", "etc/php4.4/fcgi/php.ini", "etc/php4/apache/php.ini", "etc/php4/apache2/php.ini", "etc/php5/apache/php.ini", "etc/php5/apache2/php.ini", "etc/php/php.ini", "etc/php/php4/php.ini", "etc/php/apache/php.ini", "etc/php/apache2/php.ini", "web/conf/php.ini", "usr/local/zend/etc/php.ini", "opt/xampp/etc/php.ini", "var/local/www/conf/php.ini", "etc/php/cgi/php.ini", "etc/php4/cgi/php.ini", "etc/php5/cgi/php.ini", "home2/bin/stable/apache/php.ini", "home/bin/stable/apache/php.ini", "etc/httpd/conf.d/php.conf", "php5/php.ini", "php4/php.ini", "php/php.ini", "windows/php.ini", "winnt/php.ini", "apache/php/php.ini", "xampp/apache/bin/php.ini", "netserver/bin/stable/apache/php.ini", "volumes/macintosh_hd1/usr/local/php/lib/php.ini", "etc/mono/1.0/machine.config", "etc/mono/2.0/machine.config", "etc/mono/2.0/web.config", "etc/mono/config", "usr/local/cpanel/logs/stats_log", "usr/local/cpanel/logs/access_log", "usr/local/cpanel/logs/error_log", 
"usr/local/cpanel/logs/license_log", "usr/local/cpanel/logs/login_log", "var/cpanel/cpanel.config", "var/log/sw-cp-server/error_log", "usr/local/psa/admin/logs/httpsd_access_log", "usr/local/psa/admin/logs/panel.log", "var/log/sso/sso.log", "usr/local/psa/admin/conf/php.ini", "etc/sw-cp-server/applications.d/plesk.conf", "usr/local/psa/admin/conf/site_isolation_settings.ini", "usr/local/sb/config", "etc/sw-cp-server/applications.d/00-sso-cpserver.conf", "etc/sso/sso_config.ini", "etc/mysql/conf.d/old_passwords.cnf", "var/log/mysql/mysql-bin.log", "var/log/mysql/mysql-bin.index", "var/log/mysql/data/mysql-bin.index", "var/log/mysql.log", "var/log/mysql.err", "var/log/mysqlderror.log", "var/log/mysql/mysql.log", "var/log/mysql/mysql-slow.log", "var/log/mysql-bin.index", "var/log/data/mysql-bin.index", "var/mysql.log", "var/mysql-bin.index", "var/data/mysql-bin.index", "program files/mysql/mysql server 5.0/data/{host}.err", "program files/mysql/mysql server 5.0/data/mysql.log", "program files/mysql/mysql server 5.0/data/mysql.err", "program files/mysql/mysql server 5.0/data/mysql-bin.log", "program files/mysql/mysql server 5.0/data/mysql-bin.index", "program files/mysql/data/{host}.err", "program files/mysql/data/mysql.log", "program files/mysql/data/mysql.err", "program files/mysql/data/mysql-bin.log", "program files/mysql/data/mysql-bin.index", "mysql/data/{host}.err", "mysql/data/mysql.log", "mysql/data/mysql.err", "mysql/data/mysql-bin.log", "mysql/data/mysql-bin.index", "usr/local/mysql/data/mysql.log", "usr/local/mysql/data/mysql.err", "usr/local/mysql/data/mysql-bin.log", "usr/local/mysql/data/mysql-slow.log", "usr/local/mysql/data/mysqlderror.log", "usr/local/mysql/data/{host}.err", "usr/local/mysql/data/mysql-bin.index", "var/lib/mysql/my.cnf", "etc/mysql/my.cnf", "etc/my.cnf", "program files/mysql/mysql server 5.0/my.ini", "program files/mysql/mysql server 5.0/my.cnf", "program files/mysql/my.ini", "program files/mysql/my.cnf", "mysql/my.ini", 
"mysql/my.cnf", "mysql/bin/my.ini", "var/postgresql/log/postgresql.log", "var/log/postgresql/postgresql.log", "var/log/postgres/pg_backup.log", "var/log/postgres/postgres.log", "var/log/postgresql.log", "var/log/pgsql/pgsql.log", "var/log/postgresql/postgresql-8.1-main.log", "var/log/postgresql/postgresql-8.3-main.log", "var/log/postgresql/postgresql-8.4-main.log", "var/log/postgresql/postgresql-9.0-main.log", "var/log/postgresql/postgresql-9.1-main.log", "var/log/pgsql8.log", "var/log/postgresql/postgres.log", "var/log/pgsql_log", "var/log/postgresql/main.log", "var/log/cron/var/log/postgres.log", "usr/internet/pgsql/data/postmaster.log", "usr/local/pgsql/data/postgresql.log", "usr/local/pgsql/data/pg_log", "postgresql/log/pgadmin.log", "var/lib/pgsql/data/postgresql.conf", "var/postgresql/db/postgresql.conf", "var/nm2/postgresql.conf", "usr/local/pgsql/data/postgresql.conf", "usr/local/pgsql/data/pg_hba.conf", "usr/internet/pgsql/data/pg_hba.conf", "usr/local/pgsql/data/passwd", "usr/local/pgsql/bin/pg_passwd", "etc/postgresql/postgresql.conf", "etc/postgresql/pg_hba.conf", "home/postgres/data/postgresql.conf", "home/postgres/data/pg_version", "home/postgres/data/pg_ident.conf", "home/postgres/data/pg_hba.conf", "program files/postgresql/8.3/data/pg_hba.conf", "program files/postgresql/8.3/data/pg_ident.conf", "program files/postgresql/8.3/data/postgresql.conf", "program files/postgresql/8.4/data/pg_hba.conf", "program files/postgresql/8.4/data/pg_ident.conf", "program files/postgresql/8.4/data/postgresql.conf", "program files/postgresql/9.0/data/pg_hba.conf", "program files/postgresql/9.0/data/pg_ident.conf", "program files/postgresql/9.0/data/postgresql.conf", "program files/postgresql/9.1/data/pg_hba.conf", "program files/postgresql/9.1/data/pg_ident.conf", "program files/postgresql/9.1/data/postgresql.conf", "wamp/logs/access.log", "wamp/logs/apache_error.log", "wamp/logs/genquery.log", "wamp/logs/mysql.log", "wamp/logs/slowquery.log", 
"wamp/bin/apache/apache2.2.22/logs/access.log", "wamp/bin/apache/apache2.2.22/logs/error.log", "wamp/bin/apache/apache2.2.21/logs/access.log", "wamp/bin/apache/apache2.2.21/logs/error.log", "wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index", "wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index", "wamp/bin/apache/apache2.2.21/conf/httpd.conf", "wamp/bin/apache/apache2.2.22/conf/httpd.conf", "wamp/bin/apache/apache2.2.21/wampserver.conf", "wamp/bin/apache/apache2.2.22/wampserver.conf", "wamp/bin/apache/apache2.2.22/conf/wampserver.conf", "wamp/bin/mysql/mysql5.5.24/my.ini", "wamp/bin/mysql/mysql5.5.24/wampserver.conf", "wamp/bin/mysql/mysql5.5.16/my.ini", "wamp/bin/mysql/mysql5.5.16/wampserver.conf", "wamp/bin/php/php5.3.8/php.ini", "wamp/bin/php/php5.4.3/php.ini", "xampp/apache/logs/access.log", "xampp/apache/logs/error.log", "xampp/mysql/data/mysql-bin.index", "xampp/mysql/data/mysql.err", "xampp/mysql/data/{host}.err", "xampp/sendmail/sendmail.log", "xampp/apache/conf/httpd.conf", "xampp/filezillaftp/filezilla server.xml", "xampp/mercurymail/mercury.ini", "xampp/php/php.ini", "xampp/phpmyadmin/config.inc.php", "xampp/sendmail/sendmail.ini", "xampp/webalizer/webalizer.conf", "opt/lampp/etc/httpd.conf", "xampp/htdocs/aca.txt", "xampp/htdocs/admin.php", "xampp/htdocs/leer.txt", "usr/local/apache/logs/audit_log", "usr/local/apache2/logs/audit_log", "logs/security_debug_log", "logs/security_log", "usr/local/apache/conf/modsec.conf", "usr/local/apache2/conf/modsec.conf", "winnt/system32/logfiles/msftpsvc", "winnt/system32/logfiles/msftpsvc1", "winnt/system32/logfiles/msftpsvc2", "windows/system32/logfiles/msftpsvc", "windows/system32/logfiles/msftpsvc1", "windows/system32/logfiles/msftpsvc2", "etc/logrotate.d/proftpd", "www/logs/proftpd.system.log", "var/log/proftpd", "var/log/proftpd/xferlog.legacy", "var/log/proftpd.access_log", "var/log/proftpd.xferlog", "etc/pam.d/proftpd", "etc/proftp.conf", "etc/protpd/proftpd.conf", "etc/vhcs2/proftpd/proftpd.conf", 
