diff --git a/owasp_rules.json b/owasp_rules.json
index f44d515..e5d4ed6 100644
--- a/owasp_rules.json
+++ b/owasp_rules.json
@@ -120,59 +120,55 @@
 "pattern": "@lt %{tx.blocking_paranoia_level}"
 },
 {
- "category": "EXCEPTIONS",
- "pattern": "@streq GET /"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@ipMatch 127.0.0.1,::1"
+ "category": "LFI",
+ "pattern": "@lt 1"
 },
 {
- "category": "EXCEPTIONS",
- "pattern": "@ipMatch 127.0.0.1,::1"
+ "category": "LFI",
+ "pattern": "@lt 1"
 },
 {
- "category": "EXCEPTIONS",
- "pattern": "@endsWith (internal dummy connection)"
+ "category": "LFI",
+ "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))"
 },
 {
- "category": "EXCEPTIONS",
- "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$"
+ "category": "LFI",
+ "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))"
 },
 {
- "category": "ENFORCEMENT",
- "pattern": "@lt 1"
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
 },
 {
- "category": "ENFORCEMENT",
- "pattern": "@lt 1"
+ "category": "LFI",
+ "pattern": "@pmFromFile restricted-files.data"
 },
 {
- "category": "ENFORCEMENT",
- "pattern": "!@within %{tx.allowed_methods}"
+ "category": "LFI",
+ "pattern": "@lt 2"
 },
 {
- "category": "ENFORCEMENT",
+ "category": "LFI",
 "pattern": "@lt 2"
 },
 {
- "category": "ENFORCEMENT",
- "pattern": "@lt 2"
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
 },
 {
- "category": "ENFORCEMENT",
+ "category": "LFI",
 "pattern": "@lt 3"
 },
 {
- "category": "ENFORCEMENT",
+ "category": "LFI",
 "pattern": "@lt 3"
 },
 {
- "category": "ENFORCEMENT",
+ "category": "LFI",
 "pattern": "@lt 4"
 },
 {
- "category": "ENFORCEMENT",
+ "category": "LFI",
 "pattern": "@lt 4"
 },
 {
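Review bot: The two added LFI `@rx` entries look like they have lost their backslash escapes: in `@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))` the bare `.{2,3}` matches any two or three characters between separators rather than literal dots, and `x5c` reads as the characters x, 5, c instead of a backslash. If any consumer compiles these strings as regexes, the path-traversal check would over-match ordinary paths and miss backslash-separated ones. Unless this is only an artifact of how the page was rendered, the generator should keep the escapes and let the JSON encoder double them, presumably `"pattern": "@rx (?:(?:^|[\\x5c/;])\\.{2,3}[\\x5c/;]|[\\x5c/;]\\.{2,3}(?:[\\x5c/;]|$))"`. The second hunk shows the same shape on its new side (`@rx ^5d{2}$`, `[sv]*`), so the fix belongs in whatever produces the file rather than in individual entries.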
@@ -212,1644 +208,1548 @@ "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 1" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 1" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" + "category": "EVALUATION", + "pattern": "@ge 2" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" + "category": "EVALUATION", + "pattern": "@ge 2" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^d+$" + "category": "EVALUATION", + "pattern": "@ge 3" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^(?:GET|HEAD)$" + "category": "EVALUATION", + "pattern": "@ge 3" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^0?$" + "category": "EVALUATION", + "pattern": "@ge 4" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^(?:GET|HEAD)$" + "category": "EVALUATION", + "pattern": "@ge 4" }, { - "category": "ENFORCEMENT", - "pattern": "!@eq 0" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "ENFORCEMENT", - "pattern": "@streq POST" + "category": "EVALUATION", + "pattern": "@ge 2" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "EVALUATION", + "pattern": "@ge 2" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "EVALUATION", + "pattern": "@ge 3" }, { - "category": "ENFORCEMENT", - "pattern": "!@eq 0" + "category": "EVALUATION", + "pattern": 
"@ge 3" }, { - "category": "ENFORCEMENT", - "pattern": "!@eq 0" + "category": "EVALUATION", + "pattern": "@ge 4" }, { - "category": "ENFORCEMENT", - "pattern": "@rx (d+)-(d+)" + "category": "EVALUATION", + "pattern": "@ge 4" }, { - "category": "ENFORCEMENT", - "pattern": "@lt %{tx.1}" + "category": "EVALUATION", + "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" }, { - "category": "ENFORCEMENT", - "pattern": "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" + "category": "EVALUATION", + "pattern": "@eq 1" }, { - "category": "ENFORCEMENT", - "pattern": "@rx x25" + "category": "EVALUATION", + "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" }, { - "category": "ENFORCEMENT", - "pattern": "@validateUrlEncoding" + "category": "EVALUATION", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^(?i)application/x-www-form-urlencoded" + "category": "EVALUATION", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@rx x25" + "category": "EVALUATION", + "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", - "pattern": "@validateUrlEncoding" + "category": "EVALUATION", + "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 1" + "category": "EVALUATION", + "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", - "pattern": "@validateUtf8Encoding" + "category": "EVALUATION", + "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", - "pattern": "@rx %u[fF]{2}[0-9a-fA-F]{2}" + "category": "EVALUATION", + "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@validateByteRange 1-255" + "category": "EVALUATION", + "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "PHP", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^$" + "category": "PHP", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^$" + "category": "PHP", + "pattern": "@rx (?:" }, { - "category": "ENFORCEMENT", - "pattern": "@gt %{tx.combined_file_sizes}" + 
"category": "PHP", + "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" + "category": "PHP", + "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^[^;s]+" + "category": "PHP", + "pattern": "@lt 4" }, { "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_request_content_type}" + "pattern": "@lt 1" }, { "category": "ENFORCEMENT", - "pattern": "@rx charsets*=s*[\"']?([^;\"'s]+)" + "pattern": "@lt 1" }, { "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_request_content_type_charset}" + "pattern": "!@within %{tx.allowed_methods}" }, { "category": "ENFORCEMENT", - "pattern": "@rx charset.*?charset" + "pattern": "@lt 2" }, { "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_http_versions}" + "pattern": "@lt 2" }, { "category": "ENFORCEMENT", - "pattern": "@rx .([^.]+)$" + "pattern": "@lt 3" }, { "category": "ENFORCEMENT", - "pattern": "@within %{tx.restricted_extensions}" + "pattern": "@lt 3" }, { "category": "ENFORCEMENT", - "pattern": "@rx .[^.~]+~(?:/.*|)$" + "pattern": "@lt 4" }, { "category": "ENFORCEMENT", - "pattern": "@rx ^.*$" + "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@within %{tx.restricted_headers_basic}" + "category": "ATTACK", + "pattern": "!@eq 0" }, { - "category": "ENFORCEMENT", - "pattern": "@gt 50" + "category": "ATTACK", + "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" }, { - "category": "ENFORCEMENT", + "category": "ATTACK", + "pattern": "@rx ^content-types*:s*(.*)$" + }, + { + "category": "ATTACK", "pattern": "!@rx 
^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" }, { - "category": "ENFORCEMENT", - "pattern": "!@streq JSON" + "category": "ATTACK", + "pattern": "@rx content-transfer-encoding:(.*)" }, { - "category": "ENFORCEMENT", - "pattern": "@rx (?i)x5cu[0-9a-f]{4}" + "category": "SQL", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@contains #" + "category": "SQL", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "@gt 1" + "category": "SQL", + "pattern": "!@pmFromFile sql-errors.data" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 2" + "category": "SQL", + "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 2" + "category": "SQL", + "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" + "category": "SQL", + "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" }, { - "category": "ENFORCEMENT", - "pattern": "!@endsWith .pdf" + "category": "SQL", + "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred 
in the vicinity of:)" }, { - "category": "ENFORCEMENT", - "pattern": "@endsWith .pdf" + "category": "SQL", + "pattern": "@rx (?i)Dynamic SQL Error" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" + "category": "SQL", + "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback." }, { - "category": "ENFORCEMENT", - "pattern": "@rx %[0-9a-fA-F]{2}" + "category": "SQL", + "pattern": "@rx (?i)org.hsqldb.jdbc" }, { - "category": "ENFORCEMENT", - "pattern": "@validateByteRange 9,10,13,32-126,128-255" + "category": "SQL", + "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "SQL", + "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ['\";=]" + "category": "SQL", + "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^0$" + "category": "SQL", + "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "SQL", + "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL 
Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^.*$" + "category": "SQL", + "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" }, { - "category": "ENFORCEMENT", - "pattern": "@within %{tx.restricted_headers_extended}" + "category": "SQL", + "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 3" + "category": "SQL", + "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 3" + "category": "SQL", + "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" }, { - "category": "ENFORCEMENT", - "pattern": "@validateByteRange 32-36,38-126" + "category": "SQL", + "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", - "pattern": "@eq 0" + "category": "SQL", + "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^(?:OPTIONS|CONNECT)$" + "category": "SQL", + "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", - "pattern": "!@pm AppleWebKit Android" + "category": "SQL", + "pattern": "@lt 3" }, { - "category": "ENFORCEMENT", - "pattern": "@ge 1" + "category": "SQL", + "pattern": "@lt 4" }, { - 
"category": "ENFORCEMENT", - "pattern": "@rx ^(?i)up" + "category": "SQL", + "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", - "pattern": "@gt 0" + "category": "GENERIC", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" + "category": "GENERIC", + "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" + "category": "GENERIC", + "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resol
v|cach)e|main|extensions)[\"'`]])" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 4" + "category": "GENERIC", + "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 4" + "category": "GENERIC", + "pattern": "@pmFromFile ssrf.data" }, { - "category": "ENFORCEMENT", - "pattern": "@endsWith .pdf" + "category": "GENERIC", + "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" }, { - "category": "ENFORCEMENT", - "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" + "category": "GENERIC", + "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" }, { - "category": "ENFORCEMENT", - "pattern": "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" + "category": "GENERIC", + "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" }, { - "category": "ENFORCEMENT", - "pattern": "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" + "category": "GENERIC", + "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" }, { - "category": "ENFORCEMENT", - 
"pattern": "!@rx ^(?:?[01])?$" + "category": "GENERIC", + "pattern": "@lt 2" }, { - "category": "ENFORCEMENT", - "pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" + "category": "GENERIC", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@lt 1" + "category": "GENERIC", + "pattern": "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" }, { - "category": "ATTACK", - "pattern": "@lt 1" + "category": "GENERIC", + "pattern": "@rx [s*constructors*]" }, { - "category": "ATTACK", - "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" + "category": "GENERIC", + "pattern": "@rx @{.*}" }, { - "category": "ATTACK", - "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" + "category": "GENERIC", + "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" + "category": "GENERIC", + "pattern": "@lt 
3" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "GENERIC", + "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "GENERIC", + "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + "category": "RFI", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "RFI", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + "category": "RFI", + "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" }, { - "category": "ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" + "category": "RFI", + "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" }, { - "category": "ATTACK", - "pattern": "@rx unix:[^|]*|" + "category": "RFI", + "pattern": "@rx ^(?i:file|ftps?|https?).*??+$" }, { - "category": "ATTACK", + "category": "RFI", "pattern": "@lt 2" }, { - "category": "ATTACK", + "category": "RFI", "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "RFI", + "pattern": "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" }, { - "category": "ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" + "category": "RFI", + "pattern": "!@endsWith .%{request_headers.host}" }, { - "category": "ATTACK", - "pattern": "@lt 3" + "category": "RFI", + "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" }, { - "category": "ATTACK", + "category": "RFI", + "pattern": "!@endsWith .%{request_headers.host}" + }, + { + "category": "RFI", "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@gt 0" + "category": "RFI", + 
"pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@rx ." + "category": "RFI", + "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@gt 1" + "category": "RFI", + "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@rx TX:paramcounter_(.*)" + "category": "LEAKAGES", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx (][^]]+$|][^]]+[)" + "category": "LEAKAGES", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@lt 4" + "category": "LEAKAGES", + "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" }, { - "category": "ATTACK", - "pattern": "@lt 4" + "category": "LEAKAGES", + "pattern": "@rx ^#!s?/" }, { - "category": "ATTACK", - "pattern": "@rx [" + "category": "LEAKAGES", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "!@eq 0" + "category": "LEAKAGES", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" + "category": "LEAKAGES", + "pattern": "@rx ^5d{2}$" }, { - "category": "ATTACK", - "pattern": "@rx ^content-types*:s*(.*)$" + "category": "LEAKAGES", + "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" + "category": "LEAKAGES", + "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@rx content-transfer-encoding:(.*)" + "category": "LEAKAGES", + "pattern": "@lt 4" }, { - "category": "LFI", + "category": "LEAKAGES", + "pattern": "@lt 4" + }, + { + "category": "XSS", "pattern": "@lt 1" }, { - "category": "LFI", + "category": "XSS", "pattern": "@lt 1" }, { - "category": "LFI", - "pattern": "@rx 
(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" + "category": "XSS", + "pattern": "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" }, { - "category": "LFI", - "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" + "category": "XSS", + "pattern": "@detectXSS" }, { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" + "category": "XSS", + "pattern": "@rx (?i)]*>[sS]*?" }, { - "category": "LFI", - "pattern": "@pmFromFile restricted-files.data" + "category": "XSS", + "pattern": "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" }, { - "category": "LFI", - "pattern": "@lt 2" + "category": "XSS", + "pattern": "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" }, { - "category": "LFI", - "pattern": "@lt 2" + "category": "XSS", + "pattern": "@rx 
(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|updat
e)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sess
ione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" }, { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" + "category": "XSS", + "pattern": "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[\"']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(" }, { - "category": "LFI", - "pattern": "@lt 3" + "category": "XSS", + "pattern": "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " }, { - "category": "RCE", - "pattern": "@rx b(?:for(?:/[dflr].*)? 
%+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" + "category": "XSS", + "pattern": "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" }, { - "category": "RCE", - "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:||
|&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" + "category": "XSS", + "pattern": "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" }, { - "category": "RCE", - "pattern": "@rx 
(?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" + "category": "XSS", + "pattern": "@rx (?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" }, { - "category": "RCE", - "pattern": "!@rx [0-9]s*'s*[0-9]" + "category": "XSS", + "pattern": "@rx {{.*?}}" }, { - "category": "RCE", - "pattern": "@rx !-d" + "category": "XSS", + "pattern": "@lt 3" }, { - "category": "RCE", 
- "pattern": "@pmFromFile unix-shell.data" + "category": "XSS", + "pattern": "@lt 3" }, { - "category": "RCE", - "pattern": "@rx ^(s*)s+{" + "category": "XSS", + "pattern": "@lt 4" }, { - "category": "RCE", - "pattern": "@rx ^(s*)s+{" + "category": "XSS", + "pattern": "@lt 4" }, { - "category": "RCE", - "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" + "category": "JAVA", + "pattern": "@lt 1" }, { - "category": "RCE", - "pattern": "@pmFromFile restricted-upload.data" + "category": "JAVA", + "pattern": "@lt 1" }, { - "category": "RCE", - "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^
]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[
\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(
?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^
]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b" + "category": "JAVA", + "pattern": "@rx java.lang.(?:runtime|processbuilder)" }, { - "category": "RCE", - "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|
(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"
^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[
\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b" + "category": "JAVA", + "pattern": "@rx (?:runtime|processbuilder)" }, { - "category": "RCE", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@rx (?:unmarshaller|base64data|java.)" }, { - "category": "RCE", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@rx 
(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" }, { - "category": "RCE", - "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b" + "category": "JAVA", + "pattern": "@rx (?:runtime|processbuilder)" }, { - "category": "RCE", - "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" + "category": "JAVA", + "pattern": "@pmFromFile java-classes.data" }, { - "category": "RCE", - "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?
x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(
?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?
:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))" + "category": "JAVA", + "pattern": "@rx .*.(?:jsp|jspx).*$" }, { - "category": "RCE", - "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" }, { - "category": "RCE", - "pattern": "!@rx [0-9]s*'s*[0-9]" + "category": "JAVA", + "pattern": "@lt 2" }, { - "category": "RCE", - "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" + "category": "JAVA", + "pattern": "@lt 2" }, { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" }, { - "category": "RCE", - "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} 
[+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)" + "category": "JAVA", + "pattern": "@rx xacxedx00x05" }, { - "category": "RCE", - "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" + "category": "JAVA", + "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" }, { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybo
x))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|s
g(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a
(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" + "category": "JAVA", + "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" }, { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[
sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|o
fetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|
term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" + "category": "JAVA", + "pattern": "@rx javab.+(?:runtime|processbuilder)" }, { - "category": "RCE", - "pattern": "@pmFromFile unix-shell.data" + "category": "JAVA", + "pattern": "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" }, { - "category": "RCE", + "category": "JAVA", "pattern": "@lt 3" }, { - "category": "RCE", + "category": "JAVA", "pattern": "@lt 3" }, { - "category": "RCE", - "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?
-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" - }, - { - "category": "RCE", - "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)
<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:d
elf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" - }, - { - "category": "RCE", - "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" - }, - { - "category": "RCE", - "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? 
(?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" - }, - { - "category": "RCE", - "pattern": "@rx !(?:d|!)" + "category": "JAVA", + "pattern": "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" }, { - "category": "RCE", + "category": "JAVA", "pattern": "@lt 4" }, { - "category": "RCE", + "category": "JAVA", "pattern": "@lt 4" }, { - "category": "PHP", - "pattern": "@lt 1" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" }, { - "category": "PHP", + "category": "SQLI", "pattern": "@lt 1" }, { - "category": "PHP", - "pattern": "@rx (?:" + "category": "SQLI", + "pattern": "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" }, { - "category": "PHP", - "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" 
+ "category": "SQLI", + "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" }, { - "category": "PHP", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" }, { - "category": "PHP", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i)union.*?select.*?from" }, { - "category": "GENERIC", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" }, { - "category": "GENERIC", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" }, { - "category": "GENERIC", - "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfi
le|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])" + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" }, { - "category": "GENERIC", - "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" }, { - "category": "GENERIC", - "pattern": "@pmFromFile ssrf.data" + "category": "SQLI", + "pattern": "@rx 
(?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" }, { - "category": "GENERIC", - "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" + "category": "SQLI", + "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" }, { - "category": "GENERIC", - "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" + "category": "SQLI", + "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" }, { - "category": "GENERIC", - "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" + "category": "SQLI", + "pattern": "@rx 
(?i)1.e[(-),]" }, { - "category": "GENERIC", - "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" + "category": "SQLI", + "pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" }, { - "category": "GENERIC", + "category": "SQLI", "pattern": "@lt 2" }, { - "category": "GENERIC", + "category": "SQLI", "pattern": "@lt 2" }, { - "category": "GENERIC", - "pattern": "@rx 
(?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" - }, - { - "category": "GENERIC", - "pattern": "@rx [s*constructors*]" - }, - { - "category": "GENERIC", - "pattern": "@rx @{.*}" - }, - { - "category": "GENERIC", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" }, { - "category": "GENERIC", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" }, { - "category": "GENERIC", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx 
(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" }, { - "category": "GENERIC", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@streq %{TX.2}" }, { - "category": "XSS", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" }, { - "category": "XSS", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "!@streq %{TX.2}" }, { - "category": "XSS", - "pattern": "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" + "category": "SQLI", + "pattern": "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" }, { - "category": "XSS", - "pattern": "@detectXSS" + "category": "SQLI", + "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv 
-!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" }, { - "category": "XSS", - "pattern": "@rx (?i)]*>[sS]*?" + "category": "SQLI", + "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" }, { - "category": "XSS", - "pattern": "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" + "category": "SQLI", + "pattern": "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" }, { - "category": "XSS", - "pattern": "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" }, { - "category": "XSS", - "pattern": "@rx 
(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|updat
e)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sess
ione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" + "category": "SQLI", + "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" }, { - "category": "XSS", - "pattern": "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[\"']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(" + "category": "SQLI", + "pattern": "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" }, { - "category": "XSS", - "pattern": "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " + "category": "SQLI", + "pattern": "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" }, { - "category": "XSS", - "pattern": "@rx 
<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" + "category": "SQLI", + "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" }, { - "category": "XSS", - "pattern": "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})" }, { - "category": "XSS", - "pattern": "@rx (?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})" }, { - "category": "XSS", - "pattern": "@rx {{.*?}}" + "category": "SQLI", + "pattern": "@rx W{4}" }, { - "category": "XSS", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" }, { - "category": "XSS", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx ';" }, { - "category": "XSS", + "category": "SQLI", 
"pattern": "@lt 4" }, { - "category": "XSS", + "category": "SQLI", "pattern": "@lt 4" }, { "category": "SQLI", - "pattern": "@lt 1" + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})" }, { "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})" + }, + { + "category": "ENFORCEMENT", "pattern": "@lt 1" }, { - "category": "SQLI", - "pattern": "@detectSQLi" + "category": "ENFORCEMENT", + "pattern": "@lt 1" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))" + "category": "ENFORCEMENT", + "pattern": "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileop
tion_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" + "category": "ENFORCEMENT", + "pattern": "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" }, { - "category": "SQLI", - "pattern": "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" + "category": "ENFORCEMENT", + "pattern": "!@rx ^d+$" }, { - "category": "SQLI", - "pattern": "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+" + "category": "ENFORCEMENT", + "pattern": "@rx ^(?:GET|HEAD)$" }, { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`](?:[sv]*![sv]*[\"'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?[\"'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(" + "category": "ENFORCEMENT", + "pattern": "!@rx ^0?$" }, { - "category": "SQLI", - "pattern": "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" + "category": "ENFORCEMENT", + "pattern": "@rx ^(?:GET|HEAD)$" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" + "category": "ENFORCEMENT", + "pattern": "!@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" + "category": "ENFORCEMENT", + "pattern": "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" }, { - "category": "SQLI", - "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" + "category": "ENFORCEMENT", + "pattern": "@streq POST" }, { - "category": "SQLI", - "pattern": "@rx (?i)union.*?select.*?from" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" 
+ "category": "ENFORCEMENT", + "pattern": "!@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + "category": "ENFORCEMENT", + "pattern": "!@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" + "category": "ENFORCEMENT", + "pattern": "@rx (d+)-(d+)" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|s
sion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" + "category": "ENFORCEMENT", + "pattern": "@lt %{tx.1}" }, { - "category": "SQLI", - "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" + "category": "ENFORCEMENT", + "pattern": "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" }, { - "category": "SQLI", - "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" + "category": "ENFORCEMENT", + "pattern": "@rx x25" }, { - "category": "SQLI", - "pattern": "@rx (?i)1.e[(-),]" + "category": "ENFORCEMENT", + "pattern": "@validateUrlEncoding" }, { - "category": "SQLI", - "pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" + "category": "ENFORCEMENT", + "pattern": "@rx ^(?i)application/x-www-form-urlencoded" }, { - "category": "SQLI", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + "pattern": "@rx x25" }, { - "category": "SQLI", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + "pattern": "@validateUrlEncoding" }, { - "category": "SQLI", - "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" + "category": "ENFORCEMENT", + "pattern": "@validateUtf8Encoding" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" + "category": "ENFORCEMENT", + "pattern": "@rx %u[fF]{2}[0-9a-fA-F]{2}" }, { - "category": "SQLI", - "pattern": "@streq %{TX.2}" + "category": "ENFORCEMENT", + "pattern": "@validateByteRange 1-255" + }, + { + "category": "ENFORCEMENT", + "pattern": "@eq 0" + }, + { + "category": "ENFORCEMENT", + "pattern": "@rx ^$" }, { - "category": "SQLI", - "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" + "category": "ENFORCEMENT", + "pattern": "@rx ^$" }, { - "category": "SQLI", - "pattern": "!@streq %{TX.2}" + "category": "ENFORCEMENT", + "pattern": "!@rx ^OPTIONS$" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" + "category": "ENFORCEMENT", + "pattern": "!@pm AppleWebKit Android Business Enterprise Entreprise" }, { - "category": "SQLI", - "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv 
-!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" + "category": "ENFORCEMENT", + "pattern": "@rx ^$" }, { - "category": "SQLI", - "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" + "category": "ENFORCEMENT", + "pattern": "!@rx ^OPTIONS$" }, { - "category": "SQLI", - "pattern": "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" + "category": "ENFORCEMENT", + "pattern": "@rx ^$" }, { - "category": "SQLI", - "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" + "category": "ENFORCEMENT", + "pattern": "!@rx ^0$" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" + "category": "ENFORCEMENT", + "pattern": "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" }, { - "category": "SQLI", - "pattern": "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[\"'`]|[0-9=]+x)|[\"'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)[\"'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx (?i:^[Wd]+s*?(?:alter|union)b)" + "category": "ENFORCEMENT", + "pattern": "@gt 
%{tx.max_num_args}" }, { - "category": "SQLI", - "pattern": "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?[\"'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^[\"'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+[\"'`][^,]" + "category": "ENFORCEMENT", + "pattern": "@gt %{tx.arg_name_length}" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} 
?[<->]+|[\"'][^=]{1,10}[ \"'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" + "category": "ENFORCEMENT", + "pattern": "@gt %{tx.arg_length}" }, { - "category": "SQLI", - "pattern": "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?
:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" + "category": "ENFORCEMENT", + "pattern": "@gt %{tx.total_arg_length}" }, { - "category": "SQLI", - "pattern": "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" + "category": "ENFORCEMENT", + "pattern": "@rx ^(?i)multipart/form-data" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){12})" + "category": "ENFORCEMENT", + "pattern": "@gt %{tx.max_file_size}" }, { - "category": "SQLI", - "pattern": "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" + "category": "ENFORCEMENT", + "pattern": "@eq 1" }, { - "category": "SQLI", - "pattern": "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" + "category": "ENFORCEMENT", + "pattern": "@gt %{tx.combined_file_sizes}" }, { - "category": "SQLI", - "pattern": "@rx (?i:b0x[a-fd]{3,})" + "category": "ENFORCEMENT", + "pattern": "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" }, { - "category": "SQLI", - "pattern": "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" + "category": "ENFORCEMENT", + "pattern": "@rx ^[^;s]+" }, { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" + "category": "ENFORCEMENT", + "pattern": "!@within %{tx.allowed_request_content_type}" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" + "category": "ENFORCEMENT", + "pattern": "@rx charsets*=s*[\"']?([^;\"'s]+)" }, { - "category": "SQLI", - "pattern": "@rx ^(?:and|or)$" + "category": "ENFORCEMENT", + "pattern": "!@within %{tx.allowed_request_content_type_charset}" }, { - "category": "SQLI", - "pattern": "@rx ^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" + "category": "ENFORCEMENT", + "pattern": "@rx charset.*?charset" }, { - "category": "SQLI", - "pattern": "@detectSQLi" + "category": "ENFORCEMENT", + "pattern": "!@within %{tx.allowed_http_versions}" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_l
ax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" + "category": "ENFORCEMENT", + "pattern": "@rx .([^.]+)$" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + "category": "ENFORCEMENT", + "pattern": "@within %{tx.restricted_extensions}" }, { - "category": "SQLI", - "pattern": "@lt 3" + "category": "ENFORCEMENT", + "pattern": "@rx .[^.~]+~(?:/.*|)$" }, { - "category": "SQLI", - "pattern": "@lt 3" + "category": "ENFORCEMENT", + "pattern": "@rx ^.*$" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)W+d*?s*?bhavingbs*?[^s-]" + "category": "ENFORCEMENT", + "pattern": "@within %{tx.restricted_headers_basic}" }, { - "category": "SQLI", - "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" + "category": "ENFORCEMENT", + "pattern": "@gt 50" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})" + "category": "ENFORCEMENT", + "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})" + "category": "ENFORCEMENT", + "pattern": "!@streq JSON" }, { - "category": "SQLI", - "pattern": "@rx W{4}" + "category": "ENFORCEMENT", + "pattern": "@rx (?i)x5cu[0-9a-f]{4}" }, { - "category": "SQLI", - "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" + "category": "ENFORCEMENT", + "pattern": "@contains #" }, { - "category": "SQLI", - "pattern": "@rx ';" + "category": "ENFORCEMENT", + "pattern": "@gt 1" }, { - "category": "SQLI", - "pattern": "@lt 4" + "category": "ENFORCEMENT", + "pattern": "@lt 2" }, { - "category": "SQLI", - "pattern": "@lt 4" + 
"category": "ENFORCEMENT", + "pattern": "@lt 2" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})" + "category": "ENFORCEMENT", + "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})" + "category": "ENFORCEMENT", + "pattern": "!@endsWith .pdf" }, { - "category": "FIXATION", - "pattern": "@lt 1" + "category": "ENFORCEMENT", + "pattern": "@endsWith .pdf" }, { - "category": "FIXATION", - "pattern": "@lt 1" + "category": "ENFORCEMENT", + "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" }, { - "category": "FIXATION", - "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" + "category": "ENFORCEMENT", + "pattern": "@rx %[0-9a-fA-F]{2}" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + "category": "ENFORCEMENT", + "pattern": "@validateByteRange 9,10,13,32-126,128-255" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "FIXATION", - "pattern": "!@endsWith %{request_headers.host}" + "category": "ENFORCEMENT", + "pattern": "@rx ['\";=]" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + "category": "ENFORCEMENT", + "pattern": "!@rx ^0$" }, { - "category": "FIXATION", + "category": "ENFORCEMENT", "pattern": "@eq 0" }, { - "category": "FIXATION", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + "pattern": "@rx ^.*$" }, { - "category": "FIXATION", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + 
"pattern": "@within %{tx.restricted_headers_extended}" }, { - "category": "FIXATION", + "category": "ENFORCEMENT", "pattern": "@lt 3" }, { - "category": "FIXATION", + "category": "ENFORCEMENT", "pattern": "@lt 3" }, { - "category": "FIXATION", - "pattern": "@lt 4" + "category": "ENFORCEMENT", + "pattern": "@validateByteRange 32-36,38-126" }, { - "category": "FIXATION", - "pattern": "@lt 4" + "category": "ENFORCEMENT", + "pattern": "@eq 0" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "ENFORCEMENT", + "pattern": "!@rx ^(?:OPTIONS|CONNECT)$" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "ENFORCEMENT", + "pattern": "!@pm AppleWebKit Android" }, { - "category": "JAVA", - "pattern": "@rx java.lang.(?:runtime|processbuilder)" + "category": "ENFORCEMENT", + "pattern": "@ge 1" }, { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" + "category": "ENFORCEMENT", + "pattern": "@rx ^(?i)up" + }, + { + "category": "ENFORCEMENT", + "pattern": "@gt 0" + }, + { + "category": "ENFORCEMENT", + "pattern": "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" }, { - "category": "JAVA", - "pattern": "@rx (?:unmarshaller|base64data|java.)" + "category": "ENFORCEMENT", + "pattern": "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" }, { - "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" + "category": "ENFORCEMENT", + "pattern": "@lt 4" }, { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" + "category": "ENFORCEMENT", + "pattern": "@lt 4" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-classes.data" + "category": "ENFORCEMENT", + "pattern": "@endsWith .pdf" }, { - "category": "JAVA", - "pattern": "@rx 
.*.(?:jsp|jspx).*$" + "category": "ENFORCEMENT", + "pattern": "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" + "category": "ENFORCEMENT", + "pattern": "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + "pattern": "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "ENFORCEMENT", + "pattern": "!@rx ^(?:?[01])?$" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" + "category": "ENFORCEMENT", + "pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" }, { "category": "JAVA", - "pattern": "@rx xacxedx00x05" + "pattern": "@lt 1" }, { "category": "JAVA", - "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" + "pattern": "@lt 1" }, { "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" + "pattern": "@pmFromFile java-code-leakages.data" }, { "category": "JAVA", - "pattern": "@rx javab.+(?:runtime|processbuilder)" + "pattern": "@pmFromFile java-errors.data" }, { "category": "JAVA", - "pattern": "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" + "pattern": "@lt 2" }, { "category": "JAVA", - "pattern": "@lt 3" + "pattern": "@lt 2" }, { "category": "JAVA", 
@@ -1857,7 +1757,7 @@
 },
 {
 "category": "JAVA",
- "pattern": "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)"
+ "pattern": "@lt 3"
 },
 {
 "category": "JAVA",
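Review bot: The new `"pattern": "@lt 3"` entry keeps the `JAVA` category but is a bare numeric comparison with no variable or rule id beside it, so a consumer of this file cannot tell it apart from a detection signature such as the base64 keyword regex it replaces here. It looks like a paranoia-level gate rather than an attack pattern (inferred from the `@lt 1` … `@lt 4` pairs in the neighbouring hunks); either drop operator-only entries when the file is written or mark them with a field of your choosing, for example `"kind": "gate"` (constructed name), so a matcher does not count them as JAVA coverage. The same applies to the `@eq 0`, `@gt 1` and `@ge 1` entries added in the hunks before and after this one. Separately, the following hunk adds `"pattern": "@rx ["`, which is not a compilable regex as written, so it is worth confirming that backslashes survive whatever produces this file and that each `@rx` entry is compile-checked on load.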
@@ -1868,399 +1768,427 @@ "pattern": "@lt 4" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" - }, - { - "category": "EVALUATION", - "pattern": "@ge 1" - }, - { - "category": "EVALUATION", - "pattern": "@ge 1" + "category": "ATTACK", + "pattern": "@lt 1" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "ATTACK", + "pattern": "@lt 1" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "ATTACK", + "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" }, { - "category": "EVALUATION", - "pattern": "@ge 3" + "category": "ATTACK", + "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" }, { - "category": "EVALUATION", - "pattern": "@ge 3" + "category": "ATTACK", + "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" }, { - "category": "EVALUATION", - "pattern": "@ge 4" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "EVALUATION", - "pattern": "@ge 4" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "EVALUATION", - "pattern": "@ge 1" + "category": "ATTACK", + "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" }, { - "category": "EVALUATION", - "pattern": "@ge 1" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "ATTACK", + "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" }, { - "category": "EVALUATION", - "pattern": "@ge 3" + "category": "ATTACK", + "pattern": "@rx unix:[^|]*|" }, { - "category": "EVALUATION", - "pattern": "@ge 3" + 
"category": "ATTACK", + "pattern": "@lt 2" }, { - "category": "EVALUATION", - "pattern": "@ge 4" + "category": "ATTACK", + "pattern": "@lt 2" }, { - "category": "EVALUATION", - "pattern": "@ge 4" + "category": "ATTACK", + "pattern": "@rx [nr]" }, { - "category": "EVALUATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" }, { - "category": "EVALUATION", - "pattern": "@eq 1" + "category": "ATTACK", + "pattern": "@lt 3" }, { - "category": "EVALUATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" + "category": "ATTACK", + "pattern": "@lt 3" }, { - "category": "EVALUATION", - "pattern": "@lt 1" + "category": "ATTACK", + "pattern": "@gt 0" }, { - "category": "EVALUATION", - "pattern": "@lt 1" + "category": "ATTACK", + "pattern": "@rx ." }, { - "category": "EVALUATION", - "pattern": "@lt 2" + "category": "ATTACK", + "pattern": "@gt 1" }, { - "category": "EVALUATION", - "pattern": "@lt 2" + "category": "ATTACK", + "pattern": "@rx TX:paramcounter_(.*)" }, { - "category": "EVALUATION", - "pattern": "@lt 3" + "category": "ATTACK", + "pattern": "@rx (][^]]+$|][^]]+[)" }, { - "category": "EVALUATION", - "pattern": "@lt 3" + "category": "ATTACK", + "pattern": "@lt 4" }, { - "category": "EVALUATION", + "category": "ATTACK", "pattern": "@lt 4" }, { - "category": "EVALUATION", - "pattern": "@lt 4" + "category": "ATTACK", + "pattern": "@rx [" }, { - "category": "LEAKAGES", + "category": "PHP", "pattern": "@lt 1" }, { - "category": "LEAKAGES", + "category": "PHP", "pattern": "@lt 1" }, { - "category": "LEAKAGES", - "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" + "category": "PHP", + "pattern": "@pmFromFile php-errors.data" }, { - "category": "LEAKAGES", - "pattern": "@rx ^#!s?/" + "category": "PHP", + "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" }, { - "category": "LEAKAGES", + "category": "PHP", + "pattern": "@rx (?i)](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z][\"'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\
"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b" }, { - "category": "SQL", - "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" + "category": "RCE", + "pattern": "@rx 
(?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)
|k(?:ill(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:
ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" }, { - "category": "SQL", - "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" + "category": "RCE", + "pattern": "@pmFromFile windows-powershell-commands.data" }, { - "category": "SQL", - "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" + "category": "RCE", + "pattern": "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ 
\"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:(?:a[\"^]*(?:c|s[\"^]*n[\"^]*p)|e[\"^]*(?:b[\"^]*p|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|s[\"^]*n)|[tx][\"^]*s[\"^]*n)|f[\"^]*(?:[cltw]|o[\"^]*r[\"^]*e[\"^]*a[\"^]*c[\"^]*h)|i[\"^]*(?:[cr][\"^]*m|e[\"^]*x|h[\"^]*y|i|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|m[\"^]*o|s[\"^]*n)|s[\"^]*e|w[\"^]*(?:m[\"^]*i|r))|m[\"^]*(?:a[\"^]*n|[dipv]|o[\"^]*u[\"^]*n[\"^]*t)|o[\"^]*g[\"^]*v|p[\"^]*(?:o[\"^]*p|u[\"^]*s[\"^]*h)[\"^]*d|t[\"^]*r[\"^]*c[\"^]*m|w[\"^]*j[\"^]*b)[\"^]*[sv,.-/;-<>].*|c[\"^]*(?:(?:(?:d|h[\"^]*d[\"^]*i[\"^]*r|v[\"^]*p[\"^]*a)[\"^]*|p[\"^]*(?:[ip][\"^]*)?)[sv,.-/;-<>].*|l[\"^]*(?:(?:[cipv]|h[\"^]*y)[\"^]*[sv,.-/;-<>].*|s)|n[\"^]*s[\"^]*n)|d[\"^]*(?:(?:b[\"^]*p|e[\"^]*l|i[\"^]*(?:f[\"^]*f|r))[\"^]*[sv,.-/;-<>].*|n[\"^]*s[\"^]*n)|g[\"^]*(?:(?:(?:(?:a[\"^]*)?l|b[\"^]*p|d[\"^]*r|h[\"^]*y|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|[u-v])[\"^]*|c[\"^]*(?:[ims][\"^]*)?|m[\"^]*(?:o[\"^]*)?|s[\"^]*(?:n[\"^]*(?:p[\"^]*)?|v[\"^]*))[sv,.-/;-<>].*|e[\"^]*r[\"^]*r|p[\"^]*(?:(?:s[\"^]*)?[sv,.-/;-<>].*|v))|l[\"^]*s|n[\"^]*(?:(?:a[\"^]*l|d[\"^]*r|[iv]|m[\"^]*o|s[\"^]*n)[\"^]*[sv,.-/;-<>].*|p[\"^]*s[\"^]*s[\"^]*c)|r[\"^]*(?:(?:(?:(?:b[\"^]*)?p|e[\"^]*n|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|n[\"^]*[ip])[\"^]*|d[\"^]*(?:r[\"^]*)?|m[\"^]*(?:(?:d[\"^]*i[\"^]*r|o)[\"^]*)?|s[\"^]*n[\"^]*(?:p[\"^]*)?|v[\"^]*(?:p[\"^]*a[\"^]*)?)[sv,.-/;-<>].*|c[\"^]*(?:j[\"^]*b[\"^]*[sv,.-/;-<>].*|s[\"^]*n)|u[\"^]*j[\"^]*b)|s[\"^]*(?:(?:(?:a[\"^]*(?:j[\"^]*b|l|p[\"^]*s|s[\"^]*v)|b[\"^]*p|[civ]|w[\"^]*m[\"^]*i)[\"^]*|l[\"^]*(?:s[\"^]*)?|p[\"^]*(?:(?:j[\"^]*b|p[\"^]*s|s[\"^]*v)[\"^]*)?)[sv,.-/;-<>].*|h[\"^]*c[\"^]*m|u[\"^]*j[\"^]*b))(?:.[\"^]*[0-9A-Z_a-z]+)?b" }, { - "category": "SQL", - "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" + "category": "RCE", + "pattern": "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" }, { - "category": "SQL", - "pattern": "@rx (?i)Dynamic SQL Error" + "category": "RCE", + "pattern": "@rx b(?:for(?:/[dflr].*)? 
%+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" }, { - "category": "SQL", - "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback." + "category": "RCE", + "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" }, { - "category": "SQL", - "pattern": "@rx (?i)org.hsqldb.jdbc" + "category": "RCE", + "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|ri
nt(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" + }, + { + "category": "RCE", + "pattern": "!@rx [0-9]s*'s*[0-9]" + }, + { + "category": "RCE", + "pattern": "@rx !-d" + }, + { + "category": "RCE", + "pattern": "@pmFromFile unix-shell.data" + }, + { + "category": "RCE", + "pattern": "@rx ^(s*)s+{" + }, + { + "category": "RCE", + "pattern": "@rx ^(s*)s+{" + }, + { + "category": "RCE", + "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" + }, + { + "category": "RCE", + "pattern": "@pmFromFile restricted-upload.data" }, { - "category": "SQL", - "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" + "category": "RCE", + "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ 
\"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))
|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?
:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d
[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b" }, { - "category": "SQL", - "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" + "category": "RCE", + "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ 
\"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x
[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[
\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\
"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b" }, { - "category": "SQL", - "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" + "category": "RCE", + "pattern": "@lt 2" }, { - "category": "SQL", - "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" + "category": "RCE", + "pattern": "@lt 2" }, { - "category": "SQL", - "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when 
converting the varchar value .*? to data type int.)" + "category": "RCE", + "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b" }, { - "category": "SQL", - "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" + "category": "RCE", + "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" }, { - "category": "SQL", - "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? 
resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" + "category": "RCE", + "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" }, { - "category": "SQL", - "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" + "category": "RCE", + "pattern": "@rx /" }, { - "category": "SQL", - "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" + "category": "RCE", + "pattern": "@rx s" }, { - "category": "SQL", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" }, { - "category": "SQL", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx /" }, { - "category": "SQL", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx s" }, { - "category": "SQL", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" }, { - "category": "SQL", - "pattern": "@lt 4" + "category": "RCE", + "pattern": "@rx /" }, { - "category": "SQL", - "pattern": "@lt 4" + "category": "RCE", + "pattern": "@rx s" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "RCE", + "pattern": "@rx 
(?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?
x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(
?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?
:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "RCE", + "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-code-leakages.data" + "category": "RCE", + "pattern": "!@rx [0-9]s*'s*[0-9]" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-errors.data" + "category": "RCE", + "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? 
(?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)" }, { - "category": "JAVA", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" }, { - "category": "JAVA", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|p
sfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e
(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)
|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" }, { - "category": "JAVA", - "pattern": "@lt 4" + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|
m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|
]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" }, { - "category": "JAVA", - "pattern": "@lt 4" + "category": "RCE", + "pattern": 
"@pmFromFile unix-shell.data" }, { - "category": "PHP", - "pattern": "@lt 1" + "category": "RCE", + "pattern": "@lt 3" }, { - "category": "PHP", - "pattern": "@lt 1" + "category": "RCE", + "pattern": "@lt 3" }, { - "category": "PHP", - "pattern": "@pmFromFile php-errors.data" + "category": "RCE", + "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&
)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" }, { - "category": "PHP", - "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" + "category": "RCE", + "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?
|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:b
y[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" }, { - "category": "PHP", - "pattern": "@rx 
(?i)].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" }, { - "category": "PHP", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx 
/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" }, { - "category": "PHP", - "pattern": "@lt 2" + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" }, { - "category": "PHP", - "pattern": "@pmFromFile php-errors-pl2.data" + "category": "RCE", + "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? 
(?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" }, { - "category": "PHP", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" }, { - "category": "PHP", - "pattern": "@lt 3" + "category": "RCE", + "pattern": "@rx !(?:d|!)" }, { - "category": "PHP", + "category": "RCE", "pattern": "@lt 4" }, { - "category": "PHP", + "category": "RCE", "pattern": "@lt 4" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 1" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 1" }, { - "category": "IIS", - "pattern": "@rx [a-z]:x5cinetpubb" + "category": "FIXATION", + "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" }, { - "category": "IIS", - "pattern": "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)" + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" }, { - "category": "IIS", - "pattern": "@pmFromFile iis-errors.data" + "category": "FIXATION", + "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" }, { - "category": "IIS", - "pattern": "!@rx ^404$" + "category": "FIXATION", + "pattern": "!@endsWith %{request_headers.host}" }, { - "category": "IIS", - "pattern": "@rx bServer Error in.{0,50}?bApplicationb" + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" }, { - "category": "IIS", + "category": "FIXATION", + "pattern": "@eq 0" + }, + { + "category": "FIXATION", "pattern": "@lt 2" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 2" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 3" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 3" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 4" }, { - "category": "IIS", + "category": "FIXATION", "pattern": "@lt 4" }, { 
@@ -2507,6 +2435,78 @@ "category": "EVALUATION", "pattern": "@lt 4" }, + { + "category": "EXCEPTIONS", + "pattern": "@streq GET /" + }, + { + "category": "EXCEPTIONS", + "pattern": "@ipMatch 127.0.0.1,::1" + }, + { + "category": "EXCEPTIONS", + "pattern": "@ipMatch 127.0.0.1,::1" + }, + { + "category": "EXCEPTIONS", + "pattern": "@endsWith (internal dummy connection)" + }, + { + "category": "EXCEPTIONS", + "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" + }, + { + "category": "IIS", + "pattern": "@lt 1" + }, + { + "category": "IIS", + "pattern": "@lt 1" + }, + { + "category": "IIS", + "pattern": "@rx [a-z]:x5cinetpubb" + }, + { + "category": "IIS", + "pattern": "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)" + }, + { + "category": "IIS", + "pattern": "@pmFromFile iis-errors.data" + }, + { + "category": "IIS", + "pattern": "!@rx ^404$" + }, + { + "category": "IIS", + "pattern": "@rx bServer Error in.{0,50}?bApplicationb" + }, + { + "category": "IIS", + "pattern": "@lt 2" + }, + { + "category": "IIS", + "pattern": "@lt 2" + }, + { + "category": "IIS", + "pattern": "@lt 3" + }, + { + "category": "IIS", + "pattern": "@lt 3" + }, + { + "category": "IIS", + "pattern": "@lt 4" + }, + { + "category": "IIS", + "pattern": "@lt 4" + }, { "category": "CORRELATION", "pattern": "@eq 0" diff --git a/waf_patterns/apache/attack.conf b/waf_patterns/apache/attack.conf index bc47775..56620d3 100644 --- a/waf_patterns/apache/attack.conf +++ b/waf_patterns/apache/attack.conf 
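Review bot: The patterns re-added in this hunk appear to have lost their regex backslashes, so they no longer describe what they were meant to detect: `"@rx [a-z]:x5cinetpubb"` only matches input containing the literal text `x5cinetpubb`, and `"@rx bServer Error in.{0,50}?bApplicationb"` requires literal `b` characters around the words. If the file really holds these bytes and this is not a rendering artifact, the entries should carry JSON-escaped backslashes, for example `"pattern": "@rx [a-z]:\\x5cinetpub\\b"`, and the step that produces the file should stop stripping them. The attack.conf hunk of this commit shows the same loss (`[nr]`, `[sv]`, `http/d`), so any rule generated from these entries inherits it. The enclosing array starts and ends outside this hunk.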
@@ -1,34 +1,34 @@ # Apache ModSecurity rules for ATTACK SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1156,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1157,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1158,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1159,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1160,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [nr]" "id:1161,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [nr]" "id:1162,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1163,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [nr]" "id:1164,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1165,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1166,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1167,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1168,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1169,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI 
"@rx [nr]" "id:1170,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1171,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1172,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1173,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@gt 0" "id:1174,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx ." "id:1175,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@gt 1" "id:1176,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1177,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1178,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1179,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1180,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx [" "id:1181,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "!@eq 0" "id:1182,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1183,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1184,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv 
-"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1185,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1186,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "!@eq 0" "id:1115,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1116,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1117,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1118,phase:1,deny,status:403,log,msg:'attack attack 
detected'" +SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1119,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1442,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1443,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1444,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1445,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1446,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [nr]" "id:1447,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [nr]" "id:1448,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1449,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [nr]" "id:1450,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1451,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1452,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1453,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1454,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 2" 
"id:1455,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [nr]" "id:1456,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1457,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1458,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1459,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@gt 0" "id:1460,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx ." "id:1461,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@gt 1" "id:1462,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1463,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1464,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1465,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1466,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@rx [" "id:1467,phase:1,deny,status:403,log,msg:'attack attack detected'" diff --git a/waf_patterns/apache/bots.conf b/waf_patterns/apache/bots.conf index 8f686d9..507b93b 100644 --- a/waf_patterns/apache/bots.conf +++ b/waf_patterns/apache/bots.conf 
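Review bot: Several of the re-added rules match essentially every request, because each applies its operator to `REQUEST_URI` with `deny,status:403`. `SecRule REQUEST_URI "@rx ." "id:1461,…"` matches any non-empty URI. The `@lt 1` to `@lt 4` rules (ids 1442, 1443, 1454, 1455, 1458, 1459, 1465, 1466) compare a path string numerically, which presumably evaluates as 0 and matches too. These operators look like paranoia-level gates and counters written for TX variables, so the generator should skip any source rule whose operator is `@lt`, `@gt` or `@eq` rather than emit it as a blocking rule; this renumbering does not change that. Separately, the operator string of id:1118 contains unescaped quotes (`"?(?:iso-8859-15?|utf-8|windows-1252)b"?`) that would end the quoted argument early; they need to be written as `\"`.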
@@ -1,591 +1,1777 @@ SecRuleEngine On -SecRule REQUEST_HEADERS:User-Agent "@contains (^| )PTST\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains (^| )sentry\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains (sistrix|SISTRIX) [cC]rawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains 007ac9 Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains 2ip bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YLT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 008\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 13TABS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 192\.comAgent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 2GDPR\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains 2ip\.ru" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains 360Spider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains
  • Mozilla/5.0 (compatible; Ask Jeeves/Teoma; +http://about.ask.com/en/docs/about/webmasters.shtml)
  • " "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains A Patent Crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 404checker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 404enemy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 7Siters" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 80legs" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains A6-Indexer" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ADmantX" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AHC\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AISearchBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AIBOT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ALittle\ Client" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains APIs-Google" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ASPSeek" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AWS Security Scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Abonti" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Aboundex" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AcademicBotRTU" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AddSearchBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Aboundexbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Accoona-AI-Agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Acunetix" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains AdAuth\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AddThis" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Adidxbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AdsBot-Google([^-]|$)" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AdsBot-Google-Mobile" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AdsTxtCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AdvBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Ahrefs(Bot|SiteAudit)" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AlexandriaOrgBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AdminLabs" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AdsTxtCrawlerTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Adstxtaggregator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Adyen HttpClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AfD-Verbotsverfahren" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AffiliateLabz\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AhrefsBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AiHitBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Aipbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Airmail" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Alexibot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Alibaba\.Security\.Heimdall" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AllSubmitter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Alligator" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AlphaBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Amazon CloudFront" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Amazonbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AndersPinkBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AnyEvent" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Apercite" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anarchie" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anarchy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anarchy99" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AndroidDownloadManager" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anemone" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AngleSharp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ankit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ant\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anthill" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Anturis Agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AnyEvent-HTTP\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Apache Ant\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Apache Droid" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains Apache OpenOffice" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Apache-HttpAsyncClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Apache-HttpClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ApacheBench" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Apexoo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AportWorm\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AppBeat\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AppEngine-Google" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AppInsights" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Applebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ArchiveBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains AspiegelBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Atom Feed Robot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Audisto Crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AppleSyndication" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Aprc\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Arachmo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Arachnophilia" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Arukereso" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Asana\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ask Jeeves" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains AskQuickly" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Aspiegel" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Asterias" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Astute" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Atomseobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Attach" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains AutomaticWPTester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Autonomy" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AwarioBot" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AwarioRssBot" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains AwarioSmartBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains B2B Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains B-l-i-t-z-B-O-T" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BBBike" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BCKLINKS" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains BDCbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BIGLOTRON" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BLEXBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BLP_bbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BTWebClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BDFetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
BKCTwitterUnshortener\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BLEXBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BPImageWalker" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains BUbiNG" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Baidu-YunGuanCe" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Baiduspider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Bark[rR]owler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BackDoorBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BackStreet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BackWeb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Backlink-Ceck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BacklinkCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BacklinkHttpStatus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BacklinksExtendedBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BackupLand" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bad-Neighborhood" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Badass" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bandit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Barkrowler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BatchFTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Battleztar Bazinga" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
Battleztar\ Bazinga" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains BazQux" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BehloolBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Better Uptime Bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BingPreview\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BitBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BitSightBot\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BegunAdvertising" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BetaBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bewica-security-scan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bidtellect" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BigBozz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bigfoot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BingLocalSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BingPreview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bitacle" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bitrix link preview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Black Hole" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlackWidow" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Black\ Hole" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Blackboard" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains 
BlogTraffic\/\d\.\d+ Feed-Fetcher" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BomboraBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Bot\.AraTurka\.com" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BoxcarBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BrandONbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BrandVerity" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BrightEdge Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains BublupBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Blackboard Safeassign" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlockNote\.Net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlogBridge" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlogPulseLive" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlogSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bloglines" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bloglovin" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Blogtrottr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Blow" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BlowFish" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Boardreader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bolt" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Boost\.Beast" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
BotALot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Braintree-Webhooks" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Branch Metrics API" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Branch-Passthrough" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Brandprotect" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Brandwatch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Brodie\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Browsershots" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Buck" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Buck\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Buddy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BuiltBotTough" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BuiltWith" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Bullseye" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BunnySlippers" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Burf Search" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Butterfly\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains BuzzSumo" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Bytespider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CAAM\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CATExplorador" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains CC Metadata Scaper" 
"id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains CCBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CISPA Webcrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Caliperbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CapsuleChecker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CERT\.at-Statistics-Survey" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CISPA Vulnerability Notification" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CISPA Web Analyser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CJNetworkQuality" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CODE87" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CSHttp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CSSCheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CakePHP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Calculon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Canary%20Mail" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CaretNail" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CazoodleBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cegbfeieh" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CensysInspect" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cerberian Drtrs" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ChangesMeter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
Charlotte" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ChatGPT-User" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CheckMarkNetwork\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Chrome-Lighthouse" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cincraw" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Clickagy" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cliqzbot\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CheTeam" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CheckHost" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CheeseBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CherryPicker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ChinaClaw" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Chirp\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Chlooe" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Chromaxa" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CirrusExplorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Citoid" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Claritybot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Clarsentia" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ClaudeBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cliqzbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cloud mapping" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains CloudEndure" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains CloudFlare-AlwaysOnline" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CloudFlare-Prefetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cloud\ mapping" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Cloudflare-Healthchecks" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cloudflare-SSLDetector" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cloudflare-Traffic-Manager" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cloudinary" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Cocolyzebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Companybook-Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ContextAd Bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CookieHubScan" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cookiebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CrawlyProjectCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CriteoBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cogentbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ColdFusion" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Collector" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CommaFeed" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Commons-HttpClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains Contextual Code Sites Explorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CookieReports" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Copier" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CopyRightCheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Copyscape" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cosmos" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cosmos4j\.feedback" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Covario-IDS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Craftbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Craw\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Crawling\ at\ Home\ Project" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CrazyWebCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Crescent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Criteo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Crowsnest" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains CrunchBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CrystalSemanticsBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Cutbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains CyberPatrol" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Cula\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Curious" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
Curious George" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Custo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains CyotekWebCopy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DAP\/NetHTTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DBLBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DIIbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DMBrowser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DNSPod-reporting" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DTS Agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DTS\ Agent" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains DareBoost" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains DataForSeoBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DataCha0s" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DataXu" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DatabaseDriverMysqli" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DatadogSynthetics" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Datafeedwatch" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Datanyze" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Dataprovider\.com" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Daum\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains DeuSu\/" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Diffbot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Digg Deeper" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Digincore bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Discordbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Disqus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DataparkSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Daum(oa)?[ \/][0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Demon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DeuSu" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Deusu" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Devil" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Digg" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Digincore" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DigitalPebble" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dirbuster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Disco" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Discobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Discourse Forum Onebox" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Discoverybot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dispatch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dispatch\/" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains Disqus\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DittoSpyder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DnBCrawler-Analytics" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains DnyzBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Domain Re-Animator Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dolphin http client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DomCopBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DomainAppender" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DomainCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DomainLabz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DomainSigmaCrawler" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains DomainStatsBot" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Domains Project\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Dragonbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Dubbotbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains DuckDuckBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains DuckDuckGo-Favicons-Bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains EZID" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Domains\ Project" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Donuts Content Explorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dotbot" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Download Wonder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Download\ Wonder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DowntimeDetector" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Dragonfly" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Drip" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Drupal \(\+http:\/\/drupal\.org\/\)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DuplexWeb-Google" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains DynatraceSynthetic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EARTHCOM" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ECCP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ECCP/1.0" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EMail Exractor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EMail Wolf" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EMail\ Siphon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EMail\ Wolf" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Easy-Thumb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EasyDL" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ebingbong" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ecxi" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EirGrabber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ElectricMonk" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EmailWolf" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Embarcadero" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Embed PHP Library" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Embedly" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains EveryoneSocialBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Expanse" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Experibot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EroCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EventMachine HttpClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Everwall Link Expander" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Evidon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Evil" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Evrinid" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Exabot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ExactSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ExaleadCloudview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Excel\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ExoRank" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Exploratodo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Express WebPictures" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Express\ WebPictures" 
"id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ExtLinksBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Eyeotabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FAST Enterprise Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FAST-WebCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Facebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FeedValidator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Extractor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ExtractorPro" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Extreme Picture Finder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Extreme\ Picture\ Finder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains EyeNetIE" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ezooms" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FHscan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FacebookBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Faraday v" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FavOrg" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Faveeo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Favicon downloader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Feed Wrangler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedBooster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedBucket" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedBunch\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedBurner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedViewer\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedZcollector" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Feedable\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Feedbin" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Feedfetcher-Google" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Feedly" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FeedshowOnline" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Feedshow\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Feedspot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Feedwind\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains FemtosearchBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Fetch\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Fever" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FindITAnswersbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Flamingo_SearchEngine" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fetch API" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fetch\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fever\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fiery%20Feeds" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Filestack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fimap" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Firefox/7.0" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FlashGet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FlipboardBrowserProxy" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains FlipboardProxy" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FreeWebMonitoring SiteChecker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FlipboardRSS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Flock\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Florienzh\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Flunky" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Foobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ForusP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FoundSeoTool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Freeuploader" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains FreshRSS" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains FreshpingBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Friendica" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FrontPage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Funnelback" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Fuzz" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains Fuzz Faster U Fool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains FyberSpider" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Fyrebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains G2 Web Services" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains G-i-g-a-b-o-t" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GIS-LABS" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains GPTBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GarlikCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GeedoBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GRequests" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GT::WWW" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GTmetrix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GalaxyBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GeedoProductSearch" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Genieo" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Gigablast" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GentleSource" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GermCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GetCode" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GetLinkInfo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GetRight" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains GetURLInfo\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GetWeb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Getintent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Geziyor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ghost Inspector" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GigablastOpenSource" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Gigabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GingerCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Gluten Free Crawler\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GnowitNewsbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GitHub-Hookshot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Go [\d\.]* package http" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Go http package" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Go!Zilla" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Go-Ahead-Got-It" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Go-http-client" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Google Favicon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoSpotCheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoZilla" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Gofeed" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Goldfire Server" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains GomezAgent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Goodzer\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google AppsViewer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google Desktop" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google Keyword Suggestion" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google Keyword Tool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google PP Default" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google Page Speed Insights" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google Search Console" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Google Web Preview" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Google-Adwords-Instant" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Google-Certificates-Bridge" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google favicon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Ads" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Adwords" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Apps-Script" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Calendar-Importer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-HTTP-Java-Client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-HotelAdsVerifier" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Google-InspectionTool" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Google-PhysicalWeb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Podcast" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Publisher-Plugin" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Google-Read-Aloud" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Google-Safety" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-SMTP-STS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-SearchByImage" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Google-Site-Verification" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Google-Structured-Data-Testing-Tool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Transparency-Report" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-Youtube-Links" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Google-speakr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoogleDocs" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoogleHC\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains GoogleOther" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot-Image" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot-Mobile" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot-News" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot-Video" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot\/" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Gowikibot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoogleProber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoogleProducer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GoogleSites" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Gookey" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Gotit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GrabNet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Grabber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Grafula" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Grammarly" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GrapeFX" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains GrapeshotCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Grobbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GroupHigh\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains GroupMeBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Gwene" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GreatNews" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Gregarius" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GridBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains GuzzleHttp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HAA(A)?RTLAND http client" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains HEADMasterSEO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HMView" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTMLparser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTP Banner Detection" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTP-Header-Abfrage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTP-Tiny" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTP::Lite" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTPMon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTP_Compression_Test" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HTTPie" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains HTTrack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Haansoft" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Hadi Agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HaosouSpider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HappyApps-WebCheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Hardenize" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Harvest" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Hatena" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Havij" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HaxerMen" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains HeadlessChrome" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains HeartRails_Capture" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Heritrix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Hexometer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Hloader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Holmes" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HonesoSearchEngine" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HonoluluBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HootSuite Image proxy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Hootsuite-WebFeed" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HostTracker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HttpComponents" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains HttpUrlConnection" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains HubSpot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains IAS crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ICBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ICC-Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains INETDEX-BOT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HubSpot " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HubSpot-Link-Resolver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Humanlinks" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains HybridBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains IDBTE4M" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IDBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IDG Twitter Links Resolver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IDwhois\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IODC" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IPS\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IPWorks HTTP\/S Component" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IRLbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IZaBEE" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Iblog" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Id-search" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IdeelaborPlagiaat" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Iframely" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IlTrovatore" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains IlseBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Image Fetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Image Sucker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ImageEngine\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ImageVisu\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Image\ Fetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Image\ Sucker" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ImagesiftBot" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Imagga" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InAGist" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InDesign%20CC" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Inboxb0t" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains IndeedBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains InterfaxScanBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Indy Library" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Indy\ Library" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InetURL" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InfoNaviRobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InfoTekies" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InfoWizards Reciprocal Link" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Information\ Security\ Team\ InfraSec\ Scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InfraSec\ Scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Instapaper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Integrity" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Intelliseek" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InterGET" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Internet Ninja" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains InternetMeasurement" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains IonCrawl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains InternetSeer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Internet\ Ninja" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Iria" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Irokez" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Iskanie" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains IstellaBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains James BOT" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Jamie's Spider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Jetslide" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JAHHO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JOC\ Web\ Spider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JS-Kit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JamesBOT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jaunt\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Java.*outbrain" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jbrofuzz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JennyBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jersey\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JetCar" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Jetty" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains JobboerseBot" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Jooblebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Jugendschutzprogramm-Crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains K7MLWCBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains KStandBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Kemvibot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains KeybaseBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains KomodiaBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains KosmioBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Landau-Media-Spider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Laserlikebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Leikibot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains LightspeedSystemsCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Linespider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Linguee Bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains LinkArchiver" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains LinkedInBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains LinkisBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Livelap[bB]ot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Luminator-robots" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MBCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jigsaw" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JikeSpider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JobFeed discovery" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jobboerse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jobg8 URL Monitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jobrapido" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jobsearch1\.5" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JoinVision Generic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JolokiaPwn" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Joomla" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jorgee" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JungleKeyThumbnail" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains JustView" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Jyxobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains KOCMOHABT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kaspersky Lab CFR link resolver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kelny\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kenjin\ Spider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kerrigan\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains KeyCDN" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Keybot\ Translation-Search-Machine" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
Keyword Density" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Keyword\ Density" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Keywords Research" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains KickFire" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains KimonoLabs\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kinza" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kml-Google" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Kozmosbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains KumKie" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LNSpiderguy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LWP::Simple" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LYT\.SR" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains L\.webis" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lanshanbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Larbin" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lavf\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Leap" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LeechFTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LeechGet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LexiBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lftp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LibVLC" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains LibWeb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Libwhisker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Licorne" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LieBaoFast" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Liferea\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lighthouse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lightspeedsystems" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Likse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Link Valet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkAlarm\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkAnalyser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkExaminer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkPreview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkScan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkTiger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkWalker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Linkbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkextractorPro" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinkpadBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinksManager" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinqiaMetadataDownloaderBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains LinqiaRSSBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LinqiaScrapeBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lipperhey" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lipperhey\ Spider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Litemage_walker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lmspider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LoadImpactRload" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains LongURL API" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ltx71" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lucee \(CFML Engine\)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Lush Http Client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MFC_Tear_Sample" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MIDown tool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MIDown\ tool" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MIIxpc" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MJ12bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MQQBrowser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MS Web Services Client Protocol" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MSFrontPage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MSIECrawler" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MTRobot" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains MaCoCu" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Mail\.RU_Bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Mastodon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MVAClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MacOutlook\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mag-Net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Magnet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MagpieRSS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mail.RU_Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mail::STS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MailChimp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mail\.Ru" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Majestic-SEO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Majestic12" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Majestic\ SEO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mandrill" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MapperCmd" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MarkMonitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MarkWatch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mass Downloader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mass\ Downloader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Masscan" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mata Hari" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mata\ Hari" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MauiBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Mediapartners \(Googlebot\)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mb2345Browser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MeanPath\ Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Meanpathbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mediametric" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Mediapartners-Google" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Mediatoolkitbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MegaIndex" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MegaIndex\.ru" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MeltwaterNews" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MetaInspector" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MetaJobBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Melvil Rawi" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MemGator" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MetaURI" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Miniflux\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MixnodeCache\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MojeekBot\/" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Monsidobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MoodleBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Metaspinner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Metauri" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MicroMessenger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft Data Access" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft Office" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft Outlook" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft Windows Network Diagnostics" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft-WebDAV-MiniRedir" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MicrosoftPreview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft\ Data\ Access" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft\ URL\ Control" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Microsoft\.Data\.Mashup" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mindjet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Minefield" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Miniature\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Miniflux" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Miro-HttpClient" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mister PiX" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mister\ PiX" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mnogosearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Moblie\ Safari" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mojeek" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mojolicious" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mojolicious \(Perl\)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mollie" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MolokaiBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MonTools" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Monit\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Monitority\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Moreover" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains MuckRack" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Multiviewbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NAVER Blog Rssbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NING\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NINJA bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NIXStatsbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NTENTbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Neevabot" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains NerdByNature\.Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Morfeus Fucking Scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Morfeus\ Fucking\ Scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Morning Paper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MovableType" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mozlila" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mr.4x3" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mr\.4x3 Powered" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Mrcgiguy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Msrabot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MuckRack\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Musobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MxToolbox\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NETCRAFT" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NG-Search" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NICErsPRO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NLNZ_IAHarvester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NPbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Najdi\.si" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Name Intelligence" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NameFo\.com" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains Name\ Intelligence" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nameprotect" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Navroad" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NearSite" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Needle" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nessus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Net Vampire" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetAnts" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetLyzer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetMechanic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetNewsWire" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetShelter ContentScan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetSpider" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains NetSystemsResearch" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NetcraftSurveyAgent" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Neticle Crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetTrack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NetZIP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Net\ Vampire" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Netcraft" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Netpursual" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains Netsparker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nettrack" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Netvibes" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NewsBlur" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains NextCloud" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Nicecrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Nimbostratus-Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Neustar WPM" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NeutrinoAPI" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NewRelicPinger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NewsBlur .*Finder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NewsGator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nexgate Ruby Client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NextGenSearchBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nibbler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NihilScio" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Niki-bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nikto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NimbleCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nimbostratus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ninja" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nmap" 
"id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Nmap Scripting Engine" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NodePing" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nodemeter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Norton-Safeweb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Notifixious" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains NotionEmbedder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nuclei" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Nutch" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Nuzzel" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains OAI-SearchBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Ocarinabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains OdklBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains OpenGraphCheck" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains OpenHoseBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains OrangeBot\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Nymesis" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OMSC" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OPPO A33" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Observatory\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ocelli\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Octopus" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains Offline Explorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Offline Navigator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Offline\ Explorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Offline\ Navigator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OgScrper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OnCrawl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Online Domain Tools" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Open Source RSS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OpenCalaisSemanticProxy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OpenLinkProfiler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OpenVAS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Openfind" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Openstat\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Openvas" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Optimizer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OrangeBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OrangeSpider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Orbiter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OrgProbe\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains OutclicksBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PR-CY\.RU" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains PagePeeker\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OutfoxBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Outlook-Express" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Outlook-iOS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Owler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Owlin" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains OxfordCloudService" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PDF24 URL To PDF" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PECL::HTTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PHPCrawl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains POE-Component-Client-HTTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PRTG Network Monitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PTST " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PTST\/[0-9]+" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Page Valet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PageAnalyzer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PageFreezer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PageGrabber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PagePeeker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PageScorer" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains PageThing" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains Page\ Analyzer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pagespeed\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Pandalytics" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PaperLiBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Panopta" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Panscient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Papa Foto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Papa\ Foto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pavuk" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PayPal IPN" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Pcore-HTTP" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PerplexityBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PetalBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PhantomJS" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PhxBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains PiplBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pearltrees" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Peew" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PeoplePal" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Perlu -" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Petalbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PhantomJS Screenshoter" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PhantomJS\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Photon\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pi-Monster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Picscout" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Picsearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PictureFinder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Piepmatz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pimonster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PingAdmin\.Ru" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PingSpot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pingability" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pingdom" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pingoscope" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pixray" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pizilla" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Plagger\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PleaseCrawl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Pleroma " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Ploetz \+ Zeller" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Plukkie" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains PocketImageCache" "id:3000,phase:1,deny,status:403" SecRule 
REQUEST_HEADERS:User-Agent "@contains PocketParser" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Primalbot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains PrivacyAwareBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Pulsepoint" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Pockey" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PodcastAddict\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Polymail\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Pompos" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Porkbun" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Port Monitor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PostPost" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PostmanRuntime" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PowerPoint\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Prebid" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Prerender" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Priceonomics Analysis Engine" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PrintFriendly" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PritTorrent" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Prlog" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ProPowerBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ProWebWalker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Probethenet" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Project ?25499" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Project-Resonance" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Protopage" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Proximic" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Psbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Pu_iN" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Pump" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PxBroker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains PyCurl" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Python-httplib2" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Python-urllib" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains QQDownload" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Qirina Hurdler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains QrafterPro" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Qseero" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Qualidator" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains QueryN Metasearch" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains QueryN\ Metasearch" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Quick-Crawler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains QuiteRSS" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Quora Link Preview" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Qwantify" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ROI Hunter" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RPT-HTTPClient" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RSSMix\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RSSOwl" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains RSSingBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Radian6" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RadioPublicImageResizer" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Railgun\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Rainbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankActive" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains RankActiveLinkBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Refindbot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains RegionStuttgartBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains RetrevoPageAnalyzer" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains ReverseEngineeringBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains RewriteCond %{HTTP_USER_AGENT} 
^$|\<|\>|\'|\%|\_iRc|\_Works|\@\$x|\<\?|\$x0e|\+select\+|\+union\+|1\,\1\,1\,|2icommerce|3GSE|4all|59\.64\.153\.|88\.0\.106\.|98|85\.17\.|A\_Browser|ABAC|Abont|abot|Accept|Access|Accoo|AceFTP|Acme|ActiveTouristBot|Address|Adopt|adress|adressendeutschland|ADSARobot|agent|ah\-ha|Ahead|AESOP\_com\_SpiderMan|aipbot|Alarm|Albert|Alek|Alexibot|Alligator|AllSubmitter|alma|almaden|ALot|Alpha|aktuelles|Akregat|Amfi|amzn\_assoc|Anal|Anarchie|andit|Anon|AnotherBot|Ansearch|AnswerBus|antivirx|Apexoo|appie|Aqua_Products|Arachmo|archive|arian|ASPSe|ASSORT|aster|Atari|ATHENS|AtHome|Atlocal|Atomic_Email_Hunter|Atomz|Atrop|^attach|attrib|autoemailspider|autohttp|axod|batch|b2w|Back|BackDoorBot|BackStreet|BackWeb|Badass|Baid|Bali|Bandit|Baidu|Barry|BasicHTTP|BatchFTP|bdfetch|beat|Become|Beij|BenchMark|berts|bew|big.brother|Bigfoot|Bilgi|Bison|Bitacle|Biz360|Black|Black.Hole|BlackWidow|bladder.fusion|Blaiz|Blog.Checker|Blogl|BlogPeople|Blogshares.Spiders|Bloodhound|Blow|bmclient|Board|BOI|boitho|Bond|Bookmark.search.tool|boris|Bost|Boston.Project|BotRightHere|Bot.mailto:craftbot@yahoo.com|BotALot|botpaidtoclick|botw|brandwatch|BravoBrian|Brok|Bropwers|Broth|browseabit|BrowseX|Browsezilla|Bruin|bsalsa|Buddy|Build|Built|Bulls|bumblebee|Bunny|Busca|Busi|Buy|bwh3|c\-spider|CafeK|Cafi|camel|Cand|captu|Catch|cd34|Ceg|CFNetwork|cgichk|Cha0s|Chang|chaos|Char|char\(32\,35\)|charlotte|CheeseBot|Chek|CherryPicker|chill|ChinaClaw|CICC|Cisco|Cita|Clam|Claw|Click.Bot|clipping|clshttp|Clush|COAST|ColdFusion|Coll|Comb|commentreader|Compan|contact|Control|contype|Conc|Conv|Copernic|Copi|Copy|Coral|Corn|core-project|cosmos|costa|cr4nk|crank|craft|Crap|Crawler0|Crazy|Cres|cs\-CZ|cuill|Curl|Custo|Cute|CSHttp|Cyber|cyberalert|^DA$|daoBot|DARK|Data|Daten|Daum|dcbot|dcs|Deep|DepS|Detect|Deweb|Diam|Digger|Digimarc|digout4uagent|DIIbot|Dillo|Ding|DISC|discobot|Disp|Ditto|DLC|DnloadMage|DotBot|Doubanbot|Download|Download.Demon|Download.Devil|Download.Wonder|Downloader|drag|DreamPassport|Drec|Drip|dsdl|dsok|DSu
rf|DTAAgent|DTS|Dual|dumb|DynaWeb|e\-collector|eag|earn|EARTHCOM|EasyDL|ebin|EBM-APPLE|EBrowse|eCatch|echo|ecollector|Edco|edgeio|efp\@gmx\.net|EirGrabber|email|Email.Extractor|EmailCollector|EmailSearch|EmailSiphon|EmailWolf|Emer|empas|Enfi|Enhan|Enterprise\_Search|envolk|erck|EroCr|ESurf|Eval|Evil|Evere|EWH|Exabot|Exact|EXPLOITER|Expre|Extra|ExtractorPro|EyeN|FairAd|Fake|FANG|FAST|fastlwspider|FavOrg|Favorites.Sweeper|Faxo|FDM\_1|FDSE|fetch|FEZhead|Filan|FileHound|find|Firebat|Firefox.2\.0|Firs|Flam|Flash|FlickBot|Flip|fluffy|flunky|focus|Foob|Fooky|Forex|Forum|ForV|Fost|Foto|Foun|Franklin.Locator|freefind|FreshDownload|FrontPage|FSurf|Fuck|Fuer|futile|Fyber|Gais|GalaxyBot|Galbot|Gamespy\_Arcade|GbPl|Gener|geni|Geona|Get|gigabaz|Gira|Ginxbot|gluc|glx.?v|gnome|Go.Zilla|Goldfire|Google.Wireless.Transcoder|Googlebot\-Image|Got\-It|GOFORIT|gonzo|GornKer|GoSearch|^gotit$|gozilla|grab|Grabber|GrabNet|Grub|Grup|Graf|Green.Research|grub|grub\-client|gsa\-cra|GSearch|GT\:\:WWW|GuideBot|guruji|gvfs|Gyps|hack|haha|hailo|Harv|Hatena|Hax|Head|Helm|herit|hgre|hhjhj\@yahoo|Hippo|hloader|HMView|holm|holy|HomePageSearch|HooWWWer|HouxouCrawler|HMSE|HPPrint|htdig|HTTPConnect|httpdown|http.generic|HTTPGet|httplib|HTTPRetriever|HTTrack|human|Huron|hverify|Hybrid|Hyper|ia\_archiver|iaskspi|IBM\_Planetwide|iCCra|ichiro|ID\-Search|IDA|IDBot|IEAuto|IEMPT|iexplore\.exe|iGetter|Ilse|Iltrov|Image|Image.Stripper|Image.Sucker|imagefetch|iimds\_monitor|Incutio|IncyWincy|Indexer|Industry.Program|Indy|InetURL|informant|InfoNav|InfoTekies|Ingelin|Innerpr|Inspect|InstallShield.DigitalWizard|Insuran\.|Intellig|Intelliseek|InterGET|Internet.Ninja|Internet.x|Internet\_Explorer|InternetLinkagent|InternetSeer.com|Intraf|IP2|Ipsel|Iria|IRLbot|Iron33|Irvine|ISC\_Sys|iSilo|ISRCCrawler|ISSpi|IUPUI.Research.Bot|Jady|Jaka|Jam|^Java|java\/|Java\(tm\)|JBH.agent|Jenny|JetB|JetC|jeteye|jiro|JoBo|JOC|jupit|Just|Jyx|Kapere|kash|Kazo|KBee|Kenjin|Kernel|Keywo|KFSW|KKma|Know|kosmix|KRAE|KRetrieve|Krug|ksibot|ksoap|Kum
|KWebGet|Lachesis|lanshan|Lapo|larbin|leacher|leech|LeechFTP|LeechGet|leipzig\.de|Lets|Lexi|lftp|Libby|libcrawl|libcurl|libfetch|libghttp|libWeb|libwhisker|libwww|libwww\-FM|libwww\-perl|LightningDownload|likse|Linc|Link|Link.Sleuth|LinkextractorPro|Linkie|LINKS.ARoMATIZED|LinkScan|linktiger|LinkWalker|Lint|List|lmcrawler|LMQ|LNSpiderguy|loader|LocalcomBot|Locu|London|lone|looksmart|loop|Lork|LTH\_|lwp\-request|LWP|lwp-request|lwp-trivial|Mac.Finder|Macintosh\;.I\;.PPC|Mac\_F|magi|Mag\-Net|Magnet|Magp|Mail.Sweeper|main|majest|Mam|Mana|MarcoPolo|mark.blonin|MarkWatch|MaSagool|Mass|Mass.Downloader|Mata|mavi|McBot|Mecha|MCspider|mediapartners|^Memo|MEGAUPLOAD|MetaProducts.Download.Express|Metaspin|Mete|Microsoft.Data.Access|Microsoft.URL|Microsoft\_Internet\_Explorer|MIDo|MIIx|miner|Mira|MIRE|Mirror|Miss|Missauga|Missigua.Locator|Missouri.College.Browse|Mist|Mizz|MJ12|mkdb|mlbot|MLM|MMMoCrawl|MnoG|moge|Moje|Monster|Monza.Browser|Mooz|Moreoverbot|MOT\-MPx220|mothra\/netscan|mouse|MovableType|Mozdex|Mozi\!|^Mozilla$|Mozilla\/1\.22|Mozilla\/22|^Mozilla\/3\.0.\(compatible|Mozilla\/3\.Mozilla\/2\.01|Mozilla\/4\.0\(compatible|Mozilla\/4\.08|Mozilla\/4\.61.\(Macintosh|Mozilla\/5\.0|Mozilla\/7\.0|Mozilla\/8|Mozilla\/9|Mozilla\:|Mozilla\/Firefox|^Mozilla.*Indy|^Mozilla.*NEWT|^Mozilla*MSIECrawler|Mp3Bot|MPF|MRA|MS.FrontPage|MS.?Search|MSFrontPage|MSIE\_6\.0|MSIE6|MSIECrawler|msnbot\-media|msnbot\-Products|MSNPTC|MSProxy|MSRBOT|multithreaddb|musc|MVAC|MWM|My\_age|MyApp|MyDog|MyEng|MyFamilyBot|MyGetRight|MyIE2|mysearch|myurl|NAG|NAMEPROTECT|NASA.Search|nationaldirectory|Naver|Navr|Near|NetAnts|netattache|Netcach|NetCarta|Netcraft|NetCrawl|NetMech|netprospector|NetResearchServer|NetSp|Net.Vampire|netX|NetZ|Neut|newLISP|NewsGatorInbox|NEWT|NEWT.ActiveX|Next|^NG|NICE|nikto|Nimb|Ninja|Ninte|NIPGCrawler|Noga|nogo|Noko|Nomad|Norb|noxtrumbot|NPbot|NuSe|Nutch|Nutex|NWSp|Obje|Ocel|Octo|ODI3|oegp|Offline|Offline.Explorer|Offline.Navigator|OK.Mozilla|omg|Omni|Onfo|onyx|OpaL|OpenBot|Openf|Ope
nTextSiteCrawler|OpenU|Orac|OrangeBot|Orbit|Oreg|osis|Outf|Owl|P3P|PackRat|PageGrabber|PagmIEDownload|pansci|Papa|Pars|Patw|pavu|Pb2Pb|pcBrow|PEAR|PEER|PECL|pepe|Perl|PerMan|PersonaPilot|Persuader|petit|PHP|PHP.vers|PHPot|Phras|PicaLo|Piff|Pige|pigs|^Ping|Pingd|PingALink|Pipe|Plag|Plant|playstarmusic|Pluck|Pockey|POE\-Com|Poirot|Pomp|Port.Huron|Post|powerset|Preload|press|Privoxy|Probe|Program.Shareware|Progressive.Download|ProPowerBot|prospector|Provider.Protocol.Discover|ProWebWalker|Prowl|Proxy|Prozilla|psbot|PSurf|psycheclone|^puf$|Pulse|Pump|PushSite|PussyCat|PuxaRapido|PycURL|Pyth|PyQ|QuepasaCreep|Query|Quest|QRVA|Qweer|radian|Radiation|Rambler|RAMP|RealDownload|Reap|Recorder|RedCarpet|RedKernel|ReGet|relevantnoise|replacer|Repo|requ|Rese|Retrieve|Rip|Rix|RMA|Roboz|Rogue|Rover|RPT\-HTTP|Rsync|RTG30|.ru\)|ruby|Rufus|Salt|Sample|SAPO|Sauger|savvy|SBIder|SBP|SCAgent|scan|SCEJ\_|Sched|Schizo|Schlong|Schmo|Scout|Scooter|Scorp|ScoutOut|SCrawl|screen|script|SearchExpress|searchhippo|Searchme|searchpreview|searchterms|Second.Street.Research|Security.Kol|Seekbot|Seeker|Sega|Sensis|Sept|Serious|Sezn|Shai|Share|Sharp|Shaz|shell|shelo|Sherl|Shim|Shiretoko|ShopWiki|SickleBot|Simple|Siph|sitecheck|SiteCrawler|SiteSnagger|Site.Sniper|SiteSucker|sitevigil|SiteX|Sleip|Slide|Slurpy.Verifier|Sly|Smag|SmartDownload|Smurf|sna\-|snag|Snake|Snapbot|Snip|Snoop|So\-net|SocSci|sogou|Sohu|solr|sootle|Soso|SpaceBison|Spad|Span|spanner|Speed|Spegla|Sphere|Sphider|spider|SpiderBot|SpiderEngine|SpiderView|Spin|sproose|Spurl|Spyder|Squi|SQ.Webscanner|sqwid|Sqworm|SSM\_Ag|Stack|Stamina|stamp|Stanford|Statbot|State|Steel|Strateg|Stress|Strip|studybot|Style|subot|Suck|Sume|sun4m|Sunrise|SuperBot|SuperBro|Supervi|Surf4Me|SuperHTTP|Surfbot|SurfWalker|Susi|suza|suzu|Sweep|sygol|syncrisis|Systems|Szukacz|Tagger|Tagyu|tAke|Talkro|TALWinHttpClient|tamu|Tandem|Tarantula|tarspider|tBot|TCF|Tcs\/1|TeamSoft|Tecomi|Teleport|Telesoft|Templeton|Tencent|Terrawiz|Test|TexNut|trivial|Turnitin|The.Intraformant|
TheNomad|Thomas|TightTwatBot|Timely|Titan|TMCrawler|TMhtload|toCrawl|Todobr|Tongco|topic|Torrent|Track|translate|Traveler|TREEVIEW|True|Tunnel|turing|Turnitin|TutorGig|TV33\_Mercator|Twat|Tweak|Twice|Twisted.PageGetter|Tygo|ubee|UCmore|UdmSearch|UIowaCrawler|Ultraseek|UMBC|unf|UniversalFeedParser|unknown|UPG1|UtilMind|URLBase|URL.Control|URL\_Spider\_Pro|urldispatcher|URLGetFile|urllib|URLSpiderPro|URLy|User\-Agent|UserAgent|USyd|Vacuum|vagabo|Valet|Valid|Vamp|vayala|VB\_|VCI|VERI\~LI|verif|versus|via|Viewer|virtual|visibilitygap|Visual|vobsub|Void|VoilaBot|voyager|vspider|VSyn|w\:PACBHO60|w0000t|W3C|w3m|w3search|walhello|Walker|Wand|WAOL|WAPT|Watch|Wavefire|wbdbot|Weather|web.by.mail|Web.Data.Extractor|Web.Downloader|Web.Ima|Web.Mole|Web.Sucker|Web2Mal|Web2WAP|WebaltBot|WebAuto|WebBandit|Webbot|WebCapture|WebCat|webcraft\@bea|Webclip|webcollage|WebCollector|WebCopier|WebCopy|WebCor|webcrawl|WebDat|WebDav|webdevil|webdownloader|Webdup|WebEMail|WebEMailExtrac|WebEnhancer|WebFetch|WebGo|WebHook|Webinator|WebInd|webitpr|WebFilter|WebFountain|WebLea|Webmaster|WebmasterWorldForumBot|WebMin|WebMirror|webmole|webpic|WebPin|WebPix|WebReaper|WebRipper|WebRobot|WebSauger|WebSite|Website.eXtractor|Website.Quester|WebSnake|webspider|Webster|WebStripper|websucker|WebTre|WebVac|webwalk|WebWasher|WebWeasel|WebWhacker|WebZIP|Wells|WEP\_S|WEP.Search.00|WeRelateBot|wget|Whack|Whacker|whiz|WhosTalking|Widow|Win67|window.location|Windows.95\;|Windows.95\)|Windows.98\;|Windows.98\)|Winodws|Wildsoft.Surfer|WinHT|winhttp|WinHttpRequest|WinHTTrack|Winnie.Poh|wire|WISEbot|wisenutbot|wish|Wizz|WordP|Works|world|WUMPUS|Wweb|WWWC|WWWOFFLE|WWW\-Collector|WWW.Mechanize|www.ranks.nl|wwwster|^x$|X12R1|x\-Tractor|Xaldon|Xenu|XGET|xirq|Y\!OASIS|Y\!Tunnel|yacy|YaDirectBot|Yahoo\-MMAudVid|YahooSeeker|YahooYSMcm|Yamm|Yand|yang|Yeti|Yoono|yori|Yotta|YTunnel|Zade|zagre|ZBot|Zeal|ZeBot|zerx|Zeus|ZIPCode|Zixy|zmao|Zyborg [NC]" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains RidderBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Rivva" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankFlex" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankSonicSiteAuditor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankingBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankingBot2" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Rankivabot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RankurBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RapidLoad\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Re-re" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Re-re Studio" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ReGet" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ReactorNetty" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Readability" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RealDownload" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RealPlayer%20Downloader" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Reaper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RebelMouse" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Recorder" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RecurPost\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RedesScrapy" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ReederForMac" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Reeder\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RepoMonkey" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ResponseCodeTest" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RestSharp" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Riddler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Ripper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Rival IQ" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Robosourcer" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Robozilla" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RocketCrawler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Rogerbot" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains RuxitSynthetic" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains RyteBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SBL-BOT" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains RyowlEngine" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SAP NetWeaver Application Server" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SBIder" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEO Browser" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOCentro" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SEOkicks" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOkicks-Robot" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SEOlizer" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SWIMGBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains S[eE][mM]rushBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SafeDNSBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SafeSearch microdata crawler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOlyt" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOlyticsCrawler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOprofiler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOsearch" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SEOstats" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SISTRIX" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SMRF URL Expander" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SMTBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SMUrlExpander" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SPDYCheck" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SPEng" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SSL Labs" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SalesIntelligent" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Saleslift" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SauceNAO" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Scamadviser-Frontend" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScanAlert" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Scanbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Scoop" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScopeContentAG-HTTP-Client" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains ScoutJet" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScoutURLMonitor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScrapeBox Page Scanner" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Scrapy" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Screaming Frog SEO Spider" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SearchAtlas" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Screaming" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScreenShotService" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScreenerBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ScrepyBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Scrubby" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Scrutiny\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Search37" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SearchExpress" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SearchSight" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SearchWP" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Searchestate" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SearchmetricsBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Seeker" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Seekport" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SemanticScholarBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SeekportBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SemanticJuice" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Semiocast HTTP client" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Semrush" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SemrushBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sendsay\.Ru" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SentiBot" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SenutoBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Seo Servis" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SeoCheck" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SeoCherryBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SeoSiteCheckup" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Seobility" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SeobilityBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SerendeputyBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SeznamBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SimpleCrawler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Seomoz" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Seznam" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Shelob" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Shodan" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ShopWiki" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Shoppimon" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ShortLinkTranslate" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sideqik" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Siege" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SimplePie" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SimpleScraper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SimplyFast" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Siphon" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Site Sucker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Site-Shot\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Site24x7" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteBar" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SiteCheckerBotCrawler" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Siteimprove\.com" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteCondor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteExplorer" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteGuardian" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteIndexed" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteLockSpider" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteMonitor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteSnagger" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteSucker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SiteTruth" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Site\ Sucker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sitebeam" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sitebulb\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Siteimprove" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sitemap(s)? Generator" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SitemapGenerator" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Siteshooter B0t" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sitevigil" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SkypeUriPreview" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Slack-ImgProxy" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Slackbot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Slurp" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Snacktory" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Snap URL Preview Service" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Slack\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SlySearch" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SmartDownload" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Snake" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SnapSearch" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Snapbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Snappy" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Snarfer\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SniffRSS" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Snoopy" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SnowHaze Search" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SocialRankIOBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Sogou" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Sonic" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Storebot-Google" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains StorygizeBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains StractBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Streamline3Bot\/" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Superfeedr" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains SurdotlyBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sociscraper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sogou\ web\ spider" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SortSite" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sosospider" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sottopop" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SpaceBison" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SpamExperts" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spammen" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SpankBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spanner" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spawning-AI" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Specificfeeds" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SpeedKit" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spider_Bot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spider_Bot/3.0" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Spinn3r" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sprinklr " "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SputnikBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sqlmap" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sqlworm" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sqworm" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains StackRambler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Statastico\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Statically-" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains StatusCake" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Steeler" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Stratagems Kumo" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Stripe\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Stripper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Stroke\.cz" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains StudioFACA" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains StumbleUpon" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sucker" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Sucuri" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SuperBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SuperHTTP" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Surfbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Surphace Scout" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains SurveyBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Synapse" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Suzuran" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Swiftbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Symfony BrowserKit" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Symfony2 BrowserKit" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains SynHttpClient-Built" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Synapse\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Syndirella\/" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Sysomos" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Taboolabot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains TangibleeBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains TelegramBot" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Teoma" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Szukacz" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains T0PHackTeam" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains T8Abot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TLSProbe\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Tarantula\/" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Taringa UGC" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TarmotGezgin" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Teleport" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TeleportPro" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Telesoft" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Telesphoreo" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Telesphorep" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Tenon\.io" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Test Certificate Info" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Tetrahedron" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TextRazor Downloader" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains The Drop Reaper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains The Expert HTML Source Viewer" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains The Intraformant" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains The Knowledge AI" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TheNomad" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains The\ Intraformant" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Thinklab" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains ThumbSniper" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Thumbor" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Thumbshots" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TightTwatBot" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains TinEye" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Tiny Tiny RSS" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains TombaPublicWebCrawler" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains ToutiaoSpider" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TinyTestBot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Titan" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Toata" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Toweyabot" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains Traackr\.com" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains TrendsmapResolver" "id:3000,phase:1,deny,status:403"
-SecRule REQUEST_HEADERS:User-Agent "@contains Trove" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Tracemyfile" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Trackuity" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TrapitAgent" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Trendiction" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Trendictionbot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains Trendsmap" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains True_Robot" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains TryJsoup" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains TulipChain" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Turingos" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Turnitin" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains TweetmemeBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains TurnitinBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Tweetminster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Tweezler\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains TwengaBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Twice" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Twikle" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Twingly" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Twitterbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Twurly" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains UT-Dorkbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Twisted PageGetter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Typhoeus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URL Verifier" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URLTester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URL\/Emacs" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URLitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URLy Warning" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URLy\ Warning" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains URLy\.Warning" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains UdmSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains UnisterBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains UniversalFeedParser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Unshorten\.It" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Untiny" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains UnwindFetchor" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Upflow" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Uptime-Kuma" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains UptimeRobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Uptimebot\.org" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains UsineNouvelleCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains VKRobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Validator\.nu" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Valve\/Steam" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Uptimia" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains UrlTrends Ranking Updater" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Urlcheckr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Urlstat" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains V-BOT" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VB Project" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VB\ Project" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VSAgent\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VSB-TUO\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VYU2" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Vacuum" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Vagabondo" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains VelenPublicWebCrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Veoozbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Vercelbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Viber" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Vigil\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains VoluumDSP-content-bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VeriCiteCrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Verity" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VidibleScraper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Virusdie" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Visual Rights Group" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains VoidEYE" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Voil" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Voltron" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains Vulnbusters Meter" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains W3C-checklink" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains W3C-mobileOK" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains W3C_CSS_Validator" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains W3C_I18n-Checker" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains W3C_Unicorn" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains W3C_Validator" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains WeSEE:Search" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WAC-OFU" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WASALive-Bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WBSearchBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WDT\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WEBDAV" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WEPA" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WISENutbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WP Engine Install Performance API" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WP Rocket" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WPScan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WWW-Collector-E" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WWW-Mechanize" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WWW::Document" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains WWW::Mechanize" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WWWOFFLE" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WakeletLinkExpander" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wallpapers" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wallpapers/3.0" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WallpapersHD" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wallpapers\/[0-9]+" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wappalyzer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WatchMouse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WbSrch\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WeLikeLinks" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WeSEE" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Auto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Collage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Enhancer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Fetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Fuck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Pix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Sauger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web Sucker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web spyder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains Web-sniffer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebAuto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebBandit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebCapture" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebClient\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebCollage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebCookies" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebCopier" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebCorp" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains WebDataStats" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains WellKnownBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebDoc" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebEnhancer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebFetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebFuck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebGazer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebGo IS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebGo\ IS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebImageCollector" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebImages" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebIndex" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebLeacher" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains WebPix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebReaper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebSauger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebSniffer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebStripper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebSucker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebThumbnail" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebWhacker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebZIP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Auto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Collage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Enhancer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Fetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Fuck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Pix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Sauger" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Web\ Sucker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Webalta" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Webauskunft" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebmasterWorldForumBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Webshag" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains Webshot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Website Quester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebsiteExtractor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WebsiteQuester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Website\ Quester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Websnapr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Webster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Webthumb\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wfuzz\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Whack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Whacker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhatCMS" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhatWeb" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains WhatsApp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhatsMyIP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Whatweb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhereGoes\?" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Whibse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhoAPI\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WhoRunsCoinHive" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Whynder Magnet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Widow" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WinHTTP\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WinHTTrack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WinHttp-Autoproxy-Service" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WinPodder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Windows-RSS-Platform" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WiseGuys\ Robot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Woko" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wolfram HTTPClient" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wonderbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Woobot" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains WordPress\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains WordupInfoSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Word\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains WordupinfoSearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wotbox" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wprecon" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Wtrace" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains XING-contenttabreceiver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Xaldon\ WebSpider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Xaldon_WebSpider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains XaxisSemanticsClassifier" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains XenForo\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Xenu" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Xenu Link Sleuth" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Y!J" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains YaK\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Y!J-[A-Z][A-Z][A-Z]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YP\.PL" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Yaanb" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Yahoo Link Preview" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains YandexRenderResourcesBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Yellowbrandprotectionbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains Yeti" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains YisouSpider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains YouBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YahooCacheSystem" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
YahooMailProxy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YahooYSMcm" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YandeG" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Yandex(?!Search)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Yo-yo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YoYs\.net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Yoleo Consumer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YottaaMonitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains YoudaoBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Your-Website-Sucks" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Zabbix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zade" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zapier" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zauba" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zemanta Aggregator" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zend\\Http\\Client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zend_Http_Client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zermelo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zeus" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zeus " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zitebot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ZmEu" "id:3000,phase:1,deny,status:403" 
+SecRule REQUEST_HEADERS:User-Agent "@contains ZnHTTP" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ZnajdzFoto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zombie\.js" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ZoomBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains Zoom\.Mac" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ZoominfoBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ZoteroTranslationServer" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ZumBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ZuperlistBot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains [Cc]urebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains [cC]laude[bB]ot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains [pP]ingdom" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains [wW]get" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ^Apache-HttpClient" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ^BW\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ^LCC " "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ^PHP-Curl-Class" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ^curl" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains acapbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains acoonbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains adbeat_bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
ZyBorg" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains [a-z0-9\-_]*(bot|crawl|archiver|transcoder|spider|uptime|validator|fetcher|cron|checker|reader|extractor|monitoring|analyzer|scraper)" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Aether" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Amazon CloudFront" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Amazon Simple Notification Service Agent$" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Amazon-Route53-Health-Check-Service" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^COMODO DCV" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Calypso v\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Corax" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^DHSH" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^DangDang" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^DavClnt" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Expanse" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^FDM " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Goose\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Grabber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Gradle\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^HTTPClient\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^HTTPing" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Java\/" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains ^Jeode\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Jetty\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Mail\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Mget" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Microsoft URL Control" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Mikrotik\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^NG\/[0-9\.]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^NING\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Netlab360" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Nuclei" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^PHP-AYMAPI\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^PHP\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^RMA\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Ruby|Ruby\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^Swurl " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^TLS tester " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^VSE\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^WordPress\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^XRL\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^ZmEu" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^b0t$" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^bluefish " 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^docker\/[0-9]" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^git\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^npm\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^pip\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^pnpm\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^twine\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ^ureq" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains a3logics\.in" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains a\.pr-cy\.ru" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains aboutthedomain" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains acebookexternalhit\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains acoon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains acrylicapps\.com\/pulp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains adbeat" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains adressendeutschland" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains adreview\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains adscanner" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains aiHitBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains aiohttp" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains antibot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains arabot" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains archive\.org_bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains awesomecrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains axios" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains backlinkcrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains betaBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains bidswitchbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains bingbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains adstxt-worker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains adstxt\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains affilimate-puppeteer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains agentslug" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains aihit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains aiohttp\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains akka-http\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains akula\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains alertra" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains alexa site audit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains allloadin" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains alyze\.info" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains amagit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains annotate_google" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains anthropic-ai" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains apimon\.de" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains arachnode" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains archive.org_bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains aria2" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains arquivo-web-crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains asafaweb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains asynchttp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains attohttpc" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains autocite" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains autoemailspider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains awin\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains axios\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains backlink-check" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains baidu\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains basicstate" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains baypup\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains biNu image cacher" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains biglotron" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains binlar" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains bitlybot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains blogmuraBot" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains bnf\.fr_bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains bot-pge\.chlooe\.com" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains botify" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains brainobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains buzzbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains cXensebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains careerbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains centurybot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains biz_Directory" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains boitho\.com-dc" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains caam dot crwlr at gmail dot com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains catexplorador" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains censys" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cf-facebook" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cg-eye" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains changedetection" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains check_http" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains citeseerxbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains chatterino-api-cache" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains checkprivacy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains chkme\.com" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains clark-crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains clips\.ua\.ac\.be" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cmcm\.com" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains coccoc" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains collection@infegy\.com" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains content crawler spider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains contxbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains coccocbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cognitiveseo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cohere-ai" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains colly -" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains commonscan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains contactbigdatafr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains contentkingapp" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains convera" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains copyright sheriff" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cortex\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains crawler4j" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains datagnionbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains dcrawl" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains deadlinkchecker" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains deepnoc" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains developers\.google\.com\/\+\/web\/snippet" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains discobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains domaincrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains dotbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains curb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains curl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cuwhois\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains cybo\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dBpoweramp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dataforseobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dataprovider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ddline" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains deeris" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains delve\.ai" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains demandbase-bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains developers\.google\.com\/\+\/web\/snippet\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dlvr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains docoloc" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dotMailer content retrieval" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
dotSemantic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains downforeveryoneorjustme" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains downnotifier" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains drupact" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains e\.ventures Investment Crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains dubaiindex" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains eCairn-Grabber" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains eCatch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains eContext\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ec2linkfinder" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains edisterbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains electricmonk" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains elisabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains epicbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains eright" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains elefent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains endo\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains europarchive\.org" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ev-crawler\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains evc-batch" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains exabot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains everyfeed-spider" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains exif" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ezooms" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains facebookcatalog\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains facebookcatalog" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains facebookexternalhit" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains fedoraplanet" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains feedbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains filterdb\.iss\.net\/crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains facebookexternalua" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains facebookplatform" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains facebookscraper" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains fairshare" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains fasthttp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains faviconarchive" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains faviconkit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains feeder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains feeltiptop" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains findlink" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains findthatfile" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains findxbot" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains fluffy" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains fr-crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains fuelbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains flynxapp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains forensiq" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains fragFINN\.de" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains free thumbnails" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains frontman" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains g00g1e\.net" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains g2reader-bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains gnam gnam spider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gSOAP\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ganarvisitas" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gdnplus\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains geek-tools" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains getprismatic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains getroot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains github-camo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains github\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains go-mtasts\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gobuster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gobyus" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains gofetch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gooblog" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains google-xrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains grub\.org" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains gslfbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gopher" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gosquared-thumbnailer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains grabify" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains grokkit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains grouphigh" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains grub-client" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains gvfs\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains hackney\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains help@dataminr\.com" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains heritrix" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains historious" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains hkedcity" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains hledejLevne\.cz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains hosterstats" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ht:\/\/check" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains htdig" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains htmlyse" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http-get" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http-kit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http-request\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains httpRequest" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http\.rb\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains http_get" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains https:\/\/developers\.cloudflare\.com\/security-center\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http_request2" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains http_requester" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains httphr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains httpscheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains httpssites_power" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains httpunit" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains httpx" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains hypestat" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains hyscore\.io" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ia_archiver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains httrack" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains huaweisymantec" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains i2kconnect\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
iGooglePortal" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains iThemes Sync\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains iZSearch" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ichiro" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains imrbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains infoobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains inoreader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains igdeSpyder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains imagineeasy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains imgsizer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains inbound\.li parser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains infegy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains infohelfer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains inpwrd\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains instabid" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains integromedb" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains intelium_bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains ip-web-crawler\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains internetVista monitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains internetVista\ monitor" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains internet_archive" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
internetwache" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains intraVnews" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains iplabel" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ips-agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains iqdb\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains isUp\.li" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains isitup\.org" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains iskanie" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains it2media-domain-crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains jpg-newsbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains jyxobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains lb-spider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains libwww-perl" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains linkapediabot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains iubenda-radar" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains janforman" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains javelin\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains jobo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains khttp\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains knows\.is" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains kouio" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains kube-probe" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains kubectl" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains kulturarw3" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains leakix\.net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains letsencrypt" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains libwww" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains limber\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains link-check" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains linkCheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains link_thumbnailer" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains linkdex" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains lipperhey" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains lkxscan" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains lssbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains lssrocketcrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains linkdexbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains linkfluence" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains linkpeek" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains livedoor ScreenShot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains localsearch-web" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains longurl-r-package" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains looid\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent 
"@contains looksystems\.net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains lscache_runner" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains ltx71" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains lua-resty-http" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains lwp-request" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains lwp-trivial" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains lycos" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mShots" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mabontland" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains magpie-crawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains mappydata" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains memorybot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains meta-externalagent\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains meta-externalfetcher\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains mindUpBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains minicrawler" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains mlbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains moatbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains msnbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains msrbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains nerdybot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains netEstate NE Crawler" 
"id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains netresearchserver" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains newsharecounts" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains makecontact\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains marketinggrader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains masscan\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mattermost" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains meanpathbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mediawords" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mio_httpc" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mixdata dot com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mixed-content-scan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mixnode" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mogimogi" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains monitis" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains montastic" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains mowser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains muhstik-scan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains myseosnapshot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nWormFeedFinder" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nagios" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nationalarchives" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nbertaupete95" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains netEstate\ NE\ Crawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains netresearch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nettle" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains newsme" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains newspaper\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains niki-bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nghttp2" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nineconnections" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains node-fetch" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains officestorebot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains node-superagent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains node-urllib" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains node\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nominet\.org\.uk" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nominet\.uk" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains notifyninja" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nuhk" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nutch" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains nyawc\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains oBot" "id:3000,phase:1,deny,status:403" +SecRule 
REQUEST_HEADERS:User-Agent "@contains oegp" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains okhttp" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains omgili" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains online-webceo-bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains openindexspider" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains outbrain" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains openai" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains orion-semantics" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ow\.ly" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ownCloud News" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains page scorer" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains page2rss" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains page\ scorer" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains page_verifier" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains panscient" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains phpcrawl" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains pinterest\.com\/bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains parsijoo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains pcBrowser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains peerindex" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains php-requests" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
phpservermon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ping\.blo\.gs" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains pinterest\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains plumanalytics" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains polaris\ version" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains postano" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains postfix-mta-sts-resolver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains postplanner\.com" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains postrank" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains probe-image-size" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains probely\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains probethenet" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains prospectb2b" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains proximic" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains psbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains purebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains python-opengraph" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains pshtt, https scanning" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains pulsetic\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains python-httpx" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains python-requests" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent 
"@contains redditbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains rogerbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains rssbot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains scribdbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains search\.marginalia\.nu" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains seekbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains seewithkids" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains semanticbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains sempi\.tech" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains queuedriver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains quic-go-HTTP\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains redback\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains request\.js" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains reqwest\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ripz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains safe-agent-scanner" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sc-downloader" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains scalaj-http" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains scan\.lol" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains scooter" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains search\.thunderstone" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
searchenginepromotionhelp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains semanticdiscovery" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains semanticjuice" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sentry\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seo-nastroj\.cz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seo4ajax" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seobility" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seocompany" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains seoscanners" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains seostar\.co" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains serpstatbot\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains sitebot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains siteexplorer\.info" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains smtbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains spbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seositecheckup" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains seostar" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains serpstatbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains servernfo" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sexsearcher" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains shortURL lengthener" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains 
shrinktheweb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains siteripz" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sitexy\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sli-systems\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains slider\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains slurp" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sniptracker" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sogou web" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sogouspider" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sovereign\.ai" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sp_auditbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains spaziodati" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains speedy" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains startmebot\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains spray-can" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains spyfu" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains spyonweb" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ssl-tools" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains suchen" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains summify" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains t3versionsBot" "id:3000,phase:1,deny,status:403" -SecRule 
REQUEST_HEADERS:User-Agent "@contains tagoobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains theoldreader\.com" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains tigerbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains toplistbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains swcd " "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains sysscan" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains tAkeOut" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains tchelebi\.io" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains techiaith\.cymru" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains teoma" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains terrainformatica" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains testuri" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains theinternetrules" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains timewe\.net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains topster" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains touche\.com" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains tracemyfile" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains trendictionbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains trovitBot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains trendspottr" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains truwoGPS" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains 
tweetedtimes" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains twengabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains um-LN" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains urlappendbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains vebidoobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains vercel-screenshot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains virustotal" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains twibble" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ubermetrics-technologies" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains uclassify" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains ultimate_sitemap_parser" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains unchaos" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains unirest-java" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains unshortenit" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains updated" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains updown\.io daemon" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains urlresolver" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains vBSEO" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains via ggpht\.com GoogleImageProxy" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains visionutils" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains vkShare" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains 
voilabot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains vuhuvBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains wbsearchbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains web-archive-net\.com\.bot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains webcompanycrawler" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains voltron" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains voyager\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains w3af\.org" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wangling" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains web-capture\.net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webcollage" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webgains-bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webkit2png" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webmastercoffee" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webmeup-crawler" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains webmon " "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains wocbot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains woobot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains woorankreview\/" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains woriobot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webprosbot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webscreenie" 
"id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains websitepulse agent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains webtech\/" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wf84" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wget" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wkhtmlto" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wmtips" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains woorankreview" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains worldping-api" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains wotbox" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains www\.uptime\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wpif" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wprecon\.com survey" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains wscheck" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains www\.monitor\.us" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains x09Mozilla" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains x22Mozilla" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains xovibot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains yacybot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains yandex\.com\/bots" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains xpymep([0-9]?)\.exe" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains yacy" "id:3000,phase:1,deny,status:403" SecRule 
REQUEST_HEADERS:User-Agent "@contains yanga" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains yoozBot" "id:3000,phase:1,deny,status:403" -SecRule REQUEST_HEADERS:User-Agent "@contains zenback bot" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains yeti" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains yomins\.com" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains yoogliFetchAgent" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains yourls\.org" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains zgrab" "id:3000,phase:1,deny,status:403" diff --git a/waf_patterns/apache/detection.conf b/waf_patterns/apache/detection.conf index 1108987..48fe4cb 100644 --- a/waf_patterns/apache/detection.conf +++ b/waf_patterns/apache/detection.conf 
@@ -1,12 +1,12 @@ # Apache ModSecurity rules for DETECTION SecRuleEngine On +SecRule REQUEST_URI "@lt 1" "id:1043,phase:1,deny,status:403,log,msg:'detection attack detected'" SecRule REQUEST_URI "@lt 1" "id:1044,phase:1,deny,status:403,log,msg:'detection attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1045,phase:1,deny,status:403,log,msg:'detection attack detected'" -SecRule REQUEST_URI "@pmFromFile scanners-user-agents.data" "id:1046,phase:1,deny,status:403,log,msg:'detection attack detected'" +SecRule REQUEST_URI "@pmFromFile scanners-user-agents.data" "id:1045,phase:1,deny,status:403,log,msg:'detection attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1046,phase:1,deny,status:403,log,msg:'detection attack detected'" SecRule REQUEST_URI "@lt 2" "id:1047,phase:1,deny,status:403,log,msg:'detection attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1048,phase:1,deny,status:403,log,msg:'detection attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1048,phase:1,deny,status:403,log,msg:'detection attack detected'" SecRule REQUEST_URI "@lt 3" "id:1049,phase:1,deny,status:403,log,msg:'detection attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1050,phase:1,deny,status:403,log,msg:'detection attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1050,phase:1,deny,status:403,log,msg:'detection attack detected'" SecRule REQUEST_URI "@lt 4" "id:1051,phase:1,deny,status:403,log,msg:'detection attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1052,phase:1,deny,status:403,log,msg:'detection attack detected'" diff --git a/waf_patterns/apache/enforcement.conf b/waf_patterns/apache/enforcement.conf index 8c6a54a..6f8de6b 100644 --- a/waf_patterns/apache/enforcement.conf +++ b/waf_patterns/apache/enforcement.conf 
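Review bot: The `@lt N` rules in this hunk (ids 1043, 1044 and 1046–1051) apply a numeric operator to REQUEST_URI with `deny,status:403`, and a non-numeric URI presumably evaluates as 0, so `@lt 1` would match and reject every request once this file is loaded with `SecRuleEngine On`. These look like flattened CRS paranoia-level gates, which upstream compare a `tx.*_paranoia_level` variable and only skip rules; they should be dropped from the output or emitted in that form, e.g. `SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:1043,phase:1,pass,nolog,skipAfter:<END-MARKER-PLACEHOLDER>"`. Id 1045 matches `@pmFromFile scanners-user-agents.data` against REQUEST_URI, although the data file name suggests User-Agent strings, so `REQUEST_HEADERS:User-Agent` looks like the intended variable. The enforcement.conf hunk that follows repeats the `@lt` pattern. The renumbering also moves existing ids onto different rules (1045 was `@lt 1` and is now the `@pmFromFile` rule), which silently changes what any `SecRuleRemoveById` exclusion refers to; if these files are generated, stable ids need to come from the converter.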
@@ -1,115 +1,115 @@ # Apache ModSecurity rules for ENFORCEMENT SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1035,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1036,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@within %{tx.allowed_methods}" "id:1037,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1038,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1039,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1040,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1041,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1042,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1043,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^d+$" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" 
"id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^0?$" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@eq 0" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@streq POST" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@eq 0" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@eq 0" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx (d+)-(d+)" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt %{tx.1}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx x25" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUrlEncoding" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx x25" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUrlEncoding" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI 
"@eq 1" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUtf8Encoding" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx %u[fF]{2}[0-9a-fA-F]{2}" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange 1-255" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^$" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^$" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@pm AppleWebKit Android Business Enterprise Entreprise" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^$" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^$" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^0$" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.max_num_args}" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule 
REQUEST_URI "@eq 1" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.arg_name_length}" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.arg_length}" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.total_arg_length}" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^(?i)multipart/form-data" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.max_file_size}" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt %{tx.combined_file_sizes}" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^[^;s]+" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type}" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx charsets*=s*["']?([^;"'s]+)" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx 
charset.*?charset" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@within %{tx.allowed_http_versions}" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx .([^.]+)$" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within %{tx.restricted_extensions}" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx .[^.~]+~(?:/.*|)$" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^.*$" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within %{tx.restricted_headers_basic}" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt 50" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@streq JSON" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx (?i)x5cu[0-9a-f]{4}" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'" 
-SecRule REQUEST_URI "@contains #" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt 1" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1124,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1125,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@endsWith .pdf" "id:1126,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@endsWith .pdf" "id:1127,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" "id:1128,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx %[0-9a-fA-F]{2}" "id:1129,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange 9,10,13,32-126,128-255" "id:1130,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1131,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ['";=]" "id:1132,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^0$" "id:1133,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1134,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^.*$" "id:1135,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within %{tx.restricted_headers_extended}" "id:1136,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1137,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1138,phase:1,deny,status:403,log,msg:'enforcement attack 
detected'" -SecRule REQUEST_URI "@validateByteRange 32-36,38-126" "id:1139,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1140,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^(?:OPTIONS|CONNECT)$" "id:1141,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@pm AppleWebKit Android" "id:1142,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1143,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^(?i)up" "id:1144,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt 0" "id:1145,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" "id:1146,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" "id:1147,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1148,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1149,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@endsWith .pdf" "id:1150,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1151,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" "id:1152,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" "id:1153,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx ^(?:?[01])?$" 
"id:1154,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" "id:1155,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@within %{tx.allowed_methods}" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1329,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1330,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" "id:1331,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$" "id:1332,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule 
REQUEST_URI "!@rx ^d+$" "id:1333,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1334,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^0?$" "id:1335,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1336,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@eq 0" "id:1337,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" "id:1338,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@streq POST" "id:1339,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1340,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1341,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@eq 0" "id:1342,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@eq 0" "id:1343,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx (d+)-(d+)" "id:1344,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt %{tx.1}" "id:1345,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" "id:1346,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx x25" "id:1347,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateUrlEncoding" "id:1348,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1349,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx x25" "id:1350,phase:1,deny,status:403,log,msg:'enforcement attack 
detected'" +SecRule REQUEST_URI "@validateUrlEncoding" "id:1351,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1352,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateUtf8Encoding" "id:1353,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx %u[fF]{2}[0-9a-fA-F]{2}" "id:1354,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange 1-255" "id:1355,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1356,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^$" "id:1357,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^$" "id:1358,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1359,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@pm AppleWebKit Android Business Enterprise Entreprise" "id:1360,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^$" "id:1361,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1362,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1363,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^$" "id:1364,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^0$" "id:1365,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1366,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" "id:1367,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1368,phase:1,deny,status:403,log,msg:'enforcement 
attack detected'" +SecRule REQUEST_URI "@gt %{tx.max_num_args}" "id:1369,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1370,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt %{tx.arg_name_length}" "id:1371,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1372,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt %{tx.arg_length}" "id:1373,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1374,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt %{tx.total_arg_length}" "id:1375,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1376,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^(?i)multipart/form-data" "id:1377,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt %{tx.max_file_size}" "id:1378,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1379,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt %{tx.combined_file_sizes}" "id:1380,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$" "id:1381,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^[^;s]+" "id:1382,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type}" "id:1383,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx charsets*=s*["']?([^;"'s]+)" "id:1384,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@within 
%{tx.allowed_request_content_type_charset}" "id:1385,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx charset.*?charset" "id:1386,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@within %{tx.allowed_http_versions}" "id:1387,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx .([^.]+)$" "id:1388,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within %{tx.restricted_extensions}" "id:1389,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx .[^.~]+~(?:/.*|)$" "id:1390,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^.*$" "id:1391,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within %{tx.restricted_headers_basic}" "id:1392,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt 50" "id:1393,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1394,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@streq JSON" 
"id:1395,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx (?i)x5cu[0-9a-f]{4}" "id:1396,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@contains #" "id:1397,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt 1" "id:1398,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1399,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1400,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1401,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@endsWith .pdf" "id:1402,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@endsWith .pdf" "id:1403,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" "id:1404,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx %[0-9a-fA-F]{2}" "id:1405,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange 9,10,13,32-126,128-255" "id:1406,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1407,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ['";=]" "id:1408,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^0$" "id:1409,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1410,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^.*$" "id:1411,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within %{tx.restricted_headers_extended}" "id:1412,phase:1,deny,status:403,log,msg:'enforcement attack detected'" 
+SecRule REQUEST_URI "@lt 3" "id:1413,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1414,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange 32-36,38-126" "id:1415,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1416,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^(?:OPTIONS|CONNECT)$" "id:1417,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@pm AppleWebKit Android" "id:1418,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1419,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^(?i)up" "id:1420,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt 0" "id:1421,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" "id:1422,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" "id:1423,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1424,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1425,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@endsWith .pdf" "id:1426,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1427,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" "id:1428,phase:1,deny,status:403,log,msg:'enforcement attack detected'" 
+SecRule REQUEST_URI "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" "id:1429,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx ^(?:?[01])?$" "id:1430,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" "id:1431,phase:1,deny,status:403,log,msg:'enforcement attack detected'" diff --git a/waf_patterns/apache/evaluation.conf b/waf_patterns/apache/evaluation.conf index 06a2e4c..f41c1b0 100644 --- a/waf_patterns/apache/evaluation.conf +++ b/waf_patterns/apache/evaluation.conf 
@@ -1,57 +1,57 @@ # Apache ModSecurity rules for EVALUATION SecRuleEngine On -SecRule REQUEST_URI "@ge 1" "id:1468,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1469,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1470,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1471,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1472,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1473,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1474,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1475,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1476,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1477,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1478,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1479,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1480,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1481,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1482,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1483,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1484,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1485,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" 
"id:1486,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1487,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1488,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1489,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1490,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1491,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1492,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1493,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1494,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1600,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1601,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1602,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1603,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1604,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1605,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1606,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1607,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1608,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 1" "id:1609,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" "id:1610,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 2" 
"id:1611,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1612,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 3" "id:1613,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1614,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge 4" "id:1615,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1616,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@eq 1" "id:1617,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1618,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1619,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1620,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1621,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1622,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1623,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1624,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1625,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1626,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1052,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1053,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1054,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" 
"id:1055,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1056,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1057,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1058,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1059,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1060,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1061,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1062,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1063,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1064,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1065,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1066,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1067,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1068,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1069,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1070,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1071,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1072,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1073,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 2" 
"id:1074,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1075,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1076,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1077,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1078,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1582,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1583,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1584,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1585,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1586,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1587,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1588,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1589,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1590,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 1" "id:1591,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1592,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 2" "id:1593,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1594,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 3" "id:1595,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" "id:1596,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge 4" 
"id:1597,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1598,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@eq 1" "id:1599,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1600,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1601,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1602,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1603,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1604,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1605,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1606,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1607,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1608,phase:1,deny,status:403,log,msg:'evaluation attack detected'" diff --git a/waf_patterns/apache/exceptions.conf b/waf_patterns/apache/exceptions.conf index 5976c2b..523c80e 100644 --- a/waf_patterns/apache/exceptions.conf +++ b/waf_patterns/apache/exceptions.conf 
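Review bot: The numeric operators in this file (`@ge`, `@lt`, `@eq`, ids 1052–1078 and 1582–1608) are evaluated against REQUEST_URI with `deny,status:403`, although thresholds such as `%{tx.inbound_anomaly_score_threshold}` only make sense against a score variable. As far as I know ModSecurity converts a non-numeric input to 0 for these operators, so `@lt 1` (ids 1071, 1072, 1601, 1602) would match practically every URI and reject the request in phase 1. The same pattern is visible in fixation.conf (`@lt 1` at ids 1534/1535, `@eq 0` at 1541, and the stand-alone `!@endsWith %{request_headers.host}` at 1539) and in the visible part of enforcement.conf (ids 1106, 1107, 1329, 1330). I would have the generator drop operators whose original variable is not a request field, leaving this file with its header and a comment such as `# no URI-matchable patterns in this category; score evaluation needs the rule set's TX variables`.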
@@ -1,8 +1,8 @@ # Apache ModSecurity rules for EXCEPTIONS SecRuleEngine On -SecRule REQUEST_URI "@streq GET /" "id:1030,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1031,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1032,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@endsWith (internal dummy connection)" "id:1033,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" "id:1034,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@streq GET /" "id:1609,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1610,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1611,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@endsWith (internal dummy connection)" "id:1612,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" "id:1613,phase:1,deny,status:403,log,msg:'exceptions attack detected'" diff --git a/waf_patterns/apache/fixation.conf b/waf_patterns/apache/fixation.conf index 14ac959..9aa0af3 100644 --- a/waf_patterns/apache/fixation.conf +++ b/waf_patterns/apache/fixation.conf 
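Review bot: These five patterns read like allowlist conditions (loopback address, `(internal dummy connection)`, a bare `GET /` request line), yet the new lines still emit them with `deny,status:403`, which is the opposite of an exception if that reading is right. As written they also cannot do what they describe: `@ipMatch 127.0.0.1,::1` (ids 1610, 1611) is evaluated against REQUEST_URI, which holds a path rather than an address, and `@streq GET /` (id 1609) expects a method that REQUEST_URI does not contain. I would leave the EXCEPTIONS category out of the generated deny rules and keep only the header with a comment such as `# EXCEPTIONS patterns are allowlist conditions and are not emitted as deny rules`.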
@@ -1,17 +1,17 @@ # Apache ModSecurity rules for FIXATION SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1430,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1431,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" "id:1432,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1433,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@rx ^(?:ht|f)tps?://(.*?)/" "id:1434,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "!@endsWith %{request_headers.host}" "id:1435,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1436,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@eq 0" "id:1437,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1438,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1439,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1440,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1441,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1442,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1443,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1534,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 1" 
"id:1535,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" "id:1536,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1537,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@rx ^(?:ht|f)tps?://(.*?)/" "id:1538,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "!@endsWith %{request_headers.host}" "id:1539,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1540,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@eq 0" "id:1541,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1542,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1543,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1544,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1545,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1546,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1547,phase:1,deny,status:403,log,msg:'fixation attack detected'" diff --git a/waf_patterns/apache/generic.conf b/waf_patterns/apache/generic.conf index d60f821..395c1d2 100644 --- a/waf_patterns/apache/generic.conf +++ b/waf_patterns/apache/generic.conf 
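Review bot: The rule ids are not stable across regenerations: every line in this hunk keeps its pattern and only moves from 1430–1443 to 1534–1547, while ids 1430 and 1431 are handed to unrelated enforcement.conf rules in the same commit, and evaluation.conf's old 1609–1613 now belong to exceptions.conf. Any `SecRuleRemoveById` exclusion or log search keyed on one of these ids will silently refer to a different rule after this update. The ids should be derived deterministically, for example from a fixed per-category base or from the source rule's own id, so that the first `@lt 1` rule here keeps `id:1430` and a regeneration without pattern changes produces no diff.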
@@ -1,21 +1,21 @@ # Apache ModSecurity rules for GENERIC SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1296,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1297,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])" "id:1298,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1299,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@pmFromFile ssrf.data" 
"id:1300,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" "id:1301,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx Process[sv]*.[sv]*spawn[sv]*(" "id:1302,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)" "id:1303,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" "id:1304,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1305,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1306,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx 
(?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" "id:1307,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx [s*constructors*]" "id:1308,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@rx @{.*}" "id:1309,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1310,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1311,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1312,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1313,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1145,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1146,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx 
_(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])" "id:1147,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1148,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@pmFromFile ssrf.data" "id:1149,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" "id:1150,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx Process[sv]*.[sv]*spawn[sv]*(" 
"id:1151,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)" "id:1152,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" "id:1153,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1154,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1155,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx 
(?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" "id:1156,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx [s*constructors*]" "id:1157,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@rx @{.*}" "id:1158,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1159,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1160,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1161,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1162,phase:1,deny,status:403,log,msg:'generic attack detected'" diff --git a/waf_patterns/apache/iis.conf b/waf_patterns/apache/iis.conf index c5d5d45..6ccb0a9 100644 --- a/waf_patterns/apache/iis.conf +++ b/waf_patterns/apache/iis.conf 
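Review bot: The `@rx` patterns on the new side (for example ids 1147, 1148 and 1152) appear to have lost their backslashes, assuming the file really contains them as shown and this is not a rendering artifact: `[sv]*` stands where `[\s\v]*` is expected, `beval` where `\beval`, and id 1148 ends in a bare `(` that leaves the group unbalanced. Id 1152 also carries raw `"` characters inside the double-quoted operator argument, so the directive would be split in the wrong place. A pattern that fails to compile stops the configuration from loading, and one that compiles matches different strings than the source rule did. The generator should write each pattern with its escapes intact and escape embedded quotes as `\"`, and the build should run `apachectl configtest` on the generated files. The fixation, java, lfi and php hunks show the same loss.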
@@ -1,16 +1,16 @@ # Apache ModSecurity rules for IIS SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1553,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1554,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@rx [a-z]:x5cinetpubb" "id:1555,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
    Timeout expired
    )|

    internal server error

    .*?

    part of the server has crashed or it has a configuration error.

    |cannot connect to the server: timed out)" "id:1556,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@pmFromFile iis-errors.data" "id:1557,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "!@rx ^404$" "id:1558,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@rx bServer Error in.{0,50}?bApplicationb" "id:1559,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1560,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1561,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1562,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1563,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1564,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1565,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1614,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1615,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@rx [a-z]:x5cinetpubb" "id:1616,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
    Timeout expired
    )|

    internal server error

    .*?

    part of the server has crashed or it has a configuration error.

    |cannot connect to the server: timed out)" "id:1617,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@pmFromFile iis-errors.data" "id:1618,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "!@rx ^404$" "id:1619,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@rx bServer Error in.{0,50}?bApplicationb" "id:1620,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1621,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1622,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1623,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1624,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1625,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1626,phase:1,deny,status:403,log,msg:'iis attack detected'" diff --git a/waf_patterns/apache/java.conf b/waf_patterns/apache/java.conf index 826bca1..337f6d1 100644 --- a/waf_patterns/apache/java.conf +++ b/waf_patterns/apache/java.conf 
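Review bot: Ids 1616–1620 test REQUEST_URI in phase 1 against what look like response-side signatures (IIS error text, `iis-errors.data`, a status-code check), so they never see the data they were written for. `!@rx ^404$` (id 1619) is the most damaging of them, because it matches every request whose URI is not literally `404` and denies it. I would either leave response rules out of this output or emit them against the response, e.g. `SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" "id:1618,phase:4,..."` together with `SecResponseBodyAccess On`. The leakages hunk and java ids 1434–1435 have the same problem.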
@@ -1,37 +1,37 @@ # Apache ModSecurity rules for JAVA SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1444,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1445,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx java.lang.(?:runtime|processbuilder)" "id:1446,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1447,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:unmarshaller|base64data|java.)" "id:1448,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1449,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1450,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@pmFromFile java-classes.data" "id:1451,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx .*.(?:jsp|jspx).*$" "id:1452,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1453,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1454,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1455,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1456,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx xacxedx00x05" "id:1457,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" 
"id:1458,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1459,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx javab.+(?:runtime|processbuilder)" "id:1460,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" "id:1461,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1462,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1463,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" "id:1464,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1465,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1466,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" "id:1467,phase:1,deny,status:403,log,msg:'java 
attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1531,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1532,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@pmFromFile java-code-leakages.data" "id:1533,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@pmFromFile java-errors.data" "id:1534,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1535,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1536,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1537,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1538,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1539,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1540,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1232,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1233,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx java.lang.(?:runtime|processbuilder)" "id:1234,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1235,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:unmarshaller|base64data|java.)" "id:1236,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1237,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1238,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI 
"@pmFromFile java-classes.data" "id:1239,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx .*.(?:jsp|jspx).*$" "id:1240,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1241,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1242,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1243,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1244,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx xacxedx00x05" "id:1245,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" "id:1246,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1247,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx javab.+(?:runtime|processbuilder)" "id:1248,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" "id:1249,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1250,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1251,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx 
(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" "id:1252,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1253,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1254,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" "id:1255,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1432,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1433,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@pmFromFile java-code-leakages.data" "id:1434,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@pmFromFile java-errors.data" "id:1435,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1436,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1437,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1438,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1439,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1440,phase:1,deny,status:403,log,msg:'java attack 
detected'" +SecRule REQUEST_URI "@lt 4" "id:1441,phase:1,deny,status:403,log,msg:'java attack detected'" diff --git a/waf_patterns/apache/leakages.conf b/waf_patterns/apache/leakages.conf index e1f48c4..5164375 100644 --- a/waf_patterns/apache/leakages.conf +++ b/waf_patterns/apache/leakages.conf @@ -1,14 +1,14 @@ # Apache ModSecurity rules for LEAKAGES SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1495,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1496,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
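Review bot: The only change to java.conf is a renumbering, and the new ids 1432–1441 at the end of the hunk are the numbers fixation.conf used for different rules before this commit. Ids that move between rules on each regeneration break `SecRuleRemoveById` exclusions and make audit-log entries from before and after the change hard to correlate. I would derive each id from a stable key, for instance the upstream rule id plus a fixed offset per output file, and state that in a header comment such as `# rule ids are stable across regenerations; do not renumber`. Deployments that carry exclusions for the old numbers would need them remapped along with this commit.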
    )" "id:1497,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@rx ^#!s?/" "id:1498,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1499,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1500,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@rx ^5d{2}$" "id:1501,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1502,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1503,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1504,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1505,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1178,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1179,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
    )" "id:1180,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@rx ^#!s?/" "id:1181,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1182,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1183,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@rx ^5d{2}$" "id:1184,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1185,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1186,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1187,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1188,phase:1,deny,status:403,log,msg:'leakages attack detected'" diff --git a/waf_patterns/apache/lfi.conf b/waf_patterns/apache/lfi.conf index 62f5db7..b703ec3 100644 --- a/waf_patterns/apache/lfi.conf +++ b/waf_patterns/apache/lfi.conf 
@@ -1,16 +1,16 @@ # Apache ModSecurity rules for LFI SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1187,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1188,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" "id:1189,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" "id:1190,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1191,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@pmFromFile restricted-files.data" "id:1192,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1193,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1194,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1195,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1196,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1197,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1198,phase:1,deny,status:403,log,msg:'lfi attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1199,phase:1,deny,status:403,log,msg:'lfi attack 
detected'" +SecRule REQUEST_URI "@lt 1" "id:1030,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1031,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" "id:1032,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" "id:1033,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1034,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@pmFromFile restricted-files.data" "id:1035,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1036,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1037,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1038,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1039,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1040,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1041,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1042,phase:1,deny,status:403,log,msg:'lfi attack detected'" 
diff --git a/waf_patterns/apache/php.conf b/waf_patterns/apache/php.conf
index 941dee9..27bad38 100644
--- a/waf_patterns/apache/php.conf
+++ b/waf_patterns/apache/php.conf
@@ -1,42 +1,42 @@ # Apache ModSecurity rules for PHP SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1269,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1270,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@rx (?:" "id:1292,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" "id:1293,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1294,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1295,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1541,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1542,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@pmFromFile php-errors.data" "id:1543,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" "id:1544,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@rx (?i)" "id:1102,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" 
"id:1103,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1104,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1105,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1468,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1469,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@pmFromFile php-errors.data" "id:1470,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" "id:1471,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@rx (?i)](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5
c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z]["'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b" "id:1217,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx 
(?i)(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:ill
(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:ame|(?:c
ompress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" "id:1218,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@pmFromFile windows-powershell-commands.data" "id:1219,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ "'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:(?:a["^]*(?:c|s["^]*n["^]*p)|e["^]*(?:b["^]*p|p["^]*(?:a["^]*l|c["^]*s["^]*v|s["^]*n)|[tx]["^]*s["^]*n)|f["^]*(?:[cltw]|o["^]*r["^]*e["^]*a["^]*c["^]*h)|i["^]*(?:[cr]["^]*m|e["^]*x|h["^]*y|i|p["^]*(?:a["^]*l|c["^]*s["^]*v|m["^]*o|s["^]*n)|s["^]*e|w["^]*(?:m["^]*i|r))|m["^]*(?:a["^]*n|[dipv]|o["^]*u["^]*n["^]*t)|o["^]*g["^]*v|p["^]*(?:o["^]*p|u["^]*s["^]*h)["^]*d|t["^]*r["^]*c["^]*m|w["^]*j["^]*b)["^]*[sv,.-/;-<>].*|c["^]*(?:(?:(?:d|h["^]*d["^]*i["^]*r|v["^]*p["^]*a)["^]*|p["^]*(?:[ip]["^]*)?)[sv,.-/;-<>].*|l["^]*(?:(?:[cipv]|h["^]*y)["^]*[sv,.-/;-<>].*|s)|n["^]*s["^]*n)|d["^]*(?:(?:b["^]*p|e["^]*l|i["^]*(?:f["^]*f|r))["^]*[sv,.-/;-<>].*|n["^]*s["^]*n)|g["^]*(?:(?:(?:(?:a["^]*)?l|b["^]*p|d["^]*r|h["^]*y|(?:w["^]*m["^]*)?i|j["^]*b|[u-v])["^]*|c["^]*(?:[ims]["^]*)?|m["^]*(?:o["^]*)?|s["^]*(?:n["^]*(?:p["^]*)?|v["^]*))[sv,.-/;-<>].*|e["^]*r["^]*r|p["^]*(?:(?:s["^]*)?[sv,.-/;-<>].*|v))|l["^]*s|n["^]*(?:(?:a["^]*l|d["^]*r|[iv]|m["^]*o|s["^]*n)["^]*[sv,.-/;-<>].*|p["^]*s["^]*s["^]*c)|r["^]*(?:(?:(?:(?:b["^]*)?p|e["^]*n|(?:w["^]*m[
"^]*)?i|j["^]*b|n["^]*[ip])["^]*|d["^]*(?:r["^]*)?|m["^]*(?:(?:d["^]*i["^]*r|o)["^]*)?|s["^]*n["^]*(?:p["^]*)?|v["^]*(?:p["^]*a["^]*)?)[sv,.-/;-<>].*|c["^]*(?:j["^]*b["^]*[sv,.-/;-<>].*|s["^]*n)|u["^]*j["^]*b)|s["^]*(?:(?:(?:a["^]*(?:j["^]*b|l|p["^]*s|s["^]*v)|b["^]*p|[civ]|w["^]*m["^]*i)["^]*|l["^]*(?:s["^]*)?|p["^]*(?:(?:j["^]*b|p["^]*s|s["^]*v)["^]*)?)[sv,.-/;-<>].*|h["^]*c["^]*m|u["^]*j["^]*b))(?:.["^]*[0-9A-Z_a-z]+)?b" "id:1220,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1221,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" "id:1222,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')
[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" "id:1223,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx 
(?i)(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" "id:1224,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1225,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx !-d" "id:1226,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@pmFromFile unix-shell.data" 
"id:1227,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1228,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1229,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ba["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv]" "id:1230,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@pmFromFile restricted-upload.data" "id:1231,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:t["^]*i["^]*m["^]*e|[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ "'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:a["^]*(?:c["^]*c["^]*c["^]*h["^]*e["^]*c["^]*k["^]*c["^]*o["^]*n["^]*s["^]*o["^]*l["^]*e|d["^]*(?:p["^]*l["^]*u["^]*s|v["^]*p["^]*a["^]*c["^]*k)|(?:g["^]*e["^]*n["^]*t["^]*e["^]*x["^]*e["^]*c["^]*u["^]*t["^]*o|s["^]*p["^]*n["^]*e["^]*t["^]*_["^]*c["^]*o["^]*m["^]*p["^]*i["^]*l["^]*e)["^]*r|p["^]*p["^]*(?:i["^]*n["^]*s["^]*t["^]*a["^]*l["^]*l["^]*e["^]*r|v["^]*l["^]*p)|t["^]*(?:[sv,.-/;-<>].*|b["^]*r["^]*o["^]*k["^]*e["^]*r))|b["^]*(?:a["^]*s["^]*h|g["^]*i["^]*n["^]*f["^]*o|i["^]*t["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|c["^]*(?:d["^]*b|e["^]*r["^]*t["^]*(?:o["^]*c|r["^]*e["^]*q|u["^]*t["^]*i["^]*l)|l["^]*_["^]*(?:i["^]*n["^]*v["^]*o["^]*c["^]*a["^]*t["^]*i["^]*o["^]*n|l["^]*o["^]*a["^]*d["^]*a["^]*s["^]*s["^]*e["^]*m["^]*b["^]*l["^]*y|m["^]*u["^]*t["^]*e["^]*x["^]*v["^]*e["^]*r["^]*i["^]*f["^]*i["^]*e["^]*r["^]*s)|m["^]*(?:d(?:["^]*(?:k["^]*e["^]*y|l["^]*3["^]*2))?|s["^]*t["^]*p)|o["^]*(?:m["^]*s["^]*v["^]*c["^]*s|n["^]*(?:f["^]*i["^]*g["^]*s["^]*e["^]*c["^]*u["^]*r["^]*i["^]*t["^]*y["^]*p["^]*o["^]*l["^]*i["^]*c["^]*y|h["^]*o["^]*s["^]*t|t["^]*r["^]*o["^]*l)|r[
"^]*e["^]*g["^]*e["^]*n)|r["^]*e["^]*a["^]*t["^]*e["^]*d["^]*u["^]*m["^]*p|s["^]*(?:c(?:["^]*r["^]*i["^]*p["^]*t)?|i)|u["^]*s["^]*t["^]*o["^]*m["^]*s["^]*h["^]*e["^]*l["^]*l["^]*h["^]*o["^]*s["^]*t)|d["^]*(?:a["^]*t["^]*a["^]*s["^]*v["^]*c["^]*u["^]*t["^]*i["^]*l|e["^]*(?:f["^]*a["^]*u["^]*l["^]*t["^]*p["^]*a["^]*c["^]*k|s["^]*k(?:["^]*t["^]*o["^]*p["^]*i["^]*m["^]*g["^]*d["^]*o["^]*w["^]*n["^]*l["^]*d["^]*r)?|v["^]*(?:i["^]*c["^]*e["^]*c["^]*r["^]*e["^]*d["^]*e["^]*n["^]*t["^]*i["^]*a["^]*l["^]*d["^]*e["^]*p["^]*l["^]*o["^]*y["^]*m["^]*e["^]*n["^]*t|t["^]*o["^]*o["^]*l["^]*s["^]*l["^]*a["^]*u["^]*n["^]*c["^]*h["^]*e["^]*r))|f["^]*s["^]*(?:h["^]*i["^]*m|v["^]*c)|i["^]*(?:a["^]*n["^]*t["^]*z|s["^]*k["^]*s["^]*h["^]*a["^]*d["^]*o["^]*w)|n["^]*(?:s["^]*c["^]*m["^]*d|x)|o["^]*t["^]*n["^]*e["^]*t|u["^]*m["^]*p["^]*6["^]*4|x["^]*c["^]*a["^]*p)|e["^]*(?:s["^]*e["^]*n["^]*t["^]*u["^]*t["^]*l|v["^]*e["^]*n["^]*t["^]*v["^]*w["^]*r|x["^]*(?:c["^]*e["^]*l|p["^]*(?:a["^]*n["^]*d|l["^]*o["^]*r["^]*e["^]*r)|t["^]*(?:e["^]*x["^]*p["^]*o["^]*r["^]*t|r["^]*a["^]*c["^]*3["^]*2)))|f["^]*(?:i["^]*n["^]*(?:d["^]*s["^]*t|g["^]*e)["^]*r|l["^]*t["^]*m["^]*c|o["^]*r["^]*f["^]*i["^]*l["^]*e["^]*s|s["^]*(?:i(?:["^]*a["^]*n["^]*y["^]*c["^]*p["^]*u)?|u["^]*t["^]*i["^]*l)|t["^]*p)|g["^]*(?:f["^]*x["^]*d["^]*o["^]*w["^]*n["^]*l["^]*o["^]*a["^]*d["^]*w["^]*r["^]*a["^]*p["^]*p["^]*e["^]*r|p["^]*s["^]*c["^]*r["^]*i["^]*p["^]*t)|h["^]*h|i["^]*(?:e["^]*(?:4["^]*u["^]*i["^]*n["^]*i["^]*t|a["^]*d["^]*v["^]*p["^]*a["^]*c["^]*k|e["^]*x["^]*e["^]*c|f["^]*r["^]*a["^]*m["^]*e)|l["^]*a["^]*s["^]*m|m["^]*e["^]*w["^]*d["^]*b["^]*l["^]*d|n["^]*(?:f["^]*d["^]*e["^]*f["^]*a["^]*u["^]*l["^]*t["^]*i["^]*n["^]*s["^]*t["^]*a["^]*l|s["^]*t["^]*a["^]*l["^]*l["^]*u["^]*t["^]*i)["^]*l)|j["^]*s["^]*c|l["^]*(?:a["^]*u["^]*n["^]*c["^]*h["^]*-["^]*v["^]*s["^]*d["^]*e["^]*v["^]*s["^]*h["^]*e["^]*l["^]*l|d["^]*i["^]*f["^]*d["^]*e)|m["^]*(?:a["^]*(?:k["^]*e["^]*c["^]*a["^]*b|n["^]*a["^]*g["^]*e["^]*-["^]*b["^]*d["^]*e|v["^]*i["^]
*n["^]*j["^]*e["^]*c["^]*t)|f["^]*t["^]*r["^]*a["^]*c["^]*e|i["^]*c["^]*r["^]*o["^]*s["^]*o["^]*f["^]*t|m["^]*c|p["^]*c["^]*m["^]*d["^]*r["^]*u["^]*n|s["^]*(?:(?:b["^]*u["^]*i["^]*l|o["^]*h["^]*t["^]*m["^]*e)["^]*d|c["^]*o["^]*n["^]*f["^]*i["^]*g|d["^]*(?:e["^]*p["^]*l["^]*o["^]*y|t)|h["^]*t["^]*(?:a|m["^]*l)|i["^]*e["^]*x["^]*e["^]*c|p["^]*u["^]*b|x["^]*s["^]*l))|n["^]*(?:e["^]*t["^]*s["^]*h|t["^]*d["^]*s["^]*u["^]*t["^]*i["^]*l)|o["^]*(?:d["^]*b["^]*c["^]*c["^]*o["^]*n["^]*f|f["^]*f["^]*l["^]*i["^]*n["^]*e["^]*s["^]*c["^]*a["^]*n["^]*n["^]*e["^]*r["^]*s["^]*h["^]*e["^]*l["^]*l|n["^]*e["^]*d["^]*r["^]*i["^]*v["^]*e["^]*s["^]*t["^]*a["^]*n["^]*d["^]*a["^]*l["^]*o["^]*n["^]*e["^]*u["^]*p["^]*d["^]*a["^]*t["^]*e["^]*r|p["^]*e["^]*n["^]*c["^]*o["^]*n["^]*s["^]*o["^]*l["^]*e)|p["^]*(?:c["^]*(?:a["^]*l["^]*u["^]*a|w["^]*(?:r["^]*u["^]*n|u["^]*t["^]*l))|(?:e["^]*s["^]*t["^]*e|s)["^]*r|(?:k["^]*t["^]*m["^]*o|u["^]*b["^]*p["^]*r)["^]*n|n["^]*p["^]*u["^]*t["^]*i["^]*l|o["^]*w["^]*e["^]*r["^]*p["^]*n["^]*t|r["^]*(?:e["^]*s["^]*e["^]*n["^]*t["^]*a["^]*t["^]*i["^]*o["^]*n["^]*h["^]*o["^]*s["^]*t|i["^]*n["^]*t(?:["^]*b["^]*r["^]*m)?|o["^]*(?:c["^]*d["^]*u["^]*m["^]*p|t["^]*o["^]*c["^]*o["^]*l["^]*h["^]*a["^]*n["^]*d["^]*l["^]*e["^]*r)))|r["^]*(?:a["^]*s["^]*a["^]*u["^]*t["^]*o["^]*u|c["^]*s["^]*i|(?:d["^]*r["^]*l["^]*e["^]*a["^]*k["^]*d["^]*i["^]*a|p["^]*c["^]*p["^]*i["^]*n)["^]*g|e["^]*(?:g(?:["^]*(?:a["^]*s["^]*m|e["^]*d["^]*i["^]*t|i["^]*(?:n["^]*i|s["^]*t["^]*e["^]*r["^]*-["^]*c["^]*i["^]*m["^]*p["^]*r["^]*o["^]*v["^]*i["^]*d["^]*e["^]*r)|s["^]*v["^]*(?:c["^]*s|r["^]*3["^]*2)))?|(?:m["^]*o["^]*t|p["^]*l["^]*a["^]*c)["^]*e)|u["^]*n["^]*(?:d["^]*l["^]*l["^]*3["^]*2|(?:e["^]*x["^]*e|s["^]*c["^]*r["^]*i["^]*p["^]*t)["^]*h["^]*e["^]*l["^]*p["^]*e["^]*r|o["^]*n["^]*c["^]*e))|s["^]*(?:c["^]*(?:[sv,.-/;-<>].*|h["^]*t["^]*a["^]*s["^]*k["^]*s|r["^]*i["^]*p["^]*t["^]*r["^]*u["^]*n["^]*n["^]*e["^]*r)|e["^]*t["^]*(?:r["^]*e["^]*s|t["^]*i["^]*n["^]*g["^]*s["^]*y["^]*n["^]*c["^]*h["^]*o["^
]*s["^]*t|u["^]*p["^]*a["^]*p["^]*i)|h["^]*(?:d["^]*o["^]*c["^]*v["^]*w|e["^]*l["^]*l["^]*3["^]*2)|q["^]*(?:l["^]*(?:d["^]*u["^]*m["^]*p["^]*e["^]*r|(?:t["^]*o["^]*o["^]*l["^]*s["^]*)?p["^]*s)|u["^]*i["^]*r["^]*r["^]*e["^]*l)|s["^]*h|t["^]*o["^]*r["^]*d["^]*i["^]*a["^]*g|y["^]*(?:n["^]*c["^]*a["^]*p["^]*p["^]*v["^]*p["^]*u["^]*b["^]*l["^]*i["^]*s["^]*h["^]*i["^]*n["^]*g["^]*s["^]*e["^]*r["^]*v["^]*e["^]*r|s["^]*s["^]*e["^]*t["^]*u["^]*p))|t["^]*(?:e["^]*[sv,.-/;-<>].*|r["^]*a["^]*c["^]*k["^]*e["^]*r|t["^]*(?:d["^]*i["^]*n["^]*j["^]*e["^]*c["^]*t|t["^]*r["^]*a["^]*c["^]*e["^]*r))|u["^]*(?:n["^]*r["^]*e["^]*g["^]*m["^]*p["^]*2|p["^]*d["^]*a["^]*t["^]*e|r["^]*l|t["^]*i["^]*l["^]*i["^]*t["^]*y["^]*f["^]*u["^]*n["^]*c["^]*t["^]*i["^]*o["^]*n["^]*s)|v["^]*(?:b["^]*c|e["^]*r["^]*c["^]*l["^]*s["^]*i["^]*d|i["^]*s["^]*u["^]*a["^]*l["^]*u["^]*i["^]*a["^]*v["^]*e["^]*r["^]*i["^]*f["^]*y["^]*n["^]*a["^]*t["^]*i["^]*v["^]*e|s["^]*(?:i["^]*i["^]*s["^]*e["^]*x["^]*e["^]*l["^]*a["^]*u["^]*n["^]*c["^]*h|j["^]*i["^]*t["^]*d["^]*e["^]*b["^]*u["^]*g["^]*g)["^]*e["^]*r)|w["^]*(?:a["^]*b|(?:f|m["^]*i)["^]*c|i["^]*n["^]*(?:g["^]*e["^]*t|r["^]*m|w["^]*o["^]*r["^]*d)|l["^]*r["^]*m["^]*d["^]*r|o["^]*r["^]*k["^]*f["^]*o["^]*l["^]*d["^]*e["^]*r["^]*s|s["^]*(?:(?:c["^]*r["^]*i["^]*p|r["^]*e["^]*s["^]*e)["^]*t|l)|t["^]*[sv,.-/;-<>].*|u["^]*a["^]*u["^]*c["^]*l["^]*t)|x["^]*w["^]*i["^]*z["^]*a["^]*r["^]*d|z["^]*i["^]*p["^]*f["^]*l["^]*d["^]*r)(?:.["^]*[0-9A-Z_a-z]+)?b" "id:1232,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:t["^]*i["^]*m["^]*e|[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ 
"'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:a["^]*(?:s["^]*s["^]*o["^]*c|t["^]*(?:m["^]*a["^]*d["^]*m|t["^]*r["^]*i["^]*b)|u["^]*(?:d["^]*i["^]*t["^]*p["^]*o["^]*l|t["^]*o["^]*(?:c["^]*(?:h["^]*k|o["^]*n["^]*v)|(?:f["^]*m|m["^]*o["^]*u["^]*n)["^]*t)))|b["^]*(?:c["^]*d["^]*(?:b["^]*o["^]*o|e["^]*d["^]*i)["^]*t|(?:d["^]*e["^]*h["^]*d|o["^]*o["^]*t)["^]*c["^]*f["^]*g|i["^]*t["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|c["^]*(?:a["^]*c["^]*l["^]*s|e["^]*r["^]*t["^]*(?:r["^]*e["^]*q|u["^]*t["^]*i["^]*l)|h["^]*(?:c["^]*p|d["^]*i["^]*r|g["^]*(?:l["^]*o["^]*g["^]*o["^]*n|p["^]*o["^]*r["^]*t|u["^]*s["^]*r)|k["^]*(?:d["^]*s["^]*k|n["^]*t["^]*f["^]*s))|l["^]*e["^]*a["^]*n["^]*m["^]*g["^]*r|m["^]*(?:d(?:["^]*k["^]*e["^]*y)?|s["^]*t["^]*p)|s["^]*c["^]*r["^]*i["^]*p["^]*t)|d["^]*(?:c["^]*(?:d["^]*i["^]*a["^]*g|g["^]*p["^]*o["^]*f["^]*i["^]*x)|e["^]*(?:f["^]*r["^]*a["^]*g|l)|f["^]*s["^]*(?:d["^]*i["^]*a|r["^]*m["^]*i)["^]*g|i["^]*(?:a["^]*n["^]*t["^]*z|r|s["^]*(?:k["^]*(?:c["^]*o["^]*(?:m["^]*p|p["^]*y)|p["^]*(?:a["^]*r["^]*t|e["^]*r["^]*f)|r["^]*a["^]*i["^]*d|s["^]*h["^]*a["^]*d["^]*o["^]*w)|p["^]*d["^]*i["^]*a["^]*g))|n["^]*s["^]*c["^]*m["^]*d|(?:o["^]*s["^]*k["^]*e|r["^]*i["^]*v["^]*e["^]*r["^]*q["^]*u["^]*e["^]*r)["^]*y)|e["^]*(?:n["^]*d["^]*l["^]*o["^]*c["^]*a["^]*l|v["^]*e["^]*n["^]*t["^]*c["^]*r["^]*e["^]*a["^]*t["^]*e)|E["^]*v["^]*n["^]*t["^]*c["^]*m["^]*d|f["^]*(?:c|i["^]*(?:l["^]*e["^]*s["^]*y["^]*s["^]*t["^]*e["^]*m["^]*s|n["^]*d["^]*s["^]*t["^]*r)|l["^]*a["^]*t["^]*t["^]*e["^]*m["^]*p|o["^]*r(?:["^]*f["^]*i["^]*l["^]*e["^]*s)?|r["^]*e["^]*e["^]*d["^]*i["^]*s["^]*k|s["^]*u["^]*t["^]*i["^]*l|(?:t["^]*y["^]*p|v["^]*e["^]*u["^]*p["^]*d["^]*a["^]*t)["^]*e)|g["^]*(?:e["^]*t["^]*(?:m["^]*a["^]*c|t["^]*y["^]*p["^]*e)|o["^]*t["^]*o|p["^]*(?:f["^]*i["^]*x["^]*u["^]*p|(?:r["^]*e["^]*s["^]*u["^]*l["^]*)?t|u["^]*p["^]*d["^]*a["^]*t["^]*e)|r["^]*a["^]*f["^]*t["^]*a["^]*b["^]*l)|h["^]*(?:e["^]*l["^]*p["^]*c["^]*t["^]*r|o["^]*s["^]*t["^]*n["^]*a["^]*m["^]*e)|i["^]*(?:c["^]*a["^]*c["^]*l["^]*s|f|p["^]*(
?:c["^]*o["^]*n["^]*f["^]*i["^]*g|x["^]*r["^]*o["^]*u["^]*t["^]*e)|r["^]*f["^]*t["^]*p)|j["^]*e["^]*t["^]*p["^]*a["^]*c["^]*k|k["^]*(?:l["^]*i["^]*s["^]*t|s["^]*e["^]*t["^]*u["^]*p|t["^]*(?:m["^]*u["^]*t["^]*i["^]*l|p["^]*a["^]*s["^]*s))|l["^]*(?:o["^]*(?:d["^]*c["^]*t["^]*r|g["^]*(?:m["^]*a["^]*n|o["^]*f["^]*f))|p["^]*[q-r])|m["^]*(?:a["^]*(?:c["^]*f["^]*i["^]*l["^]*e|k["^]*e["^]*c["^]*a["^]*b|p["^]*a["^]*d["^]*m["^]*i["^]*n)|k["^]*(?:d["^]*i["^]*r|l["^]*i["^]*n["^]*k)|m["^]*c|o["^]*u["^]*n["^]*t["^]*v["^]*o["^]*l|q["^]*(?:b["^]*k["^]*u["^]*p|(?:t["^]*g["^]*)?s["^]*v["^]*c)|s["^]*(?:d["^]*t|i["^]*(?:e["^]*x["^]*e["^]*c|n["^]*f["^]*o["^]*3["^]*2)|t["^]*s["^]*c))|n["^]*(?:b["^]*t["^]*s["^]*t["^]*a["^]*t|e["^]*t["^]*(?:c["^]*f["^]*g|d["^]*o["^]*m|s["^]*(?:h|t["^]*a["^]*t))|f["^]*s["^]*(?:a["^]*d["^]*m["^]*i["^]*n|s["^]*(?:h["^]*a["^]*r["^]*e|t["^]*a["^]*t))|l["^]*(?:b["^]*m["^]*g["^]*r|t["^]*e["^]*s["^]*t)|s["^]*l["^]*o["^]*o["^]*k["^]*u["^]*p|t["^]*(?:b["^]*a["^]*c["^]*k["^]*u["^]*p|c["^]*m["^]*d["^]*p["^]*r["^]*o["^]*m["^]*p["^]*t|f["^]*r["^]*s["^]*u["^]*t["^]*l))|o["^]*(?:f["^]*f["^]*l["^]*i["^]*n["^]*e|p["^]*e["^]*n["^]*f["^]*i["^]*l["^]*e["^]*s)|p["^]*(?:a["^]*(?:g["^]*e["^]*f["^]*i["^]*l["^]*e["^]*c["^]*o["^]*n["^]*f["^]*i|t["^]*h["^]*p["^]*i["^]*n)["^]*g|(?:b["^]*a["^]*d["^]*m["^]*i|k["^]*t["^]*m["^]*o)["^]*n|e["^]*(?:n["^]*t["^]*n["^]*t|r["^]*f["^]*m["^]*o["^]*n)|n["^]*p["^]*u["^]*(?:n["^]*a["^]*t["^]*t["^]*e["^]*n["^]*d|t["^]*i["^]*l)|o["^]*(?:p["^]*d|w["^]*e["^]*r["^]*s["^]*h["^]*e["^]*l["^]*l)|r["^]*n["^]*(?:c["^]*n["^]*f["^]*g|(?:d["^]*r["^]*v|m["^]*n["^]*g)["^]*r|j["^]*o["^]*b["^]*s|p["^]*o["^]*r["^]*t|q["^]*c["^]*t["^]*l)|u["^]*(?:b["^]*p["^]*r["^]*n|s["^]*h["^]*(?:d|p["^]*r["^]*i["^]*n["^]*t["^]*e["^]*r["^]*c["^]*o["^]*n["^]*n["^]*e["^]*c["^]*t["^]*i["^]*o["^]*n["^]*s))|w["^]*(?:l["^]*a["^]*u["^]*n["^]*c["^]*h["^]*e["^]*r|s["^]*h))|q["^]*(?:a["^]*p["^]*p["^]*s["^]*r["^]*v|p["^]*r["^]*o["^]*c["^]*e["^]*s["^]*s|u["^]*s["^]*e["^]*r|w["^]*i["^]*n["^]*s["^]*
t["^]*a)|r["^]*(?:d(?:["^]*p["^]*s["^]*i["^]*g["^]*n)?|e["^]*(?:f["^]*s["^]*u["^]*t["^]*i["^]*l|g(?:["^]*(?:i["^]*n["^]*i|s["^]*v["^]*r["^]*3["^]*2))?|l["^]*o["^]*g|(?:(?:p["^]*a["^]*d["^]*m["^]*i|s["^]*c["^]*a)["^]*)?n|x["^]*e["^]*c)|i["^]*s["^]*e["^]*t["^]*u["^]*p|m["^]*d["^]*i["^]*r|o["^]*b["^]*o["^]*c["^]*o["^]*p["^]*y|p["^]*c["^]*(?:i["^]*n["^]*f["^]*o|p["^]*i["^]*n["^]*g)|s["^]*h|u["^]*n["^]*d["^]*l["^]*l["^]*3["^]*2|w["^]*i["^]*n["^]*s["^]*t["^]*a)|s["^]*(?:a["^]*n|c["^]*(?:h["^]*t["^]*a["^]*s["^]*k["^]*s|w["^]*c["^]*m["^]*d)|e["^]*(?:c["^]*e["^]*d["^]*i["^]*t|r["^]*v["^]*e["^]*r["^]*(?:(?:c["^]*e["^]*i["^]*p|w["^]*e["^]*r)["^]*o["^]*p["^]*t["^]*i["^]*n|m["^]*a["^]*n["^]*a["^]*g["^]*e["^]*r["^]*c["^]*m["^]*d)|t["^]*x)|f["^]*c|(?:h["^]*o["^]*w["^]*m["^]*o["^]*u["^]*n|u["^]*b["^]*s)["^]*t|x["^]*s["^]*t["^]*r["^]*a["^]*c["^]*e|y["^]*s["^]*(?:o["^]*c["^]*m["^]*g["^]*r|t["^]*e["^]*m["^]*i["^]*n["^]*f["^]*o))|t["^]*(?:a["^]*(?:k["^]*e["^]*o["^]*w["^]*n|p["^]*i["^]*c["^]*f["^]*g|s["^]*k["^]*(?:k["^]*i["^]*l["^]*l|l["^]*i["^]*s["^]*t))|(?:c["^]*m["^]*s["^]*e["^]*t["^]*u|f["^]*t)["^]*p|(?:(?:e["^]*l["^]*n["^]*e|i["^]*m["^]*e["^]*o["^]*u)["^]*|r["^]*a["^]*c["^]*e["^]*r["^]*(?:p["^]*)?)t|l["^]*n["^]*t["^]*a["^]*d["^]*m["^]*n|p["^]*m["^]*(?:t["^]*o["^]*o["^]*l|v["^]*s["^]*c["^]*m["^]*g["^]*r)|s["^]*(?:(?:d["^]*i["^]*s["^]*)?c["^]*o["^]*n|e["^]*c["^]*i["^]*m["^]*p|k["^]*i["^]*l["^]*l|p["^]*r["^]*o["^]*f)|y["^]*p["^]*e["^]*p["^]*e["^]*r["^]*f|z["^]*u["^]*t["^]*i["^]*l)|u["^]*n["^]*(?:e["^]*x["^]*p["^]*o["^]*s["^]*e|i["^]*q["^]*u["^]*e["^]*i["^]*d|l["^]*o["^]*d["^]*c["^]*t["^]*r)|v["^]*(?:o["^]*l|s["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|w["^]*(?:a["^]*i["^]*t["^]*f["^]*o["^]*r|b["^]*a["^]*d["^]*m["^]*i["^]*n|(?:d["^]*s|e["^]*(?:c|v["^]*t))["^]*u["^]*t["^]*i["^]*l|h["^]*(?:e["^]*r["^]*e|o["^]*a["^]*m["^]*i)|i["^]*n["^]*(?:n["^]*t(?:["^]*3["^]*2)?|r["^]*s)|m["^]*i["^]*c|s["^]*c["^]*r["^]*i["^]*p["^]*t)|x["^]*c["^]*o["^]*p["^]*y)(?:.["^]*[0-9A-Z_a-z]+)?b" 
"id:1233,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1234,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1235,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*.[sv].*b" "id:1236,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" "id:1237,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" "id:1238,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx /" "id:1239,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx s" "id:1240,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" "id:1241,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx /" "id:1242,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx s" "id:1243,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" "id:1244,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx /" "id:1245,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx s" "id:1246,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx 
(?i).|(?:[sv]*|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g["')[-x5c]*(?:(?:(?:|||&&
)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|
w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?h))" "id:1247,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)[-0-9_a-z]+(?:["'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" "id:1248,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1249,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx ;[sv]*.[sv]*["']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" "id:1250,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" "id:1251,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:["-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:["-#*.-9A-Z_a-z~]+)? (?:["%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:["%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:["%-&*--9A-Zx5c_a-z]+)? 
((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:["%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:["%-&*--9A-Zx5c_a-z]+)?)" "id:1252,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" "id:1253,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|
pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|
a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|
c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" "id:1254,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|q
n|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(
?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" "id:1255,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1256,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 3" 
"id:1257,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1258,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?o|[sv&),<>|].*))b" "id:1259,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)
|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite
3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" "id:1260,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx 
(?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w["')[-x5c]*
(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" "id:1261,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" "id:1262,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" "id:1263,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? 
(?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" "id:1264,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" "id:1265,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@rx !(?:d|!)" "id:1266,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1267,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1268,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1480,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1481,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x
5c?h)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z]["'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b" "id:1482,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx 
(?i)(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:ill
(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:ame|(?:c
ompress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" "id:1483,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@pmFromFile windows-powershell-commands.data" "id:1484,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ "'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:(?:a["^]*(?:c|s["^]*n["^]*p)|e["^]*(?:b["^]*p|p["^]*(?:a["^]*l|c["^]*s["^]*v|s["^]*n)|[tx]["^]*s["^]*n)|f["^]*(?:[cltw]|o["^]*r["^]*e["^]*a["^]*c["^]*h)|i["^]*(?:[cr]["^]*m|e["^]*x|h["^]*y|i|p["^]*(?:a["^]*l|c["^]*s["^]*v|m["^]*o|s["^]*n)|s["^]*e|w["^]*(?:m["^]*i|r))|m["^]*(?:a["^]*n|[dipv]|o["^]*u["^]*n["^]*t)|o["^]*g["^]*v|p["^]*(?:o["^]*p|u["^]*s["^]*h)["^]*d|t["^]*r["^]*c["^]*m|w["^]*j["^]*b)["^]*[sv,.-/;-<>].*|c["^]*(?:(?:(?:d|h["^]*d["^]*i["^]*r|v["^]*p["^]*a)["^]*|p["^]*(?:[ip]["^]*)?)[sv,.-/;-<>].*|l["^]*(?:(?:[cipv]|h["^]*y)["^]*[sv,.-/;-<>].*|s)|n["^]*s["^]*n)|d["^]*(?:(?:b["^]*p|e["^]*l|i["^]*(?:f["^]*f|r))["^]*[sv,.-/;-<>].*|n["^]*s["^]*n)|g["^]*(?:(?:(?:(?:a["^]*)?l|b["^]*p|d["^]*r|h["^]*y|(?:w["^]*m["^]*)?i|j["^]*b|[u-v])["^]*|c["^]*(?:[ims]["^]*)?|m["^]*(?:o["^]*)?|s["^]*(?:n["^]*(?:p["^]*)?|v["^]*))[sv,.-/;-<>].*|e["^]*r["^]*r|p["^]*(?:(?:s["^]*)?[sv,.-/;-<>].*|v))|l["^]*s|n["^]*(?:(?:a["^]*l|d["^]*r|[iv]|m["^]*o|s["^]*n)["^]*[sv,.-/;-<>].*|p["^]*s["^]*s["^]*c)|r["^]*(?:(?:(?:(?:b["^]*)?p|e["^]*n|(?:w["^]*m[
"^]*)?i|j["^]*b|n["^]*[ip])["^]*|d["^]*(?:r["^]*)?|m["^]*(?:(?:d["^]*i["^]*r|o)["^]*)?|s["^]*n["^]*(?:p["^]*)?|v["^]*(?:p["^]*a["^]*)?)[sv,.-/;-<>].*|c["^]*(?:j["^]*b["^]*[sv,.-/;-<>].*|s["^]*n)|u["^]*j["^]*b)|s["^]*(?:(?:(?:a["^]*(?:j["^]*b|l|p["^]*s|s["^]*v)|b["^]*p|[civ]|w["^]*m["^]*i)["^]*|l["^]*(?:s["^]*)?|p["^]*(?:(?:j["^]*b|p["^]*s|s["^]*v)["^]*)?)[sv,.-/;-<>].*|h["^]*c["^]*m|u["^]*j["^]*b))(?:.["^]*[0-9A-Z_a-z]+)?b" "id:1485,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1486,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" "id:1487,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')
[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" "id:1488,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx 
(?i)(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" "id:1489,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1490,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx !-d" "id:1491,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@pmFromFile unix-shell.data" 
"id:1492,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1493,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1494,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ba["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv]" "id:1495,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@pmFromFile restricted-upload.data" "id:1496,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:t["^]*i["^]*m["^]*e|[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ "'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:a["^]*(?:c["^]*c["^]*c["^]*h["^]*e["^]*c["^]*k["^]*c["^]*o["^]*n["^]*s["^]*o["^]*l["^]*e|d["^]*(?:p["^]*l["^]*u["^]*s|v["^]*p["^]*a["^]*c["^]*k)|(?:g["^]*e["^]*n["^]*t["^]*e["^]*x["^]*e["^]*c["^]*u["^]*t["^]*o|s["^]*p["^]*n["^]*e["^]*t["^]*_["^]*c["^]*o["^]*m["^]*p["^]*i["^]*l["^]*e)["^]*r|p["^]*p["^]*(?:i["^]*n["^]*s["^]*t["^]*a["^]*l["^]*l["^]*e["^]*r|v["^]*l["^]*p)|t["^]*(?:[sv,.-/;-<>].*|b["^]*r["^]*o["^]*k["^]*e["^]*r))|b["^]*(?:a["^]*s["^]*h|g["^]*i["^]*n["^]*f["^]*o|i["^]*t["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|c["^]*(?:d["^]*b|e["^]*r["^]*t["^]*(?:o["^]*c|r["^]*e["^]*q|u["^]*t["^]*i["^]*l)|l["^]*_["^]*(?:i["^]*n["^]*v["^]*o["^]*c["^]*a["^]*t["^]*i["^]*o["^]*n|l["^]*o["^]*a["^]*d["^]*a["^]*s["^]*s["^]*e["^]*m["^]*b["^]*l["^]*y|m["^]*u["^]*t["^]*e["^]*x["^]*v["^]*e["^]*r["^]*i["^]*f["^]*i["^]*e["^]*r["^]*s)|m["^]*(?:d(?:["^]*(?:k["^]*e["^]*y|l["^]*3["^]*2))?|s["^]*t["^]*p)|o["^]*(?:m["^]*s["^]*v["^]*c["^]*s|n["^]*(?:f["^]*i["^]*g["^]*s["^]*e["^]*c["^]*u["^]*r["^]*i["^]*t["^]*y["^]*p["^]*o["^]*l["^]*i["^]*c["^]*y|h["^]*o["^]*s["^]*t|t["^]*r["^]*o["^]*l)|r[
"^]*e["^]*g["^]*e["^]*n)|r["^]*e["^]*a["^]*t["^]*e["^]*d["^]*u["^]*m["^]*p|s["^]*(?:c(?:["^]*r["^]*i["^]*p["^]*t)?|i)|u["^]*s["^]*t["^]*o["^]*m["^]*s["^]*h["^]*e["^]*l["^]*l["^]*h["^]*o["^]*s["^]*t)|d["^]*(?:a["^]*t["^]*a["^]*s["^]*v["^]*c["^]*u["^]*t["^]*i["^]*l|e["^]*(?:f["^]*a["^]*u["^]*l["^]*t["^]*p["^]*a["^]*c["^]*k|s["^]*k(?:["^]*t["^]*o["^]*p["^]*i["^]*m["^]*g["^]*d["^]*o["^]*w["^]*n["^]*l["^]*d["^]*r)?|v["^]*(?:i["^]*c["^]*e["^]*c["^]*r["^]*e["^]*d["^]*e["^]*n["^]*t["^]*i["^]*a["^]*l["^]*d["^]*e["^]*p["^]*l["^]*o["^]*y["^]*m["^]*e["^]*n["^]*t|t["^]*o["^]*o["^]*l["^]*s["^]*l["^]*a["^]*u["^]*n["^]*c["^]*h["^]*e["^]*r))|f["^]*s["^]*(?:h["^]*i["^]*m|v["^]*c)|i["^]*(?:a["^]*n["^]*t["^]*z|s["^]*k["^]*s["^]*h["^]*a["^]*d["^]*o["^]*w)|n["^]*(?:s["^]*c["^]*m["^]*d|x)|o["^]*t["^]*n["^]*e["^]*t|u["^]*m["^]*p["^]*6["^]*4|x["^]*c["^]*a["^]*p)|e["^]*(?:s["^]*e["^]*n["^]*t["^]*u["^]*t["^]*l|v["^]*e["^]*n["^]*t["^]*v["^]*w["^]*r|x["^]*(?:c["^]*e["^]*l|p["^]*(?:a["^]*n["^]*d|l["^]*o["^]*r["^]*e["^]*r)|t["^]*(?:e["^]*x["^]*p["^]*o["^]*r["^]*t|r["^]*a["^]*c["^]*3["^]*2)))|f["^]*(?:i["^]*n["^]*(?:d["^]*s["^]*t|g["^]*e)["^]*r|l["^]*t["^]*m["^]*c|o["^]*r["^]*f["^]*i["^]*l["^]*e["^]*s|s["^]*(?:i(?:["^]*a["^]*n["^]*y["^]*c["^]*p["^]*u)?|u["^]*t["^]*i["^]*l)|t["^]*p)|g["^]*(?:f["^]*x["^]*d["^]*o["^]*w["^]*n["^]*l["^]*o["^]*a["^]*d["^]*w["^]*r["^]*a["^]*p["^]*p["^]*e["^]*r|p["^]*s["^]*c["^]*r["^]*i["^]*p["^]*t)|h["^]*h|i["^]*(?:e["^]*(?:4["^]*u["^]*i["^]*n["^]*i["^]*t|a["^]*d["^]*v["^]*p["^]*a["^]*c["^]*k|e["^]*x["^]*e["^]*c|f["^]*r["^]*a["^]*m["^]*e)|l["^]*a["^]*s["^]*m|m["^]*e["^]*w["^]*d["^]*b["^]*l["^]*d|n["^]*(?:f["^]*d["^]*e["^]*f["^]*a["^]*u["^]*l["^]*t["^]*i["^]*n["^]*s["^]*t["^]*a["^]*l|s["^]*t["^]*a["^]*l["^]*l["^]*u["^]*t["^]*i)["^]*l)|j["^]*s["^]*c|l["^]*(?:a["^]*u["^]*n["^]*c["^]*h["^]*-["^]*v["^]*s["^]*d["^]*e["^]*v["^]*s["^]*h["^]*e["^]*l["^]*l|d["^]*i["^]*f["^]*d["^]*e)|m["^]*(?:a["^]*(?:k["^]*e["^]*c["^]*a["^]*b|n["^]*a["^]*g["^]*e["^]*-["^]*b["^]*d["^]*e|v["^]*i["^]
*n["^]*j["^]*e["^]*c["^]*t)|f["^]*t["^]*r["^]*a["^]*c["^]*e|i["^]*c["^]*r["^]*o["^]*s["^]*o["^]*f["^]*t|m["^]*c|p["^]*c["^]*m["^]*d["^]*r["^]*u["^]*n|s["^]*(?:(?:b["^]*u["^]*i["^]*l|o["^]*h["^]*t["^]*m["^]*e)["^]*d|c["^]*o["^]*n["^]*f["^]*i["^]*g|d["^]*(?:e["^]*p["^]*l["^]*o["^]*y|t)|h["^]*t["^]*(?:a|m["^]*l)|i["^]*e["^]*x["^]*e["^]*c|p["^]*u["^]*b|x["^]*s["^]*l))|n["^]*(?:e["^]*t["^]*s["^]*h|t["^]*d["^]*s["^]*u["^]*t["^]*i["^]*l)|o["^]*(?:d["^]*b["^]*c["^]*c["^]*o["^]*n["^]*f|f["^]*f["^]*l["^]*i["^]*n["^]*e["^]*s["^]*c["^]*a["^]*n["^]*n["^]*e["^]*r["^]*s["^]*h["^]*e["^]*l["^]*l|n["^]*e["^]*d["^]*r["^]*i["^]*v["^]*e["^]*s["^]*t["^]*a["^]*n["^]*d["^]*a["^]*l["^]*o["^]*n["^]*e["^]*u["^]*p["^]*d["^]*a["^]*t["^]*e["^]*r|p["^]*e["^]*n["^]*c["^]*o["^]*n["^]*s["^]*o["^]*l["^]*e)|p["^]*(?:c["^]*(?:a["^]*l["^]*u["^]*a|w["^]*(?:r["^]*u["^]*n|u["^]*t["^]*l))|(?:e["^]*s["^]*t["^]*e|s)["^]*r|(?:k["^]*t["^]*m["^]*o|u["^]*b["^]*p["^]*r)["^]*n|n["^]*p["^]*u["^]*t["^]*i["^]*l|o["^]*w["^]*e["^]*r["^]*p["^]*n["^]*t|r["^]*(?:e["^]*s["^]*e["^]*n["^]*t["^]*a["^]*t["^]*i["^]*o["^]*n["^]*h["^]*o["^]*s["^]*t|i["^]*n["^]*t(?:["^]*b["^]*r["^]*m)?|o["^]*(?:c["^]*d["^]*u["^]*m["^]*p|t["^]*o["^]*c["^]*o["^]*l["^]*h["^]*a["^]*n["^]*d["^]*l["^]*e["^]*r)))|r["^]*(?:a["^]*s["^]*a["^]*u["^]*t["^]*o["^]*u|c["^]*s["^]*i|(?:d["^]*r["^]*l["^]*e["^]*a["^]*k["^]*d["^]*i["^]*a|p["^]*c["^]*p["^]*i["^]*n)["^]*g|e["^]*(?:g(?:["^]*(?:a["^]*s["^]*m|e["^]*d["^]*i["^]*t|i["^]*(?:n["^]*i|s["^]*t["^]*e["^]*r["^]*-["^]*c["^]*i["^]*m["^]*p["^]*r["^]*o["^]*v["^]*i["^]*d["^]*e["^]*r)|s["^]*v["^]*(?:c["^]*s|r["^]*3["^]*2)))?|(?:m["^]*o["^]*t|p["^]*l["^]*a["^]*c)["^]*e)|u["^]*n["^]*(?:d["^]*l["^]*l["^]*3["^]*2|(?:e["^]*x["^]*e|s["^]*c["^]*r["^]*i["^]*p["^]*t)["^]*h["^]*e["^]*l["^]*p["^]*e["^]*r|o["^]*n["^]*c["^]*e))|s["^]*(?:c["^]*(?:[sv,.-/;-<>].*|h["^]*t["^]*a["^]*s["^]*k["^]*s|r["^]*i["^]*p["^]*t["^]*r["^]*u["^]*n["^]*n["^]*e["^]*r)|e["^]*t["^]*(?:r["^]*e["^]*s|t["^]*i["^]*n["^]*g["^]*s["^]*y["^]*n["^]*c["^]*h["^]*o["^
]*s["^]*t|u["^]*p["^]*a["^]*p["^]*i)|h["^]*(?:d["^]*o["^]*c["^]*v["^]*w|e["^]*l["^]*l["^]*3["^]*2)|q["^]*(?:l["^]*(?:d["^]*u["^]*m["^]*p["^]*e["^]*r|(?:t["^]*o["^]*o["^]*l["^]*s["^]*)?p["^]*s)|u["^]*i["^]*r["^]*r["^]*e["^]*l)|s["^]*h|t["^]*o["^]*r["^]*d["^]*i["^]*a["^]*g|y["^]*(?:n["^]*c["^]*a["^]*p["^]*p["^]*v["^]*p["^]*u["^]*b["^]*l["^]*i["^]*s["^]*h["^]*i["^]*n["^]*g["^]*s["^]*e["^]*r["^]*v["^]*e["^]*r|s["^]*s["^]*e["^]*t["^]*u["^]*p))|t["^]*(?:e["^]*[sv,.-/;-<>].*|r["^]*a["^]*c["^]*k["^]*e["^]*r|t["^]*(?:d["^]*i["^]*n["^]*j["^]*e["^]*c["^]*t|t["^]*r["^]*a["^]*c["^]*e["^]*r))|u["^]*(?:n["^]*r["^]*e["^]*g["^]*m["^]*p["^]*2|p["^]*d["^]*a["^]*t["^]*e|r["^]*l|t["^]*i["^]*l["^]*i["^]*t["^]*y["^]*f["^]*u["^]*n["^]*c["^]*t["^]*i["^]*o["^]*n["^]*s)|v["^]*(?:b["^]*c|e["^]*r["^]*c["^]*l["^]*s["^]*i["^]*d|i["^]*s["^]*u["^]*a["^]*l["^]*u["^]*i["^]*a["^]*v["^]*e["^]*r["^]*i["^]*f["^]*y["^]*n["^]*a["^]*t["^]*i["^]*v["^]*e|s["^]*(?:i["^]*i["^]*s["^]*e["^]*x["^]*e["^]*l["^]*a["^]*u["^]*n["^]*c["^]*h|j["^]*i["^]*t["^]*d["^]*e["^]*b["^]*u["^]*g["^]*g)["^]*e["^]*r)|w["^]*(?:a["^]*b|(?:f|m["^]*i)["^]*c|i["^]*n["^]*(?:g["^]*e["^]*t|r["^]*m|w["^]*o["^]*r["^]*d)|l["^]*r["^]*m["^]*d["^]*r|o["^]*r["^]*k["^]*f["^]*o["^]*l["^]*d["^]*e["^]*r["^]*s|s["^]*(?:(?:c["^]*r["^]*i["^]*p|r["^]*e["^]*s["^]*e)["^]*t|l)|t["^]*[sv,.-/;-<>].*|u["^]*a["^]*u["^]*c["^]*l["^]*t)|x["^]*w["^]*i["^]*z["^]*a["^]*r["^]*d|z["^]*i["^]*p["^]*f["^]*l["^]*d["^]*r)(?:.["^]*[0-9A-Z_a-z]+)?b" "id:1497,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:t["^]*i["^]*m["^]*e|[nr;`{]|||?|&&?)[sv]*[sv"'-(,@]*(?:["'.-9A-Z_a-z]+/|(?:["'x5c^]*[0-9A-Z_a-z]["'x5c^]*:.*|[ 
"'.-9A-Zx5c^-_a-z]*)x5c)?["^]*(?:a["^]*(?:s["^]*s["^]*o["^]*c|t["^]*(?:m["^]*a["^]*d["^]*m|t["^]*r["^]*i["^]*b)|u["^]*(?:d["^]*i["^]*t["^]*p["^]*o["^]*l|t["^]*o["^]*(?:c["^]*(?:h["^]*k|o["^]*n["^]*v)|(?:f["^]*m|m["^]*o["^]*u["^]*n)["^]*t)))|b["^]*(?:c["^]*d["^]*(?:b["^]*o["^]*o|e["^]*d["^]*i)["^]*t|(?:d["^]*e["^]*h["^]*d|o["^]*o["^]*t)["^]*c["^]*f["^]*g|i["^]*t["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|c["^]*(?:a["^]*c["^]*l["^]*s|e["^]*r["^]*t["^]*(?:r["^]*e["^]*q|u["^]*t["^]*i["^]*l)|h["^]*(?:c["^]*p|d["^]*i["^]*r|g["^]*(?:l["^]*o["^]*g["^]*o["^]*n|p["^]*o["^]*r["^]*t|u["^]*s["^]*r)|k["^]*(?:d["^]*s["^]*k|n["^]*t["^]*f["^]*s))|l["^]*e["^]*a["^]*n["^]*m["^]*g["^]*r|m["^]*(?:d(?:["^]*k["^]*e["^]*y)?|s["^]*t["^]*p)|s["^]*c["^]*r["^]*i["^]*p["^]*t)|d["^]*(?:c["^]*(?:d["^]*i["^]*a["^]*g|g["^]*p["^]*o["^]*f["^]*i["^]*x)|e["^]*(?:f["^]*r["^]*a["^]*g|l)|f["^]*s["^]*(?:d["^]*i["^]*a|r["^]*m["^]*i)["^]*g|i["^]*(?:a["^]*n["^]*t["^]*z|r|s["^]*(?:k["^]*(?:c["^]*o["^]*(?:m["^]*p|p["^]*y)|p["^]*(?:a["^]*r["^]*t|e["^]*r["^]*f)|r["^]*a["^]*i["^]*d|s["^]*h["^]*a["^]*d["^]*o["^]*w)|p["^]*d["^]*i["^]*a["^]*g))|n["^]*s["^]*c["^]*m["^]*d|(?:o["^]*s["^]*k["^]*e|r["^]*i["^]*v["^]*e["^]*r["^]*q["^]*u["^]*e["^]*r)["^]*y)|e["^]*(?:n["^]*d["^]*l["^]*o["^]*c["^]*a["^]*l|v["^]*e["^]*n["^]*t["^]*c["^]*r["^]*e["^]*a["^]*t["^]*e)|E["^]*v["^]*n["^]*t["^]*c["^]*m["^]*d|f["^]*(?:c|i["^]*(?:l["^]*e["^]*s["^]*y["^]*s["^]*t["^]*e["^]*m["^]*s|n["^]*d["^]*s["^]*t["^]*r)|l["^]*a["^]*t["^]*t["^]*e["^]*m["^]*p|o["^]*r(?:["^]*f["^]*i["^]*l["^]*e["^]*s)?|r["^]*e["^]*e["^]*d["^]*i["^]*s["^]*k|s["^]*u["^]*t["^]*i["^]*l|(?:t["^]*y["^]*p|v["^]*e["^]*u["^]*p["^]*d["^]*a["^]*t)["^]*e)|g["^]*(?:e["^]*t["^]*(?:m["^]*a["^]*c|t["^]*y["^]*p["^]*e)|o["^]*t["^]*o|p["^]*(?:f["^]*i["^]*x["^]*u["^]*p|(?:r["^]*e["^]*s["^]*u["^]*l["^]*)?t|u["^]*p["^]*d["^]*a["^]*t["^]*e)|r["^]*a["^]*f["^]*t["^]*a["^]*b["^]*l)|h["^]*(?:e["^]*l["^]*p["^]*c["^]*t["^]*r|o["^]*s["^]*t["^]*n["^]*a["^]*m["^]*e)|i["^]*(?:c["^]*a["^]*c["^]*l["^]*s|f|p["^]*(
?:c["^]*o["^]*n["^]*f["^]*i["^]*g|x["^]*r["^]*o["^]*u["^]*t["^]*e)|r["^]*f["^]*t["^]*p)|j["^]*e["^]*t["^]*p["^]*a["^]*c["^]*k|k["^]*(?:l["^]*i["^]*s["^]*t|s["^]*e["^]*t["^]*u["^]*p|t["^]*(?:m["^]*u["^]*t["^]*i["^]*l|p["^]*a["^]*s["^]*s))|l["^]*(?:o["^]*(?:d["^]*c["^]*t["^]*r|g["^]*(?:m["^]*a["^]*n|o["^]*f["^]*f))|p["^]*[q-r])|m["^]*(?:a["^]*(?:c["^]*f["^]*i["^]*l["^]*e|k["^]*e["^]*c["^]*a["^]*b|p["^]*a["^]*d["^]*m["^]*i["^]*n)|k["^]*(?:d["^]*i["^]*r|l["^]*i["^]*n["^]*k)|m["^]*c|o["^]*u["^]*n["^]*t["^]*v["^]*o["^]*l|q["^]*(?:b["^]*k["^]*u["^]*p|(?:t["^]*g["^]*)?s["^]*v["^]*c)|s["^]*(?:d["^]*t|i["^]*(?:e["^]*x["^]*e["^]*c|n["^]*f["^]*o["^]*3["^]*2)|t["^]*s["^]*c))|n["^]*(?:b["^]*t["^]*s["^]*t["^]*a["^]*t|e["^]*t["^]*(?:c["^]*f["^]*g|d["^]*o["^]*m|s["^]*(?:h|t["^]*a["^]*t))|f["^]*s["^]*(?:a["^]*d["^]*m["^]*i["^]*n|s["^]*(?:h["^]*a["^]*r["^]*e|t["^]*a["^]*t))|l["^]*(?:b["^]*m["^]*g["^]*r|t["^]*e["^]*s["^]*t)|s["^]*l["^]*o["^]*o["^]*k["^]*u["^]*p|t["^]*(?:b["^]*a["^]*c["^]*k["^]*u["^]*p|c["^]*m["^]*d["^]*p["^]*r["^]*o["^]*m["^]*p["^]*t|f["^]*r["^]*s["^]*u["^]*t["^]*l))|o["^]*(?:f["^]*f["^]*l["^]*i["^]*n["^]*e|p["^]*e["^]*n["^]*f["^]*i["^]*l["^]*e["^]*s)|p["^]*(?:a["^]*(?:g["^]*e["^]*f["^]*i["^]*l["^]*e["^]*c["^]*o["^]*n["^]*f["^]*i|t["^]*h["^]*p["^]*i["^]*n)["^]*g|(?:b["^]*a["^]*d["^]*m["^]*i|k["^]*t["^]*m["^]*o)["^]*n|e["^]*(?:n["^]*t["^]*n["^]*t|r["^]*f["^]*m["^]*o["^]*n)|n["^]*p["^]*u["^]*(?:n["^]*a["^]*t["^]*t["^]*e["^]*n["^]*d|t["^]*i["^]*l)|o["^]*(?:p["^]*d|w["^]*e["^]*r["^]*s["^]*h["^]*e["^]*l["^]*l)|r["^]*n["^]*(?:c["^]*n["^]*f["^]*g|(?:d["^]*r["^]*v|m["^]*n["^]*g)["^]*r|j["^]*o["^]*b["^]*s|p["^]*o["^]*r["^]*t|q["^]*c["^]*t["^]*l)|u["^]*(?:b["^]*p["^]*r["^]*n|s["^]*h["^]*(?:d|p["^]*r["^]*i["^]*n["^]*t["^]*e["^]*r["^]*c["^]*o["^]*n["^]*n["^]*e["^]*c["^]*t["^]*i["^]*o["^]*n["^]*s))|w["^]*(?:l["^]*a["^]*u["^]*n["^]*c["^]*h["^]*e["^]*r|s["^]*h))|q["^]*(?:a["^]*p["^]*p["^]*s["^]*r["^]*v|p["^]*r["^]*o["^]*c["^]*e["^]*s["^]*s|u["^]*s["^]*e["^]*r|w["^]*i["^]*n["^]*s["^]*
t["^]*a)|r["^]*(?:d(?:["^]*p["^]*s["^]*i["^]*g["^]*n)?|e["^]*(?:f["^]*s["^]*u["^]*t["^]*i["^]*l|g(?:["^]*(?:i["^]*n["^]*i|s["^]*v["^]*r["^]*3["^]*2))?|l["^]*o["^]*g|(?:(?:p["^]*a["^]*d["^]*m["^]*i|s["^]*c["^]*a)["^]*)?n|x["^]*e["^]*c)|i["^]*s["^]*e["^]*t["^]*u["^]*p|m["^]*d["^]*i["^]*r|o["^]*b["^]*o["^]*c["^]*o["^]*p["^]*y|p["^]*c["^]*(?:i["^]*n["^]*f["^]*o|p["^]*i["^]*n["^]*g)|s["^]*h|u["^]*n["^]*d["^]*l["^]*l["^]*3["^]*2|w["^]*i["^]*n["^]*s["^]*t["^]*a)|s["^]*(?:a["^]*n|c["^]*(?:h["^]*t["^]*a["^]*s["^]*k["^]*s|w["^]*c["^]*m["^]*d)|e["^]*(?:c["^]*e["^]*d["^]*i["^]*t|r["^]*v["^]*e["^]*r["^]*(?:(?:c["^]*e["^]*i["^]*p|w["^]*e["^]*r)["^]*o["^]*p["^]*t["^]*i["^]*n|m["^]*a["^]*n["^]*a["^]*g["^]*e["^]*r["^]*c["^]*m["^]*d)|t["^]*x)|f["^]*c|(?:h["^]*o["^]*w["^]*m["^]*o["^]*u["^]*n|u["^]*b["^]*s)["^]*t|x["^]*s["^]*t["^]*r["^]*a["^]*c["^]*e|y["^]*s["^]*(?:o["^]*c["^]*m["^]*g["^]*r|t["^]*e["^]*m["^]*i["^]*n["^]*f["^]*o))|t["^]*(?:a["^]*(?:k["^]*e["^]*o["^]*w["^]*n|p["^]*i["^]*c["^]*f["^]*g|s["^]*k["^]*(?:k["^]*i["^]*l["^]*l|l["^]*i["^]*s["^]*t))|(?:c["^]*m["^]*s["^]*e["^]*t["^]*u|f["^]*t)["^]*p|(?:(?:e["^]*l["^]*n["^]*e|i["^]*m["^]*e["^]*o["^]*u)["^]*|r["^]*a["^]*c["^]*e["^]*r["^]*(?:p["^]*)?)t|l["^]*n["^]*t["^]*a["^]*d["^]*m["^]*n|p["^]*m["^]*(?:t["^]*o["^]*o["^]*l|v["^]*s["^]*c["^]*m["^]*g["^]*r)|s["^]*(?:(?:d["^]*i["^]*s["^]*)?c["^]*o["^]*n|e["^]*c["^]*i["^]*m["^]*p|k["^]*i["^]*l["^]*l|p["^]*r["^]*o["^]*f)|y["^]*p["^]*e["^]*p["^]*e["^]*r["^]*f|z["^]*u["^]*t["^]*i["^]*l)|u["^]*n["^]*(?:e["^]*x["^]*p["^]*o["^]*s["^]*e|i["^]*q["^]*u["^]*e["^]*i["^]*d|l["^]*o["^]*d["^]*c["^]*t["^]*r)|v["^]*(?:o["^]*l|s["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n)|w["^]*(?:a["^]*i["^]*t["^]*f["^]*o["^]*r|b["^]*a["^]*d["^]*m["^]*i["^]*n|(?:d["^]*s|e["^]*(?:c|v["^]*t))["^]*u["^]*t["^]*i["^]*l|h["^]*(?:e["^]*r["^]*e|o["^]*a["^]*m["^]*i)|i["^]*n["^]*(?:n["^]*t(?:["^]*3["^]*2)?|r["^]*s)|m["^]*i["^]*c|s["^]*c["^]*r["^]*i["^]*p["^]*t)|x["^]*c["^]*o["^]*p["^]*y)(?:.["^]*[0-9A-Z_a-z]+)?b" 
"id:1498,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1499,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1500,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*.[sv].*b" "id:1501,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" "id:1502,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" "id:1503,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx /" "id:1504,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx s" "id:1505,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" "id:1506,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx /" "id:1507,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx s" "id:1508,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" "id:1509,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx /" "id:1510,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx s" "id:1511,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx 
(?i).|(?:[sv]*|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g["')[-x5c]*(?:(?:(?:|||&&
)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|
w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?h))" "id:1512,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)[-0-9_a-z]+(?:["'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" "id:1513,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1514,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx ;[sv]*.[sv]*["']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" "id:1515,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" "id:1516,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:["-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:["-#*.-9A-Z_a-z~]+)? (?:["%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:["%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:["%-&*--9A-Zx5c_a-z]+)? 
((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:["%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:["%-&*--9A-Zx5c_a-z]+)?)" "id:1517,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" "id:1518,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|
pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|
a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|
c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" "id:1519,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|q
n|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(
?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" "id:1520,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1521,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 3" 
"id:1522,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1523,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?o|[sv&),<>|].*))b" "id:1524,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)
|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite
3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" "id:1525,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx 
(?i)(?:(?:^|=)[sv]*(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*|(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*)[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w["')[-x5c]*
(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" "id:1526,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" "id:1527,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" "id:1528,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" "id:1529,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" "id:1530,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@rx !(?:d|!)" "id:1531,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1532,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1533,phase:1,deny,status:403,log,msg:'rce attack detected'" 
diff --git a/waf_patterns/apache/rfi.conf b/waf_patterns/apache/rfi.conf
index e35ec64..f431145 100644
--- a/waf_patterns/apache/rfi.conf
+++ b/waf_patterns/apache/rfi.conf
@@ -1,18 +1,18 @@ # Apache ModSecurity rules for RFI SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1200,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1201,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" "id:1202,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" "id:1203,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?).*??+$" "id:1204,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1205,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 2" "id:1206,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1207,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1208,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1209,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1210,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1211,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 3" "id:1212,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1213,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "@lt 4" "id:1214,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1163,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 1" "id:1164,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" "id:1165,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" "id:1166,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?).*??+$" "id:1167,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 2" 
"id:1168,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 2" "id:1169,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1170,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1171,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1172,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1173,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 3" 
"id:1174,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 3" "id:1175,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1176,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "@lt 4" "id:1177,phase:1,deny,status:403,log,msg:'rfi attack detected'" diff --git a/waf_patterns/apache/shells.conf b/waf_patterns/apache/shells.conf index 67f3101..523faa0 100644 --- a/waf_patterns/apache/shells.conf +++ b/waf_patterns/apache/shells.conf 
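Review bot: The re-emitted rules `SecRule REQUEST_URI "@lt 1" "id:1163,phase:1,deny,..."` and their siblings (ids 1164, 1168, 1169, 1174–1177) apply a numeric comparison to the request URI; a non-numeric URI presumably evaluates as 0, so each of them would match ordinary requests and return 403. They look like paranoia-level guards carried over from the source rule set (the JSON at the top of this commit has `@lt %{tx.blocking_paranoia_level}`), not RFI signatures, and `SecRule REQUEST_URI "!@endsWith .%{request_headers.host}"` (ids 1171, 1173) has the same problem because it fires on any URI that does not end with the host name. I would have the generator skip these non-signature operators instead of emitting them as stand-alone `deny` rules; the same `@lt 3`/`@lt 4` entries are visible in the rce.conf rules above (ids 1522, 1523, 1532, 1533). Separately, the only change in this hunk is renumbering ids 1200–1214 to 1163–1177, which would silently break any `SecRuleRemoveById` exclusions and log correlation keyed on the old ids, so a fixed id range per file would be safer.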
@@ -1,37 +1,37 @@ # Apache ModSecurity rules for SHELLS SecRuleEngine On -SecRule REQUEST_URI "@lt 1" "id:1566,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@lt 1" "id:1567,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1568,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx (r57 Shell Version [0-9.]+|r57 shell)" "id:1569,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^.*? - WSO [0-9.]+" "id:1570,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx B4TM4N SH3LL.*" "id:1571,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx Mini Shell.*Developed By LameHacker" "id:1572,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx .:: .* ~ Ashiyane V [0-9.]+ ::." "id:1573,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx Symlink_Sa [0-9.]+" "id:1574,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx CasuS [0-9.]+ by MafiABoY" "id:1575,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^rnrnGRP WebShell [0-9.]+" "id:1576,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" "id:1577,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" "id:1578,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell" "id:1579,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx lama's'hell v. 
[0-9.]+" "id:1580,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^ *n[ ]+n[ ]+lostDC -" "id:1581,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^<title>PHP Web Shellrnrnrn " "id:1582,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^nn
    Input command :
    n
    " "id:1583,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^nnRu24PostWebShell -" "id:1584,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" "id:1585,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^rnrnrnPhpSpy Ver [0-9]+" "id:1586,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^ nnnng00nshell v[0-9.]+" "id:1587,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@contains <title>punkholicshell" "id:1588,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx ^n n azrail [0-9.]+ by C-W-M" "id:1589,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by n.*? ~ Shell Inn