[mod-security-users] SubscribeMe Pro
From: Kevin S. <Jed...@ec...> - 2009-12-30 18:08:53
I am having some issues with mod_security and SubscribeMe Pro and need some help getting around it. I have never used or tried to write custom rules so I really don't know where to begin. Here is what my log files say:

[29/Dec/2009:15:05:33 --0500] [www.zzz.com/sid#a078470][rid#b0e4b08][/cgi-bin/rsubee/s.pl][2] Warning. Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:message. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "<meta"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

[29/Dec/2009:15:05:33 --0500] [www.zzz.com/sid#a078470][rid#b0e4b08][/cgi-bin/rsubee/s.pl][1] Access denied with code 400 (phase 2). Pattern match "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" at ARGS:message. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950911"] [msg "HTTP Response Splitting Attack"] [data "<html"] [severity "ALERT"]

--77c2ac00-A--
[29/Dec/2009:15:11:26 --0500] oG0lPkAiqk0AAHTkAkAAAAAm 174.106.36.226 2837 64.34.170.77 80
--77c2ac00-B--
POST /cgi-bin/rsubee/s.pl HTTP/1.1
Host: www.zzz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.zzz.com/cgi-bin/rsubee/s.pl?form2=1&session_id=uAZyUYaBWCw2ZhA
Content-Type: application/x-www-form-urlencoded
Content-Length: 10105

--77c2ac00-C--
session_id=uAZyUYaBWCw2ZhA&mail_subject=Test&to_lists=6&bnumber=200&every=1800&invitation_text=Join+our+list%21%0D%0AClick+the+link+below+to+be+added+to+our+mailing+list.+If+you+choose+not+to+be+added+to+our+list%2C+you+will+not+receive+any+additional+mailings.%0D%0ANo+unsubscription+is+necessary%2C+as+you+are+not+presently+subscribed+to+our+list.%0D%0A&invitation=&throttle=1&password=&message=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3ERulmeca+Motorized+Pulley+News+January+2010%3C%2Ftitle%3E%0D%0A%3Cmeta+http-equiv%3D%22Content-Type%22+content%3D%22text%2Fhtml%3B+charset%3Diso-8859-1%22%3E%0D%0A%3Cstyle+type%3D%22text%2Fcss%22%3E%0D%0A%3C%21--%0D%0A.style1+%7Bfont-family%3A+Arial%2C+Helvetica%2C+sans-serif%7D%0D%0A.style2+%7Bfont-size%3A+12px%7D%0D%0A.style3+%7Bfont-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+12px%3B+%7D%0D%0A.style7+%7B%0D%0A%09font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+12px%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A%09color%3A+%23000099%3B%0D%0A%7D%0D%0A.style12+%7Bfont-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-weight%3A+bold%3B+color%3A+%23000099%3B+%7D%0D%0A.style17+%7Bfont-f
amily%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-weight%3A+bold%3B+color%3A+%23333333%3B+font-style%3A+italic%3B+%7D%0D%0A.style18+%7Bfont-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+12px%3B+color%3A+%23000099%3B+%7D%0D%0A.style19+%7B%0D%0A%09font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+16px%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A%09color%3A+%23000099%3B%0D%0A%09font-style%3A+italic%3B%0D%0A%7D%0D%0A.style21+%7Bfont-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B+font-size%3A+12px%3B+font-weight%3A+bold%3B+color%3A+%23000099%3B+font-style%3A+italic%3B+%7D%0D%0A--%3E%0D%0A%3C%2Fstyle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody+bgcolor%3D%22%23FFFFFF%22+text%3D%22%23000000%22+link%3D%22%23336699%22+%0D%0A+vlink%3D%22%23336699%22+alink%3D%22%23336699%22%3E%0D%0A%3Cdiv+align%3D%22center%22%3E%0D%0A+++%3C%2Ftd%3E%0D%0A+++%3C%2Ftr%3E%0D%0A+++%3C%2Ftable%3E%0D%0A%3Ctable+width%3D%22589%22+height%3D%221356%22+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22%3E%0D%0A+%3Ctr%3E%0D%0A+++%3Ctd+width%3D%22589%22%3E%3Cspan+class%3D%22style3%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.zzz.com%2FSeptember_Distributor_Schools.html%22%3E%3C%2Fa%3E%3C%2Fspan%3E%0D%0A+++++%3Ctable+width%3D%22518%22+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22%3E%0D%0A+++++++%3Ctr%3E%0D%0A+++++++++%3Ctd+height%3D%22142%22+colspan%3D%224%22+align%3D%22center%22%3E%3Cp+align%3D%22left%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.zzz.com%2Findex.htm%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FEnewsletter_masthead2.jpg%22+alt%3D%22Masthead%22+width%3D%22500%22+height%3D%22136%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E+++++++++%3C%2Ftd%3E%0D%0A+++++++++%3C%2Ftr%3E%0D%0A+++++++%0D%0A+++++++%3Ctr%3E%0D%0A+++++++++%3Ctd+width%3D%22166%22+height%3D%2222%22+align%3D%22center%22+valign%3D%22middle%22%3E%3Cdiv+align%3D%22center%22%3E%3Cspan+class%3D%22style17%22%3EJanuary+2010+%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Ftd%3E%0D%0A+++++++++%3Ctd+width%3D%229%22+rowspa
n%3D%222%22%3E%26nbsp%3B%3C%2Ftd%3E%0D%0A+++++++++%3Ctd+width%3D%22332%22+rowspan%3D%222%22%3E%3Cp+class%3D%22style12%22%3ECargill+Deicing+Solves+Salty+Problems+with+Rulmeca+Motorized+Pulleys+%3C%2Fp%3E%0D%0A+++++++++++%3Cp+class%3D%22style12%22%3E%3Ca+href%3D%22..%2FCargill_Deicing_2009.html%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FRulmeca+Motorized+Pulley+Newsletter+200911%2FCargill_barge_loader.jpg%22+alt%3D%22Cargill+Deicing+Barge+Loader+with+Rulmeca+Motorized+Pulley%22+width%3D%22330%22+height%3D%22248%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A+++++++++++%3Cp+class%3D%22style3%22%3ECargill+Deicing+has+begun+converting+their+exposed+conveyor+drive+systems+to+internally-powered+Rulmeca+Motorized+Pulleys+after+a+successful+trial+in+2004+by+Everett+McBride.+The+company%27s+Avery+Island+facility+has+battled+the+effects+of+abrasion+and+corrosion+since+the+mine+shaft+was+sunk+into+the+huge+salt+dome+in+1862.+Standardizing+on+models+500M+%26amp%3B+630H%2C+Cargill+is+limiting+the+number+of+spares+protecting+their+system.+For+details+and+photgraphs%2C+including+special+Carboline+paint+system+used%2C+go+to+%26quot%3B%3Ca+href%3D%22..%2FCargill_Deicing_2009.html%22%3ECargill+Project%3C%2Fa%3E%26quot%3B.+%3C%2Fp%3E%0D%0A+++++++++++%3Cp+class%3D%22style12%22%3ERulmeca+Corporation+Services+First+100+HP+Rulmeca+Motorized+Pulley%3C%2Fp%3E%0D%0A+++++++++++%3Cp+class%3D%22style12%22%3E%3Ca+href%3D%22..%2FRulmeca_Services_100HP_Pulley.html%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FRulmeca+Motorized+Pulley+Newsletter+200911%2F800H_repaired_2009.jpg%22+alt%3D%22Rulmeca+100+HP+MOtorized+Pulley+repaired+2009%22+width%3D%22330%22+height%3D%22229%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A+++++++++++%3Cp+class%3D%22style3%22%3ERulmeca+Corporation+reached+another+milestone+in+June+2009+when+the+%3Ca+href%3D%22..%2FRulmeca_Services_100HP_Pulley.html%22%3Ecompany+provided+repair+services%3C%2Fa%3E+on+a+huge+model+800H+Motorized+Pulley.+Weig
hing+over+5%2C000+lbs%2C+this+is+one+of+the+largest+units+in+service+in+North+America.%3C%2Fp%3E%3C%2Ftd%3E%0D%0A+++++++++%3Ctd+width%3D%2211%22+rowspan%3D%222%22+class%3D%22style12%22%3E%26nbsp%3B%3C%2Ftd%3E%0D%0A+++++++%3C%2Ftr%3E%0D%0A+++++++%0D%0A+++++++%3Ctr%3E%0D%0A+++++++++%3Ctd+width%3D%22166%22+height%3D%22617%22+valign%3D%22top%22%3E%3Cp+align%3D%22left%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.zzz.com%2FRulmeca_Grease_Canister_Program.html%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FRulmeca+Motorized+Pulley+Newsletter+200911%2FRulmeca_Grease_Canister.jpg%22+alt%3D%22Rulmeca+Grease+Canister%22+width%3D%22163%22+height%3D%22141%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A++++++++++++++%3Cp+align%3D%22left%22%3E%3Cspan+class%3D%22style21%22%3ERulmeca+launches+Grease+Canister+Program+October+1+providing+automatic+greasing+%26amp%3B+purging+for+optional+labyrinth+seal+system.+For+information+on+available+kits%2C+go+to+%26quot%3B%3Ca+href%3D%22..%2FRulmeca_Grease_Canister_Program.html%22%3EGrease+Canister%3C%2Fa%3E%26quot%3B.+%3C%2Fspan%3E%3C%2Fp%3E%0D%0A++++++++++++++%3Cp+align%3D%22left%22%3E%3Ca+href%3D%22..%2FRulmeca_Bluefield_Coal_Show_2009.html%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FRulmeca+Motorized+Pulley+Newsletter+200911%2FBluefield_Coal_Show.jpg%22+alt%3D%22Rulmeca+%26amp%3B+Kerco+Exhibit+at+Bluefield+Coal+Show+2009%22+width%3D%22163%22+height%3D%22122%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A++++++++++++%3Cp+align%3D%22left%22%3E+%3Cspan+class%3D%22style21%22%3ERulmeca+Corp.+and+Kerco+Inc.+display+skid-mounted+Dual+Motorized+Pulleys+at+%3Ca+href%3D%22..%2FRulmeca_Bluefield_Coal_Show_2009.html%22%3EBluefield+Coal+Show%3C%2Fa%3E+in+September.+%26quot%3BEZMP%26quot%3B+dual+drive+is+configured+with+model+630H+75+HP+Motorized+Pulleys.+%3C%2Fspan%3E%3C%2Fp%3E%0D%0A++++++++++++%3Cp+align%3D%22left%22%3E%3Ca+href%3D%22..%2FSME_Show_2010.html%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FRulmeca+Mot
orized+Pulley+Newsletter+200911%2FMINExpo_2008.jpg%22+alt%3D%22Rulmeca+%26amp%3B+Precismeca+Exhibit+SME+Show+2010%22+width%3D%22163%22+height%3D%22122%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Fp%3E%0D%0A++++++++++++%3Cp+align%3D%22left%22%3E%3Cspan+class%3D%22style7%22%3ERulmeca+will+show+Motorized+Pulley+technology+at+the+%3Ca+href%3D%22..%2FSME_Show_2010.html%22%3ESME+Annual+Meeting%3C%2Fa%3E+in+Phoenix+March+1+-+3%2C+2010+in+Booth+%23761.+The+company+will+feature+dual-drives%2C+VFD-drives+and+grease+canisters+for+Motorized+Pulleys.+%3C%2Fspan%3E%3C%2Fp%3E++++++++++++%3C%2Ftd%3E%0D%0A+++++++%3C%2Ftr%3E%0D%0A+++++++%0D%0A+++++++%3Ctr%3E%0D%0A+++++++++%3Ctd+colspan%3D%223%22%3E%26nbsp%3B%3C%2Ftd%3E%0D%0A+++++++++%3C%2Ftr%3E%0D%0A+++++++%0D%0A+++++++%0D%0A+++++++%3Ctr%3E%0D%0A+++++++++%3Ctd+width%3D%22166%22+valign%3D%22middle%22%3E%3Cspan+class%3D%22style3%22%3E%3Cimg+src%3D%22..%2FUnnamed+Site+1%2Fpublic_html%2Fnewsletter%2Fline.JPG%22+width%3D%22165%22+height%3D%227%22+vspace%3D%224%22%3E%3C%2Fspan%3E%3C%2Ftd%3E%0D%0A+++++++++%3Ctd%3E%26nbsp%3B%3C%2Ftd%3E%0D%0A+++++++++%3Ctd%3E%3Cimg+src%3D%22..%2FUnnamed+Site+1%2Fpublic_html%2Fnewsletter%2Fline.JPG%22+width%3D%2212%22+height%3D%227%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2Fline.JPG%22+alt%3D%22Rulmeca+Corporation%22+width%3D%22300%22+height%3D%227%22+vspace%3D%224%22%3E%3C%2Ftd%3E%0D%0A+++++++++%3Ctd%3E%3Cp%3E%26nbsp%3B%3C%2Fp%3E+++++++++%3C%2Ftd%3E%0D%0A+++++++%3C%2Ftr%3E%0D%0A+++++%3C%2Ftable%3E%3C%2Ftd%3E%3C%2Ftr%3E%0D%0A+%3Ctr%3E%0D%0A+%3Ctd+height%3D%22286%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.zzz.com%2Findex.htm%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.zzz.com%2Fnewsletter%2FOctober%2Fimages%2F20_million.jpg%22+border%3D%220%22%3E%3C%2Fa%3E%3C%2Ftd%3E%0D%0A+%3C%2Ftr%3E%0D%0A+%3Ctr%3E%0D%0A+%3Ctd+height%3D%221%25%22%3E%3C%2Ftd%3E%0D%0A+%3C%2Ftr%3E%0D%0A+%3Ctr%3E%0D%0A+%3Ctd%3E%0D%0A+%3Ctable+cellspacing%3D%221%22+cellpadding%3D%2210%22+width%3D%2286%25%22+border%3D%220%22+bgcolor%3D%22%23483898%22
%3E%0D%0A+%3Ctr%3E%0D%0A+%3Ctd+height%3D%2265%22+bgcolor%3D%22%23FFFFFF%22%3E%0D%0A+%3Ctable+width%3D%22100%25%22++border%3D%220%22+cellspacing%3D%220%22+cellpadding%3D%220%22%3E%0D%0A+%3Ctr%3E%0D%0A+%3Ctd+class%3D%22body+style1+style2%22%3E%26copy%3B+2010+%3Cstrong%3ERulmeca+Corporation%3C%2Fstrong%3E%3Cbr%3E%0D%0A6508+Windmill+Way%2C+Suite+B%2C+Wilmington%2C+North+Carolina+28405%3Cbr%3E%0D%0APhone+910-794-9294%2C+910-794-9295%3B+Fax+910-794-9296%3C%2Ftd%3E%0D%0A+%3Ctd+class%3D%22body%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.zzz.com%22+class%3D%22style18%22%3Ewww.zzz.com%3C%2Fa%3E%3C%2Ftd%3E%0D%0A+%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E%3C%2Ftd%3E%0D%0A+%3C%2Ftr%3E%0D%0A+%3C%2Ftable%3E+%3C%2Ftd%3E%0D%0A+%3C%2Ftr%3E%0D%0A+%3C%2Ftable%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fbody%3E%3C%2Fhtml%3E&message_textonly=&mailing=Send+to+Subscribers

--77c2ac00-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

--77c2ac00-H--
Message: Warning. Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:message. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "<meta"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Message: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" at ARGS:message. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950911"] [msg "HTTP Response Splitting Attack"] [data "<html"] [severity "ALERT"]
Action: Intercepted (phase 2)
Apache-Handler: cgi-script
Stopwatch: 1262117486142782 177647 (163912* 177430 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache/2.2.3 (CentOS)

--77c2ac00-K--
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_METHOD" "!@rx ^(?:get|head|propfind|options)$" "phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,severity:4"
SecAction "phase:2,auditlog,nolog,skipAfter:959009"
SecAction "phase:2,auditlog,nolog,skipAfter:959007"
SecAction "phase:2,auditlog,nolog,skipAfter:959904"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:959906"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES" "@rx (?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\\b|lert\\b\\W*?\\(|sfunction:))|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b| ?(?:(?:script|meta)\\b|iframe)|!\\[cdata\\[)|(?:\\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\\@import)\\b)" "phase:2,pass,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:950004,tag:WEB_ATTACK/XSS,logdata:%{TX.0},severity:2"
SecAction "phase:2,auditlog,nolog,skipAfter:959005"
SecRule "ARGS" "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" "phase:2,auditlog,t:none,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
SecRule "ARGS" "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" "phase:2,auditlog,t:none,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" "phase:2,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
SecAction "phase:2,auditlog,nolog,skipAfter:959013"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/*" "@rx (?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:950911,logdata:%{TX.0},severity:1"
SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"

--77c2ac00-Z--
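The audit log above is a textbook false positive: the newsletter body submitted in the message parameter is HTML by design, so the leading <html> and <meta tags match CRS 1.6.1 rule 950911 (which is configured with deny,status:400 and is what actually produced the 400) and rule 950004 (configured with pass, so it only warns). The usual fix is not to edit the CRS files but to add a small exclusion, scoped as tightly as the log allows, in a file loaded after the core rule set. The configuration below is an added example and not code from the original post, ModSecurity or the Core Rule Set; the path /cgi-bin/rsubee/s.pl and the rule ids 950004 and 950911 are taken from the audit log, while the rule id 1001 is an assumed value in the local id range, and the placement after the CRS Include is assumed to match the reader's httpd layout.

```apache
# Added example (not from the original post, ModSecurity or the CRS):
# a per-path exclusion for the two CRS 1.6.1 rules that fire on the
# SubscribeMe Pro newsletter body. Load this AFTER the core rule set
# (i.e. after the Include of the modsecurity_crs_*.conf files) so the
# ctl actions refer to rules that are already defined.
<IfModule security2_module>
    # Phase 1 runs before the CRS phase-2 rules, so the ctl actions below
    # drop 950004 and 950911 for this single request only; every other
    # CRS rule still runs against it. Rule id 1001 is an assumed local id.
    SecRule REQUEST_FILENAME "@streq /cgi-bin/rsubee/s.pl" \
        "phase:1,id:1001,t:none,nolog,pass,chain"
        # Chained: only the POST that carries the newsletter is relaxed;
        # GET requests to the same script keep the full rule set.
        SecRule REQUEST_METHOD "@streq POST" \
            "t:none,ctl:ruleRemoveById=950004,ctl:ruleRemoveById=950911"
</IfModule>

# On ModSecurity 2.6 and later (not the 2.5.9 in the log) the narrower
# form keeps both rules active and excludes only the offending parameter:
#   SecRuleUpdateTargetById 950004 "!ARGS:message"
#   SecRuleUpdateTargetById 950911 "!ARGS:message"
```

Whichever form is used, the exclusion means the WAF no longer inspects that parameter on that path, so the CGI itself has to be the control over what goes into message; keeping the exclusion limited to one path and one method, and leaving the audit log enabled for the request, is what makes a later review of that traffic still possible.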