"etc/proftpd/modules.conf", "var/log/vsftpd.log", "etc/vsftpd.chroot_list", "etc/logrotate.d/vsftpd.log", "etc/vsftpd/vsftpd.conf", "etc/vsftpd.conf", "etc/chrootusers", "var/log/xferlog", "var/adm/log/xferlog", "etc/wu-ftpd/ftpaccess", "etc/wu-ftpd/ftphosts", "etc/wu-ftpd/ftpusers", "var/log/pure-ftpd/pure-ftpd.log", "logs/pure-ftpd.log", "var/log/pureftpd.log", "usr/sbin/pure-config.pl", "usr/etc/pure-ftpd.conf", "etc/pure-ftpd/pure-ftpd.conf", "usr/local/etc/pure-ftpd.conf", "usr/local/etc/pureftpd.pdb", "usr/local/pureftpd/etc/pureftpd.pdb", "usr/local/pureftpd/sbin/pure-config.pl", "usr/local/pureftpd/etc/pure-ftpd.conf", "etc/pure-ftpd.conf", "etc/pure-ftpd/pure-ftpd.pdb", "etc/pureftpd.pdb", "etc/pureftpd.passwd", "etc/pure-ftpd/pureftpd.pdb", "usr/ports/ftp/pure-ftpd/pure-ftpd.conf", "usr/ports/ftp/pure-ftpd/pureftpd.pdb", "usr/ports/ftp/pure-ftpd/pureftpd.passwd", "usr/ports/net/pure-ftpd/pure-ftpd.conf", "usr/ports/net/pure-ftpd/pureftpd.pdb", "usr/ports/net/pure-ftpd/pureftpd.passwd", "usr/pkgsrc/net/pureftpd/pure-ftpd.conf", "usr/pkgsrc/net/pureftpd/pureftpd.pdb", "usr/pkgsrc/net/pureftpd/pureftpd.passwd", "usr/ports/contrib/pure-ftpd/pure-ftpd.conf", "usr/ports/contrib/pure-ftpd/pureftpd.pdb", "usr/ports/contrib/pure-ftpd/pureftpd.passwd", "var/log/muddleftpd", "usr/sbin/mudlogd", "etc/muddleftpd/mudlog", "etc/muddleftpd.com", "etc/muddleftpd/mudlogd.conf", "etc/muddleftpd/muddleftpd.conf", "var/log/muddleftpd.conf", "usr/sbin/mudpasswd", "etc/muddleftpd/muddleftpd.passwd", "etc/muddleftpd/passwd", "var/log/ftp-proxy/ftp-proxy.log", "var/log/ftp-proxy", "var/log/ftplog", "etc/logrotate.d/ftp", "etc/ftpchroot", "etc/ftphosts", "etc/ftpusers", "var/log/exim_mainlog", "var/log/exim/mainlog", "var/log/maillog", "var/log/exim_paniclog", "var/log/exim/paniclog", "var/log/exim/rejectlog", "var/log/exim_rejectlog", "winnt/system32/logfiles/smtpsvc", "winnt/system32/logfiles/smtpsvc1", "winnt/system32/logfiles/smtpsvc2", "winnt/system32/logfiles/smtpsvc3", 
"winnt/system32/logfiles/smtpsvc4", "winnt/system32/logfiles/smtpsvc5", "windows/system32/logfiles/smtpsvc", "windows/system32/logfiles/smtpsvc1", "windows/system32/logfiles/smtpsvc2", "windows/system32/logfiles/smtpsvc3", "windows/system32/logfiles/smtpsvc4", "windows/system32/logfiles/smtpsvc5", "etc/osxhttpd/osxhttpd.conf", "system/library/webobjects/adaptors/apache2.2/apache.conf", "etc/apache2/sites-available/default", "etc/apache2/sites-available/default-ssl", "etc/apache2/sites-enabled/000-default", "etc/apache2/sites-enabled/default", "etc/apache2/apache2.conf", "etc/apache2/ports.conf", "usr/local/etc/apache/httpd.conf", "usr/pkg/etc/httpd/httpd.conf", "usr/pkg/etc/httpd/httpd-default.conf", "usr/pkg/etc/httpd/httpd-vhosts.conf", "etc/httpd/mod_php.conf", "etc/httpd/extra/httpd-ssl.conf", "etc/rc.d/rc.httpd", "usr/local/apache/conf/httpd.conf.default", "usr/local/apache/conf/access.conf", "usr/local/apache22/conf/httpd.conf", "usr/local/apache22/httpd.conf", "usr/local/etc/apache22/conf/httpd.conf", "usr/local/apps/apache22/conf/httpd.conf", "etc/apache22/conf/httpd.conf", "etc/apache22/httpd.conf", "opt/apache22/conf/httpd.conf", "usr/local/etc/apache2/vhosts.conf", "usr/local/apache/conf/vhosts.conf", "usr/local/apache2/conf/vhosts.conf", "usr/local/apache/conf/vhosts-custom.conf", "usr/local/apache2/conf/vhosts-custom.conf", "etc/apache/default-server.conf", "etc/apache2/default-server.conf", "usr/local/apache2/conf/extra/httpd-ssl.conf", "usr/local/apache2/conf/ssl.conf", "etc/httpd/conf.d", "usr/local/etc/apache22/httpd.conf", "usr/local/etc/apache2/httpd.conf", "etc/apache2/httpd2.conf", "etc/apache2/ssl-global.conf", "etc/apache2/vhosts.d/00_default_vhost.conf", "apache/conf/httpd.conf", "etc/apache/httpd.conf", "etc/httpd/conf", "http/httpd.conf", "usr/local/apache1.3/conf/httpd.conf", "usr/local/etc/httpd/conf", "var/apache/conf/httpd.conf", "var/www/conf", "www/apache/conf/httpd.conf", "www/conf/httpd.conf", "etc/init.d", 
"etc/apache/access.conf", "etc/rc.conf", "www/logs/freebsddiary-error.log", "www/logs/freebsddiary-access_log", "library/webserver/documents/index.html", "library/webserver/documents/index.htm", "library/webserver/documents/default.html", "library/webserver/documents/default.htm", "library/webserver/documents/index.php", "library/webserver/documents/default.php", "var/log/webmin/miniserv.log", "usr/local/etc/webmin/miniserv.conf", "etc/webmin/miniserv.conf", "usr/local/etc/webmin/miniserv.users", "etc/webmin/miniserv.users", "winnt/system32/logfiles/w3svc/inetsvn1.log", "winnt/system32/logfiles/w3svc1/inetsvn1.log", "winnt/system32/logfiles/w3svc2/inetsvn1.log", "winnt/system32/logfiles/w3svc3/inetsvn1.log", "windows/system32/logfiles/w3svc/inetsvn1.log", "windows/system32/logfiles/w3svc1/inetsvn1.log", "windows/system32/logfiles/w3svc2/inetsvn1.log", "windows/system32/logfiles/w3svc3/inetsvn1.log", "var/log/httpd/access_log", "var/log/httpd/error_log", "apache/logs/error.log", "apache/logs/access.log", "apache2/logs/error.log", "apache2/logs/access.log", "logs/error.log", "logs/access.log", "etc/httpd/logs/access_log", "etc/httpd/logs/access.log", "etc/httpd/logs/error_log", "etc/httpd/logs/error.log", "usr/local/apache/logs/access_log", "usr/local/apache/logs/access.log", "usr/local/apache/logs/error_log", "usr/local/apache/logs/error.log", "usr/local/apache2/logs/access_log", "usr/local/apache2/logs/access.log", "usr/local/apache2/logs/error_log", "usr/local/apache2/logs/error.log", "var/www/logs/access_log", "var/www/logs/access.log", "var/www/logs/error_log", "var/www/logs/error.log", "var/log/httpd/access.log", "var/log/httpd/error.log", "var/log/apache/access_log", "var/log/apache/access.log", "var/log/apache/error_log", "var/log/apache/error.log", "var/log/apache2/access_log", "var/log/apache2/access.log", "var/log/apache2/error_log", "var/log/apache2/error.log", "var/log/access_log", "var/log/access.log", "var/log/error_log", "var/log/error.log", 
"opt/lampp/logs/access_log", "opt/lampp/logs/error_log", "opt/xampp/logs/access_log", "opt/xampp/logs/error_log", "opt/lampp/logs/access.log", "opt/lampp/logs/error.log", "opt/xampp/logs/access.log", "opt/xampp/logs/error.log", "program files/apache group/apache/logs/access.log", "program files/apache group/apache/logs/error.log", "program files/apache software foundation/apache2.2/logs/error.log", "program files/apache software foundation/apache2.2/logs/access.log", "opt/apache/apache.conf", "opt/apache/conf/apache.conf", "opt/apache2/apache.conf", "opt/apache2/conf/apache.conf", "opt/httpd/apache.conf", "opt/httpd/conf/apache.conf", "etc/httpd/apache.conf", "etc/apache2/apache.conf", "etc/httpd/conf/apache.conf", "usr/local/apache/apache.conf", "usr/local/apache/conf/apache.conf", "usr/local/apache2/apache.conf", "usr/local/apache2/conf/apache.conf", "usr/local/php/apache.conf.php", "usr/local/php4/apache.conf.php", "usr/local/php5/apache.conf.php", "usr/local/php/apache.conf", "usr/local/php4/apache.conf", "usr/local/php5/apache.conf", "private/etc/httpd/apache.conf", "opt/apache/apache2.conf", "opt/apache/conf/apache2.conf", "opt/apache2/apache2.conf", "opt/apache2/conf/apache2.conf", "opt/httpd/apache2.conf", "opt/httpd/conf/apache2.conf", "etc/httpd/apache2.conf", "etc/httpd/conf/apache2.conf", "usr/local/apache/apache2.conf", "usr/local/apache/conf/apache2.conf", "usr/local/apache2/apache2.conf", "usr/local/apache2/conf/apache2.conf", "usr/local/php/apache2.conf.php", "usr/local/php4/apache2.conf.php", "usr/local/php5/apache2.conf.php", "usr/local/php/apache2.conf", "usr/local/php4/apache2.conf", "usr/local/php5/apache2.conf", "private/etc/httpd/apache2.conf", "usr/local/apache/conf/httpd.conf", "usr/local/apache2/conf/httpd.conf", "etc/httpd/conf/httpd.conf", "etc/apache/apache.conf", "etc/apache/conf/httpd.conf", "etc/apache2/httpd.conf", "usr/apache2/conf/httpd.conf", "usr/apache/conf/httpd.conf", "usr/local/etc/apache/conf/httpd.conf", 
"usr/local/apache/httpd.conf", "usr/local/apache2/httpd.conf", "usr/local/httpd/conf/httpd.conf", "usr/local/etc/apache2/conf/httpd.conf", "usr/local/etc/httpd/conf/httpd.conf", "usr/local/apps/apache2/conf/httpd.conf", "usr/local/apps/apache/conf/httpd.conf", "usr/local/php/httpd.conf.php", "usr/local/php4/httpd.conf.php", "usr/local/php5/httpd.conf.php", "usr/local/php/httpd.conf", "usr/local/php4/httpd.conf", "usr/local/php5/httpd.conf", "etc/apache2/conf/httpd.conf", "etc/http/conf/httpd.conf", "etc/httpd/httpd.conf", "etc/http/httpd.conf", "etc/httpd.conf", "opt/apache/conf/httpd.conf", "opt/apache2/conf/httpd.conf", "var/www/conf/httpd.conf", "private/etc/httpd/httpd.conf", "private/etc/httpd/httpd.conf.default", "etc/apache2/vhosts.d/default_vhost.include", "etc/apache2/conf.d/charset", "etc/apache2/conf.d/security", "etc/apache2/envvars", "etc/apache2/mods-available/autoindex.conf", "etc/apache2/mods-available/deflate.conf", "etc/apache2/mods-available/dir.conf", "etc/apache2/mods-available/mem_cache.conf", "etc/apache2/mods-available/mime.conf", "etc/apache2/mods-available/proxy.conf", "etc/apache2/mods-available/setenvif.conf", "etc/apache2/mods-available/ssl.conf", "etc/apache2/mods-enabled/alias.conf", "etc/apache2/mods-enabled/deflate.conf", "etc/apache2/mods-enabled/dir.conf", "etc/apache2/mods-enabled/mime.conf", "etc/apache2/mods-enabled/negotiation.conf", "etc/apache2/mods-enabled/php5.conf", "etc/apache2/mods-enabled/status.conf", "program files/apache group/apache/conf/httpd.conf", "program files/apache group/apache2/conf/httpd.conf", "program files/xampp/apache/conf/apache.conf", "program files/xampp/apache/conf/apache2.conf", "program files/xampp/apache/conf/httpd.conf", "program files/apache group/apache/apache.conf", "program files/apache group/apache/conf/apache.conf", "program files/apache group/apache2/conf/apache.conf", "program files/apache group/apache/apache2.conf", "program files/apache group/apache/conf/apache2.conf", "program 
files/apache group/apache2/conf/apache2.conf", "program files/apache software foundation/apache2.2/conf/httpd.conf", "volumes/macintosh_hd1/opt/httpd/conf/httpd.conf", "volumes/macintosh_hd1/opt/apache/conf/httpd.conf", "volumes/macintosh_hd1/opt/apache2/conf/httpd.conf", "volumes/macintosh_hd1/usr/local/php/httpd.conf.php", "volumes/macintosh_hd1/usr/local/php4/httpd.conf.php", "volumes/macintosh_hd1/usr/local/php5/httpd.conf.php", "volumes/webbackup/opt/apache2/conf/httpd.conf", "volumes/webbackup/private/etc/httpd/httpd.conf", "volumes/webbackup/private/etc/httpd/httpd.conf.default", "usr/local/etc/apache/vhosts.conf", "usr/local/jakarta/tomcat/conf/jakarta.conf", "usr/local/jakarta/tomcat/conf/server.xml", "usr/local/jakarta/tomcat/conf/context.xml", "usr/local/jakarta/tomcat/conf/workers.properties", "usr/local/jakarta/tomcat/conf/logging.properties", "usr/local/jakarta/dist/tomcat/conf/jakarta.conf", "usr/local/jakarta/dist/tomcat/conf/server.xml", "usr/local/jakarta/dist/tomcat/conf/context.xml", "usr/local/jakarta/dist/tomcat/conf/workers.properties", "usr/local/jakarta/dist/tomcat/conf/logging.properties", "usr/share/tomcat6/conf/server.xml", "usr/share/tomcat6/conf/context.xml", "usr/share/tomcat6/conf/workers.properties", "usr/share/tomcat6/conf/logging.properties", "var/log/tomcat6/catalina.out", "var/cpanel/tomcat.options", "usr/local/jakarta/tomcat/logs/catalina.out", "usr/local/jakarta/tomcat/logs/catalina.err", "opt/tomcat/logs/catalina.out", "opt/tomcat/logs/catalina.err", "usr/share/logs/catalina.out", "usr/share/logs/catalina.err", "usr/share/tomcat/logs/catalina.out", "usr/share/tomcat/logs/catalina.err", "usr/share/tomcat6/logs/catalina.out", "usr/share/tomcat6/logs/catalina.err", "usr/local/apache/logs/mod_jk.log", "usr/local/jakarta/tomcat/logs/mod_jk.log", "usr/local/jakarta/dist/tomcat/logs/mod_jk.log", "opt/[jboss]/server/default/conf/jboss-minimal.xml", "opt/[jboss]/server/default/conf/jboss-service.xml", 
"opt/[jboss]/server/default/conf/jndi.properties", "opt/[jboss]/server/default/conf/log4j.xml", "opt/[jboss]/server/default/conf/login-config.xml", "opt/[jboss]/server/default/conf/standardjaws.xml", "opt/[jboss]/server/default/conf/standardjboss.xml", "opt/[jboss]/server/default/conf/server.log.properties", "opt/[jboss]/server/default/deploy/jboss-logging.xml", "usr/local/[jboss]/server/default/conf/jboss-minimal.xml", "usr/local/[jboss]/server/default/conf/jboss-service.xml", "usr/local/[jboss]/server/default/conf/jndi.properties", "usr/local/[jboss]/server/default/conf/log4j.xml", "usr/local/[jboss]/server/default/conf/login-config.xml", "usr/local/[jboss]/server/default/conf/standardjaws.xml", "usr/local/[jboss]/server/default/conf/standardjboss.xml", "usr/local/[jboss]/server/default/conf/server.log.properties", "usr/local/[jboss]/server/default/deploy/jboss-logging.xml", "private/tmp/[jboss]/server/default/conf/jboss-minimal.xml", "private/tmp/[jboss]/server/default/conf/jboss-service.xml", "private/tmp/[jboss]/server/default/conf/jndi.properties", "private/tmp/[jboss]/server/default/conf/log4j.xml", "private/tmp/[jboss]/server/default/conf/login-config.xml", "private/tmp/[jboss]/server/default/conf/standardjaws.xml", "private/tmp/[jboss]/server/default/conf/standardjboss.xml", "private/tmp/[jboss]/server/default/conf/server.log.properties", "private/tmp/[jboss]/server/default/deploy/jboss-logging.xml", "tmp/[jboss]/server/default/conf/jboss-minimal.xml", "tmp/[jboss]/server/default/conf/jboss-service.xml", "tmp/[jboss]/server/default/conf/jndi.properties", "tmp/[jboss]/server/default/conf/log4j.xml", "tmp/[jboss]/server/default/conf/login-config.xml", "tmp/[jboss]/server/default/conf/standardjaws.xml", "tmp/[jboss]/server/default/conf/standardjboss.xml", "tmp/[jboss]/server/default/conf/server.log.properties", "tmp/[jboss]/server/default/deploy/jboss-logging.xml", "program files/[jboss]/server/default/conf/jboss-minimal.xml", "program 
files/[jboss]/server/default/conf/jboss-service.xml", "program files/[jboss]/server/default/conf/jndi.properties", "program files/[jboss]/server/default/conf/log4j.xml", "program files/[jboss]/server/default/conf/login-config.xml", "program files/[jboss]/server/default/conf/standardjaws.xml", "program files/[jboss]/server/default/conf/standardjboss.xml", "program files/[jboss]/server/default/conf/server.log.properties", "program files/[jboss]/server/default/deploy/jboss-logging.xml", "[jboss]/server/default/conf/jboss-minimal.xml", "[jboss]/server/default/conf/jboss-service.xml", "[jboss]/server/default/conf/jndi.properties", "[jboss]/server/default/conf/log4j.xml", "[jboss]/server/default/conf/login-config.xml", "[jboss]/server/default/conf/standardjaws.xml", "[jboss]/server/default/conf/standardjboss.xml", "[jboss]/server/default/conf/server.log.properties", "[jboss]/server/default/deploy/jboss-logging.xml", "opt/[jboss]/server/default/log/server.log", "opt/[jboss]/server/default/log/boot.log", "usr/local/[jboss]/server/default/log/server.log", "usr/local/[jboss]/server/default/log/boot.log", "private/tmp/[jboss]/server/default/log/server.log", "private/tmp/[jboss]/server/default/log/boot.log", "tmp/[jboss]/server/default/log/server.log", "tmp/[jboss]/server/default/log/boot.log", "program files/[jboss]/server/default/log/server.log", "program files/[jboss]/server/default/log/boot.log", "[jboss]/server/default/log/server.log", "[jboss]/server/default/log/boot.log", "var/log/lighttpd.error.log", "var/log/lighttpd.access.log", "var/lighttpd.log", "var/logs/access.log", "var/log/lighttpd/", "var/log/lighttpd/error.log", "var/log/lighttpd/access.www.log", "var/log/lighttpd/error.www.log", "var/log/lighttpd/access.log", "usr/local/apache2/logs/lighttpd.error.log", "usr/local/apache2/logs/lighttpd.log", "usr/local/apache/logs/lighttpd.error.log", "usr/local/apache/logs/lighttpd.log", "usr/local/lighttpd/log/lighttpd.error.log", "usr/local/lighttpd/log/access.log", 
"var/log/lighttpd/{domain}/access.log", "var/log/lighttpd/{domain}/error.log", "usr/home/user/var/log/lighttpd.error.log", "usr/home/user/var/log/apache.log", "home/user/lighttpd/lighttpd.conf", "usr/home/user/lighttpd/lighttpd.conf", "etc/lighttpd/lighthttpd.conf", "usr/local/etc/lighttpd.conf", "usr/local/lighttpd/conf/lighttpd.conf", "usr/local/etc/lighttpd.conf.new", "var/www/.lighttpdpassword", "var/log/nginx/access_log", "var/log/nginx/error_log", "var/log/nginx/access.log", "var/log/nginx/error.log", "var/log/nginx.access_log", "var/log/nginx.error_log", "logs/access_log", "logs/error_log", "etc/nginx/nginx.conf", "usr/local/etc/nginx/nginx.conf", "usr/local/nginx/conf/nginx.conf", "usr/local/zeus/web/global.cfg", "usr/local/zeus/web/log/errors", "opt/lsws/conf/httpd_conf.xml", "usr/local/lsws/conf/httpd_conf.xml", "opt/lsws/logs/error.log", "opt/lsws/logs/access.log", "usr/local/lsws/logs/error.log", "usr/local/logs/access.log", "usr/local/samba/lib/log.user", "usr/local/logs/samba.log", "var/log/samba/log.smbd", "var/log/samba/log.nmbd", "var/log/samba.log", "var/log/samba.log1", "var/log/samba.log2", "var/log/log.smb", "etc/samba/netlogon", "etc/smbpasswd", "etc/smb.conf", "etc/samba/dhcp.conf", "etc/samba/smb.conf", "etc/samba/samba.conf", "etc/samba/smb.conf.user", "etc/samba/smbpasswd", "etc/samba/smbusers", "etc/samba/private/smbpasswd", "usr/local/etc/smb.conf", "usr/local/samba/lib/smb.conf.user", "etc/dhcp3/dhclient.conf", "etc/dhcp3/dhcpd.conf", "etc/dhcp/dhclient.conf", "program files/vidalia bundle/polipo/polipo.conf", "etc/tor/tor-tsocks.conf", "etc/stunnel/stunnel.conf", "etc/tsocks.conf", "etc/tinyproxy/tinyproxy.conf", "etc/miredo-server.conf", "etc/miredo.conf", "etc/miredo/miredo-server.conf", "etc/miredo/miredo.conf", "etc/wicd/dhclient.conf.template.default", "etc/wicd/manager-settings.conf", "etc/wicd/wired-settings.conf", "etc/wicd/wireless-settings.conf", "var/log/ipfw.log", "var/log/ipfw", "var/log/ipfw/ipfw.log", 
"var/log/ipfw.today", "etc/ipfw.rules", "etc/ipfw.conf", "etc/firewall.rules", "winnt/system32/logfiles/firewall/pfirewall.log", "winnt/system32/logfiles/firewall/pfirewall.log.old", "windows/system32/logfiles/firewall/pfirewall.log", "windows/system32/logfiles/firewall/pfirewall.log.old", "etc/clamav/clamd.conf", "etc/clamav/freshclam.conf", "etc/x11/xorg.conf", "etc/x11/xorg.conf-vesa", "etc/x11/xorg.conf-vmware", "etc/x11/xorg.conf.beforevmwaretoolsinstall", "etc/x11/xorg.conf.orig", "etc/bluetooth/input.conf", "etc/bluetooth/main.conf", "etc/bluetooth/network.conf", "etc/bluetooth/rfcomm.conf", "proc/self/environ", "proc/self/mounts", "proc/self/stat", "proc/self/status", "proc/self/cmdline", "proc/self/fd/0", "proc/self/fd/1", "proc/self/fd/2", "proc/self/fd/3", "proc/self/fd/4", "proc/self/fd/5", "proc/self/fd/6", "proc/self/fd/7", "proc/self/fd/8", "proc/self/fd/9", "proc/self/fd/10", "proc/self/fd/11", "proc/self/fd/12", "proc/self/fd/13", "proc/self/fd/14", "proc/self/fd/15", "proc/version", "proc/devices", "proc/cpuinfo", "proc/meminfo", "proc/net/tcp", "proc/net/udp", "etc/bash_completion.d/debconf", "root/.bash_logout", "root/.bash_history", "root/.bash_config", "root/.bashrc", "etc/bash.bashrc", "var/adm/syslog", "var/adm/sulog", "var/adm/utmp", "var/adm/utmpx", "var/adm/wtmp", "var/adm/wtmpx", "var/adm/lastlog/username", "usr/spool/lp/log", "var/adm/lp/lpd-errs", "usr/lib/cron/log", "var/adm/loginlog", "var/adm/pacct", "var/adm/dtmp", "var/adm/acct/sum/loginlog", "var/adm/x0msgs", "var/adm/crash/vmcore", "var/adm/crash/unix", "etc/newsyslog.conf", "var/adm/qacct", "var/adm/ras/errlog", "var/adm/ras/bootlog", "var/adm/cron/log", "etc/utmp", "etc/security/lastlog", "etc/security/failedlogin", "usr/spool/mqueue/syslog", "var/adm/messages", "var/adm/aculogs", "var/adm/aculog", "var/adm/vold.log", "var/adm/log/asppp.log", "var/log/poplog", "var/log/authlog", "var/lp/logs/lpsched", "var/lp/logs/lpnet", "var/lp/logs/requests", "var/cron/log", "var/saf/_log", 
"var/saf/port/log", "var/log/news.all", "var/log/news/news.all", "var/log/news/news.crit", "var/log/news/news.err", "var/log/news/news.notice", "var/log/news/suck.err", "var/log/news/suck.notice", "var/log/messages", "var/log/messages.1", "var/log/user.log", "var/log/user.log.1", "var/log/auth.log", "var/log/pm-powersave.log", "var/log/xorg.0.log", "var/log/daemon.log", "var/log/daemon.log.1", "var/log/kern.log", "var/log/kern.log.1", "var/log/mail.err", "var/log/mail.info", "var/log/mail.warn", "var/log/ufw.log", "var/log/boot.log", "var/log/syslog", "var/log/syslog.1", "tmp/access.log", "etc/sensors.conf", "etc/sensors3.conf", "etc/host.conf", "etc/pam.conf", "etc/resolv.conf", "etc/apt/apt.conf", "etc/inetd.conf", "etc/syslog.conf", "etc/sysctl.conf", "etc/sysctl.d/10-console-messages.conf", "etc/sysctl.d/10-network-security.conf", "etc/sysctl.d/10-process-security.conf", "etc/sysctl.d/wine.sysctl.conf", "etc/security/access.conf", "etc/security/group.conf", "etc/security/limits.conf", "etc/security/namespace.conf", "etc/security/pam_env.conf", "etc/security/sepermit.conf", "etc/security/time.conf", "etc/ssh/sshd_config", "etc/adduser.conf", "etc/deluser.conf", "etc/avahi/avahi-daemon.conf", "etc/ca-certificates.conf", "etc/ca-certificates.conf.dpkg-old", "etc/casper.conf", "etc/chkrootkit.conf", "etc/debconf.conf", "etc/dns2tcpd.conf", "etc/e2fsck.conf", "etc/esound/esd.conf", "etc/etter.conf", "etc/fuse.conf", "etc/foremost.conf", "etc/hdparm.conf", "etc/kernel-img.conf", "etc/kernel-pkg.conf", "etc/ld.so.conf", "etc/ltrace.conf", "etc/mail/sendmail.conf", "etc/manpath.config", "etc/kbd/config", "etc/ldap/ldap.conf", "etc/logrotate.conf", "etc/mtools.conf", "etc/smi.conf", "etc/updatedb.conf", "etc/pulse/client.conf", "usr/share/adduser/adduser.conf", "etc/hostname", "etc/networks", "etc/timezone", "etc/modules", "etc/passwd", "etc/passwd~", "etc/passwd-", "etc/shadow", "etc/shadow~", "etc/shadow-", "etc/fstab", "etc/motd", "etc/hosts", "etc/group", 
"etc/group-", "etc/alias", "etc/crontab", "etc/crypttab", "etc/exports", "etc/mtab", "etc/hosts.allow", "etc/hosts.deny", "etc/os-release", "etc/password.master", "etc/profile", "etc/default/grub", "etc/resolvconf/update-libc.d/sendmail", "etc/inittab", "etc/issue", "etc/issue.net", "etc/login.defs", "etc/sudoers", "etc/sysconfig/network-scripts/ifcfg-eth0", "etc/redhat-release", "etc/debian_version", "etc/fedora-release", "etc/mandrake-release", "etc/slackware-release", "etc/suse-release", "etc/security/group", "etc/security/passwd", "etc/security/user", "etc/security/environ", "etc/security/limits", "etc/security/opasswd", "boot/grub/grub.cfg", "boot/grub/menu.lst", "root/.ksh_history", "root/.xauthority", "usr/lib/security/mkuser.default", "var/log/squirrelmail.log", "var/log/apache2/squirrelmail.log", "var/log/apache2/squirrelmail.err.log", "var/lib/squirrelmail/prefs/squirrelmail.log", "var/log/mail.log", "etc/squirrelmail/apache.conf", "etc/squirrelmail/config_local.php", "etc/squirrelmail/default_pref", "etc/squirrelmail/index.php", "etc/squirrelmail/config_default.php", "etc/squirrelmail/config.php", "etc/squirrelmail/filters_setup.php", "etc/squirrelmail/sqspell_config.php", "etc/squirrelmail/config/config.php", "etc/httpd/conf.d/squirrelmail.conf", "usr/share/squirrelmail/config/config.php", "private/etc/squirrelmail/config/config.php", "srv/www/htdos/squirrelmail/config/config.php", "var/www/squirrelmail/config/config.php", "var/www/html/squirrelmail/config/config.php", "var/www/html/squirrelmail-1.2.9/config/config.php", "usr/share/squirrelmail/plugins/squirrel_logger/setup.php", "usr/local/squirrelmail/www/readme", "windows/system32/drivers/etc/hosts", "windows/system32/drivers/etc/lmhosts.sam", "windows/system32/drivers/etc/networks", "windows/system32/drivers/etc/protocol", "windows/system32/drivers/etc/services", "/boot.ini", "windows/debug/netsetup.log", "windows/comsetup.log", "windows/repair/setup.log", "windows/setupact.log", 
"windows/setupapi.log", "windows/setuperr.log", "windows/updspapi.log", "windows/wmsetup.log", "windows/windowsupdate.log", "windows/odbc.ini", "usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php", "etc/apache2/conf.d/phpmyadmin.conf", "etc/phpmyadmin/config.inc.php", "etc/openldap/ldap.conf", "etc/cups/acroread.conf", "etc/cups/cupsd.conf", "etc/cups/cupsd.conf.default", "etc/cups/pdftops.conf", "etc/cups/printers.conf", "windows/system32/macromed/flash/flashinstall.log", "windows/system32/macromed/flash/install.log", "etc/cvs-cron.conf", "etc/cvs-pserver.conf", "etc/subversion/config", "etc/modprobe.d/vmware-tools.conf", "etc/updatedb.conf.beforevmwaretoolsinstall", "etc/vmware-tools/config", "etc/vmware-tools/tpvmlp.conf", "etc/vmware-tools/vmware-tools-libraries.conf", "var/log/vmware/hostd.log", "var/log/vmware/hostd-1.log", "/wp-config.php", "/wp-config.bak", "/wp-config.old", "/wp-config.temp", "/wp-config.tmp", "/wp-config.txt", "/config.yml", "/config_dev.yml", "/config_prod.yml", "/config_test.yml", "/parameters.yml", "/routing.yml", "/security.yml", "/services.yml", "sites/default/default.settings.php", "sites/default/settings.php", "sites/default/settings.local.php", "app/etc/local.xml", "/sftp-config.json", "/web.config", "includes/config.php", "includes/configure.php", "config.inc.php", "localsettings.php", "inc/config.php", "typo3conf/localconf.php", "config/app.php", "config/custom.php", "config/database.php", "/configuration.php", "/config.php", "var/mail/www-data", "etc/network/", "etc/init/", "inetpub/wwwroot/global.asa", "system32/inetsrv/config/applicationhost.config", "system32/inetsrv/config/administration.config", "system32/inetsrv/config/redirection.config", "system32/config/default", "system32/config/sam", "system32/config/system", "system32/config/software", "winnt/repair/sam._", "/package.json", "/package-lock.json", "/gruntfile.js", "/npm-debug.log", "/ormconfig.json", "/tsconfig.json", 
"/webpack.config.js", "/yarn.lock" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase", "normalizePath" ] }, { "id": "crs-931-110", "name": "RFI: Common RFI Vulnerable Parameter Name used w/ URL Payload", "tags": { "type": "rfi", "crs_id": "931110", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" } ], "regex": "(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://", "options": { "min_length": 15 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-931-120", "name": "RFI: URL Payload Used w/Trailing Question Mark Character (?)", "tags": { "type": "rfi", "crs_id": "931120", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" } ], "regex": "^(?i:file|ftps?|https?).*?\\?+$", "options": { "case_sensitive": true, "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-932-160", "name": "Remote Command Execution: Unix Shell Code Found", "tags": { "type": "command_injection", "crs_id": "932160", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "list": [ "${cdpath}", "${dirstack}", "${home}", "${hostname}", "${ifs}", "${oldpwd}", "${ostype}", "${path}", "${pwd}", "$cdpath", "$dirstack", "$home", "$hostname", "$ifs", "$oldpwd", "$ostype", "$path", "$pwd", "bin/bash", "bin/cat", "bin/csh", "bin/dash", "bin/du", "bin/echo", "bin/grep", "bin/less", "bin/ls", "bin/mknod", "bin/more", "bin/nc", "bin/ps", "bin/rbash", "bin/sh", "bin/sleep", "bin/su", "bin/tcsh", "bin/uname", "dev/fd/", 
"dev/null", "dev/stderr", "dev/stdin", "dev/stdout", "dev/tcp/", "dev/udp/", "dev/zero", "etc/group", "etc/master.passwd", "etc/passwd", "etc/pwd.db", "etc/shadow", "etc/shells", "etc/spwd.db", "proc/self/", "usr/bin/awk", "usr/bin/base64", "usr/bin/cat", "usr/bin/cc", "usr/bin/clang", "usr/bin/clang++", "usr/bin/curl", "usr/bin/diff", "usr/bin/env", "usr/bin/fetch", "usr/bin/file", "usr/bin/find", "usr/bin/ftp", "usr/bin/gawk", "usr/bin/gcc", "usr/bin/head", "usr/bin/hexdump", "usr/bin/id", "usr/bin/less", "usr/bin/ln", "usr/bin/mkfifo", "usr/bin/more", "usr/bin/nc", "usr/bin/ncat", "usr/bin/nice", "usr/bin/nmap", "usr/bin/perl", "usr/bin/php", "usr/bin/php5", "usr/bin/php7", "usr/bin/php-cgi", "usr/bin/printf", "usr/bin/psed", "usr/bin/python", "usr/bin/python2", "usr/bin/python3", "usr/bin/ruby", "usr/bin/sed", "usr/bin/socat", "usr/bin/tail", "usr/bin/tee", "usr/bin/telnet", "usr/bin/top", "usr/bin/uname", "usr/bin/wget", "usr/bin/who", "usr/bin/whoami", "usr/bin/xargs", "usr/bin/xxd", "usr/bin/yes", "usr/local/bin/bash", "usr/local/bin/curl", "usr/local/bin/ncat", "usr/local/bin/nmap", "usr/local/bin/perl", "usr/local/bin/php", "usr/local/bin/python", "usr/local/bin/python2", "usr/local/bin/python3", "usr/local/bin/rbash", "usr/local/bin/ruby", "usr/local/bin/wget" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-932-171", "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", "tags": { "type": "command_injection", "crs_id": "932171", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "^\\(\\s*\\)\\s+{", "options": { "case_sensitive": true, "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-932-180", "name": "Restricted File 
Upload Attempt", "tags": { "type": "command_injection", "crs_id": "932180", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "x-filename" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "x_filename" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "x-file-name" ] } ], "list": [ ".htaccess", ".htdigest", ".htpasswd", "wp-config.php", "config.yml", "config_dev.yml", "config_prod.yml", "config_test.yml", "parameters.yml", "routing.yml", "security.yml", "services.yml", "default.settings.php", "settings.php", "settings.local.php", "local.xml", ".env" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-933-111", "name": "PHP Injection Attack: PHP Script File Upload Found", "tags": { "type": "unrestricted_file_upload", "crs_id": "933111", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "x-filename" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "x_filename" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "x.filename" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "x-file-name" ] } ], "regex": ".*\\.(?:php\\d*|phtml)\\..*$", "options": { "case_sensitive": true, "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "crs-933-130", "name": "PHP Injection Attack: Global Variables Found", "tags": { "type": "php_code_injection", "crs_id": "933130", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "list": [ "$globals", "$http_cookie_vars", "$http_env_vars", "$http_get_vars", "$http_post_files", "$http_post_vars", 
"$http_raw_post_data", "$http_request_vars", "$http_server_vars", "$_cookie", "$_env", "$_files", "$_get", "$_post", "$_request", "$_server", "$_session", "$argc", "$argv" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-933-131", "name": "PHP Injection Attack: HTTP Headers Values Found", "tags": { "type": "php_code_injection", "crs_id": "933131", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)", "options": { "case_sensitive": true, "min_length": 9 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-933-140", "name": "PHP Injection Attack: I/O Stream Found", "tags": { "type": "php_code_injection", "crs_id": "933140", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)", "options": { "min_length": 8 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-933-150", "name": "PHP Injection Attack: High-Risk PHP Function Name Found", "tags": { "type": "php_code_injection", "crs_id": "933150", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "list": [ "__halt_compiler", "apache_child_terminate", "base64_decode", "bzdecompress", 
"call_user_func", "call_user_func_array", "call_user_method", "call_user_method_array", "convert_uudecode", "file_get_contents", "file_put_contents", "fsockopen", "get_class_methods", "get_class_vars", "get_defined_constants", "get_defined_functions", "get_defined_vars", "gzdecode", "gzinflate", "gzuncompress", "include_once", "invokeargs", "pcntl_exec", "pcntl_fork", "pfsockopen", "posix_getcwd", "posix_getpwuid", "posix_getuid", "posix_uname", "reflectionfunction", "require_once", "shell_exec", "str_rot13", "sys_get_temp_dir", "wp_remote_fopen", "wp_remote_get", "wp_remote_head", "wp_remote_post", "wp_remote_request", "wp_safe_remote_get", "wp_safe_remote_head", "wp_safe_remote_post", "wp_safe_remote_request", "zlib_decode" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "crs-933-160", "name": "PHP Injection Attack: High-Risk PHP Function Call Found", "tags": { "type": "php_code_injection", "crs_id": "933160", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": 
"\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|
ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)", "options": { "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-933-170", "name": "PHP Injection Attack: Serialized Object Injection", "tags": { "type": "php_code_injection", "crs_id": "933170", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies" }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}", "options": { "case_sensitive": true, "min_length": 12 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-933-200", "name": "PHP Injection Attack: Wrapper scheme detected", "tags": { "type": "php_code_injection", "crs_id": "933200", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://", "options": { "case_sensitive": true, "min_length": 6 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-934-100", "name": "Node.js Injection Attack", "tags": { "type": "js_code_injection", "crs_id": "934100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": 
"(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)", "options": { "case_sensitive": true, "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-941-100", "name": "XSS Attack Detected via libinjection", "tags": { "type": "xss", "crs_id": "941100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "referer" ] }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ] }, "operator": "is_xss" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-941-110", "name": "XSS Filter - Category 1: Script Tag Vector", "tags": { "type": "xss", "crs_id": "941110", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "referer" ] }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "<script[^>]*>[\\s\\S]*?", "options": { "min_length": 8 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-941-120", "name": "XSS Filter - Category 2: Event Handler Vector", "tags": { "type": "xss", "crs_id": "941120", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "referer" ] }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": 
"server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]", "options": { "min_length": 8 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-941-140", "name": "XSS Filter - Category 4: Javascript URI Vector", "tags": { "type": "xss", "crs_id": "941140", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] }, { "address": "server.request.headers.no_cookies", "key_path": [ "referer" ] }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript", "options": { "min_length": 18 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-941-180", "name": "Node-Validator Deny List Keywords", "tags": { "type": "xss", "crs_id": "941180", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "list": [ "document.cookie", "document.write", ".parentnode", ".innerhtml", "window.location", "-moz-binding", "]", "options": { "min_length": 8 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-941-300", "name": "IE XSS Filters - Attack Detected via object tag", "tags": { "type": "xss", "crs_id": "941300", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": ")|<.*\\+AD4-", "options": 
{ "case_sensitive": true, "min_length": 6 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-941-360", "name": "JSFuck / Hieroglyphy obfuscation detected", "tags": { "type": "xss", "crs_id": "941360", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "![!+ ]\\[\\]", "options": { "case_sensitive": true, "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-100", "name": "SQL Injection Attack Detected via libinjection", "tags": { "type": "sql_injection", "crs_id": "942100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ] }, "operator": "is_sqli" } ], "transformers": [ "removeNulls" ] }, { "id": "crs-942-160", "name": "Detects blind sqli tests using sleep() or benchmark()", "tags": { "type": "sql_injection", "crs_id": "942160", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))", "options": { "case_sensitive": true, "min_length": 7 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-190", "name": "Detects MSSQL code execution and information gathering attempts", "tags": { "type": "sql_injection", "crs_id": "942190", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": 
"grpc.server.request.message" } ], "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()", "options": { "min_length": 3 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-240", "name": "Detects MySQL charset switch and MSSQL DoS attempts", "tags": { "type": "sql_injection", "crs_id": "942240", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)", "options": { "min_length": 7 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-250", "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections", "tags": { "type": "sql_injection", "crs_id": "942250", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()", "options": { "case_sensitive": true, "min_length": 11 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-270", "name": "Basic SQL injection", "tags": { "type": "sql_injection", "crs_id": "942270", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": 
[ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "union.*?select.*?from", "options": { "min_length": 15 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-280", "name": "SQL Injection with delay functions", "tags": { "type": "sql_injection", "crs_id": "942280", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)", "options": { "min_length": 10 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-290", "name": "Finds basic MongoDB SQL injection attempts", "tags": { "type": "nosql_injection", "crs_id": "942290", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))", "options": { "case_sensitive": true, "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [ "keys_only" ] }, { "id": "crs-942-360", "name": "Detects concatenated basic SQL injection and SQLLFI attempts", "tags": { "type": "sql_injection", "crs_id": "942360", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": 
"(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)", "options": { "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-942-500", "name": "MySQL in-line comment detected", "tags": { "type": "sql_injection", "crs_id": "942500", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)", "options": { "case_sensitive": true, "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-943-100", "name": "Possible Session Fixation Attack: 
Setting Cookie Values in HTML", "tags": { "type": "http_protocol_violation", "crs_id": "943100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" } ], "regex": "(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)", "options": { "case_sensitive": true, "min_length": 15 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "crs-944-100", "name": "Remote Command Execution: Suspicious Java class detected", "tags": { "type": "java_code_injection", "crs_id": "944100", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "java\\.lang\\.(?:runtime|processbuilder)", "options": { "case_sensitive": true, "min_length": 17 } }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "crs-944-110", "name": "Remote Command Execution: Java process spawn (CVE-2017-9805)", "tags": { "type": "java_code_injection", "crs_id": "944110", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "(?:runtime|processbuilder)", "options": { "case_sensitive": true, "min_length": 7 } }, "operator": "match_regex" }, { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": 
"(?:unmarshaller|base64data|java\\.)", "options": { "case_sensitive": true, "min_length": 5 } }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "crs-944-130", "name": "Suspicious Java class detected", "tags": { "type": "java_code_injection", "crs_id": "944130", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "list": [ "com.opensymphony.xwork2", "com.sun.org.apache", "java.io.bufferedinputstream", "java.io.bufferedreader", "java.io.bytearrayinputstream", "java.io.bytearrayoutputstream", "java.io.chararrayreader", "java.io.datainputstream", "java.io.file", "java.io.fileoutputstream", "java.io.filepermission", "java.io.filewriter", "java.io.filterinputstream", "java.io.filteroutputstream", "java.io.filterreader", "java.io.inputstream", "java.io.inputstreamreader", "java.io.linenumberreader", "java.io.objectoutputstream", "java.io.outputstream", "java.io.pipedoutputstream", "java.io.pipedreader", "java.io.printstream", "java.io.pushbackinputstream", "java.io.reader", "java.io.stringreader", "java.lang.class", "java.lang.integer", "java.lang.number", "java.lang.object", "java.lang.process", "java.lang.processbuilder", "java.lang.reflect", "java.lang.runtime", "java.lang.string", "java.lang.stringbuilder", "java.lang.system", "javax.script.scriptenginemanager", "org.apache.commons", "org.apache.struts", "org.apache.struts2", "org.omg.corba", "java.beans.xmldecode" ] }, "operator": "phrase_match" } ], "transformers": [ "lowercase" ] }, { "id": "dog-000-001", "name": "Look for Cassandra injections", "tags": { "type": "nosql_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { 
"address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" } ], "regex": "\\ballow\\s+filtering\\b" }, "operator": "match_regex" } ], "transformers": [ "removeComments" ] }, { "id": "dog-000-002", "name": "OGNL - Look for formatting injection patterns", "tags": { "type": "java_code_injection", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}", "options": { "case_sensitive": true } } } ], "transformers": [] }, { "id": "dog-000-003", "name": "OGNL - Detect OGNL exploitation primitives", "tags": { "type": "java_code_injection", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "[@#]ognl", "options": { "case_sensitive": true } } } ], "transformers": [] }, { "id": "dog-000-004", "name": "Spring4Shell - Attempts to exploit the Spring4shell vulnerability", "tags": { "type": "exploit_detection", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.body" } ], "regex": "^class\\.module\\.classLoader\\.", "options": { "case_sensitive": false } } } ], "transformers": [ "keys_only" ] }, { "id": "nfd-000-001", "name": "Detect common directory discovery scans", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": 
"phrase_match", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "list": [ "/wordpress/", "/etc/", "/login.php", "/install.php", "/administrator", "/admin.php", "/wp-config", "/phpmyadmin", "/fckeditor", "/mysql", "/manager/html", ".htaccess", "/config.php", "/configuration", "/cgi-bin/php", "/search.php", "/tinymce", "/tiny_mce", "/settings.php", "../../..", "/install/", "/download.php", "/webdav", "/forum.php", "/user.php", "/style.php", "/jmx-console", "/modules.php", "/include.php", "/default.asp", "/help.php", "/database.yml", "/database.yml.pgsql", "/database.yml.sqlite3", "/database.yml.sqlite", "/database.yml.mysql", ".%2e/", "/view.php", "/header.php", "/search.asp", "%5c%5c", "/server/php/", "/invoker/jmxinvokerservlet", "/phpmyadmin/index.php", "/data/admin/allowurl.txt", "/verify.php", "/misc/ajax.js", "/.idea", "/module.php", "/backup.rar", "/backup.tar", "/backup.zip", "/backup.7z", "/backup.gz", "/backup.tgz", "/backup.tar.gz", "waitfor%20delay", "/calendar.php", "/news.php", "/dompdf.php", "))))))))))))))))", "/web.config", "tree.php", "/cgi-bin-sdb/printenv", "/comments.php", "/detail.asp", "/license.txt", "/admin.asp", "/auth.php", "/list.php", "/content.php", "/mod.php", "/mini.php", "/install.pgsql", "/install.mysql", "/install.sqlite", "/install.sqlite3", "/install.txt", "/install.md", "/doku.php", "/main.asp", "/myadmin", "/force-download.php", "/iisprotect/admin", "/.gitignore", "/print.php", "/common.php", "/mainfile.php", "/functions.php", "/scripts/setup.php", "/faq.php", "/op/op.login.php", "/home.php", "/includes/hnmain.inc.php3", "/preview.php", "/dump.rar", "/dump.tar", "/dump.zip", "/dump.7z", "/dump.gz", "/dump.tgz", "/dump.tar.gz", "/thumbnail.php", "/sendcard.php", "/global.asax", "/directory.php", "/footer.php", "/error.asp", "/forum.asp", "/save.php", "/htmlsax3.php", "/adm/krgourl.php", "/includes/converter.inc.php", "/nucleus/libs/pluginadmin.php", "/base_qry_common.php", "/fileadmin", "/bitrix/admin/", 
"/adm.php", "/util/barcode.php", "/action.php", "/rss.asp", "/downloads.php", "/page.php", "/snarf_ajax.php", "/fck/editor", "/sendmail.php", "/detail.php", "/iframe.php", "/swfupload.swf", "/jenkins/login", "/phpmyadmin/main.php", "/phpmyadmin/scripts/setup.php", "/user/index.php", "/checkout.php", "/process.php", "/ks_inc/ajax.js", "/export.php", "/register.php", "/cart.php", "/console.php", "/friend.php", "/readmsg.php", "/install.asp", "/dagent/downloadreport.asp", "/system/index.php", "/core/changelog.txt", "/js/util.js", "/interna.php", "/gallery.php", "/links.php", "/data/admin/ver.txt", "/language/zh-cn.xml", "/productdetails.asp", "/admin/template/article_more/config.htm", "/components/com_moofaq/includes/file_includer.php", "/licence.txt", "/rss.xsl", "/vtigerservice.php", "/mysql/main.php", "/passwiki.php", "/scr/soustab.php", "/global.php", "/email.php", "/user.asp", "/msd", "/products.php", "/cultbooking.php", "/cron.php", "/static/js/admincp.js", "/comment.php", "/maintainers", "/modules/plain/adminpart/addplain.php", "/wp-content/plugins/ungallery/source_vuln.php", "/upgrade.txt", "/category.php", "/index_logged.php", "/members.asp", "/script/html.js", "/images/ad.js", "/awstats/awstats.pl", "/includes/esqueletos/skel_null.php", "/modules/profile/user.php", "/window_top.php", "/openbrowser.php", "/thread.php", "tinfoil_xss", "/includes/include.php", "/urheber.php", "/header.inc.php", "/mysqldumper", "/display.php", "/website.php", "/stats.php", "/assets/plugins/mp3_id/mp3_id.php", "/siteminderagent/forms/smpwservices.fcc" ] } } ], "transformers": [ "lowercase" ] }, { "id": "nfd-000-002", "name": "Detect failed attempt to fetch readme files", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { 
"address": "server.request.uri.raw" } ], "regex": "readme\\.[\\.a-z0-9]+$", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-003", "name": "Detect failed attempt to fetch Java EE resource files", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "^(?:.*web\\-inf)(?:.*web\\.xml).*$", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-004", "name": "Detect failed attempt to fetch code files", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "\\.(java|pyc?|rb|class)\\b", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-005", "name": "Detect failed attempt to fetch source code archives", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "\\.(sql|log|ndb|gz|zip|tar\\.gz|tar|regVV|reg|conf|bz2|ini|db|war|bat|inc|btr|server|ds|conf|config|admin|master|sln|bak)\\b(?:[^.]|$)", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-006", "name": "Detect failed attempt to fetch sensitive files", "tags": { "type": "security_scanner", 
"category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "\\.(cgi|bat|dll|exe|key|cert|crt|pem|der|pkcs|pkcs|pkcs[0-9]*|nsf|jsa|war|java|class|vb|vba|so|git|svn|hg|cvs)([^a-zA-Z0-9_]|$)", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-007", "name": "Detect failed attempt to fetch archives", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "/[\\d\\-_]*\\.(rar|tar|zip|7z|gz|tgz|tar.gz)", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-008", "name": "Detect failed attempt to trigger incorrect application behavior", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "(/(administrator/components/com.*\\.php|response\\.write\\(.+\\))|select\\(.+\\)from|\\(.*sleep\\(.+\\)|(%[a-zA-Z0-9]{2}[a-zA-Z]{0,1})+\\))", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "nfd-000-009", "name": "Detect failed attempt to leak the structure of the application", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "operator": "match_regex", "parameters": { "inputs": [ { "address": 
"server.response.status" } ], "regex": "^404$", "options": { "case_sensitive": true } } }, { "operator": "match_regex", "parameters": { "inputs": [ { "address": "server.request.uri.raw" } ], "regex": "/(login\\.rol|LICENSE|[\\w-]+\\.(plx|pwd))$", "options": { "case_sensitive": false } } } ], "transformers": [] }, { "id": "sqr-000-001", "name": "SSRF: Try to access the credential manager of the main cloud services", "tags": { "type": "ssrf", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/", "options": { "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "sqr-000-002", "name": "Server-side Javascript injection: Try to detect obvious JS injection", "tags": { "type": "js_code_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)", "options": { "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [ "removeNulls" ] }, { "id": "sqr-000-007", "name": "NoSQL: Detect common exploitation strategy", "tags": { "type": "nosql_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" } ], "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$" }, "operator": "match_regex" } ], "transformers": [ 
"keys_only" ] }, { "id": "sqr-000-008", "name": "Windows: Detect attempts to exfiltrate .ini files", "tags": { "type": "command_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "sqr-000-009", "name": "Linux: Detect attempts to exfiltrate passwd files", "tags": { "type": "command_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "sqr-000-010", "name": "Windows: Detect attempts to timeout a shell", "tags": { "type": "command_injection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "sqr-000-011", "name": "SSRF: Try to access internal OMI service (CVE-2021-38647)", "tags": { "type": "ssrf", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], 
"regex": "http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman", "options": { "min_length": 4 } }, "operator": "match_regex" } ], "transformers": [] }, { "id": "sqr-000-012", "name": "SSRF: Detect SSRF attempt on internal service", "tags": { "type": "ssrf", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$" }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "sqr-000-013", "name": "SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation", "tags": { "type": "ssrf", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "grpc.server.request.message" } ], "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$" }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "sqr-000-014", "name": "SSRF: Detect SSRF domain redirection bypass", "tags": { "type": "ssrf", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)" }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "sqr-000-015", "name": "SSRF: Detect SSRF attempt using non HTTP protocol", "tags": { "type": "ssrf", 
"category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})" }, "operator": "match_regex" } ], "transformers": [ "lowercase" ] }, { "id": "sqr-000-017", "name": "Log4shell: Attempt to exploit log4j CVE-2021-44228", "tags": { "type": "exploit_detection", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.uri.raw" }, { "address": "server.request.query" }, { "address": "server.request.body" }, { "address": "server.request.path_params" }, { "address": "server.request.headers.no_cookies" }, { "address": "grpc.server.request.message" } ], "regex": "\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-0xx", "name": "Joomla exploitation tool", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "JDatabaseDriverMysqli" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-10x", "name": "Nessus", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)^Nessus(/|([ :]+SOAP))" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-12x", "name": "Arachni", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "^Arachni\\/v" }, 
"operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-13x", "name": "Jorgee", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)\\bJorgee\\b" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-14x", "name": "Probely", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)\\bProbely\\b" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-15x", "name": "Metis", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)\\bmetis\\b" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-16x", "name": "SQL power injector", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "sql power injector" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-18x", "name": "N-Stealth", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)\\bn-stealth\\b" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-19x", "name": "Brutus", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)\\bbrutus\\b" }, "operator": "match_regex" } 
], "transformers": [] }, { "id": "ua0-600-1xx", "name": "Shellshock exploitation tool", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "\\(\\) \\{ :; *\\}" }, "operator": "match_regex" } ], "transformers": [] }, { "id": "ua0-600-20x", "name": "Netsparker", "tags": { "type": "security_scanner", "category": "attack_attempt" }, "conditions": [ { "parameters": { "inputs": [ { "address": "server.request.headers.no_cookies", "key_path": [ "user-agent" ] } ], "regex": "(?i)(