SecAuditEngine On SecAuditLog logs/audit_log #SecAuditLogParts ABCEFHZ SecFilterEngine On SecFilterCheckUnicodeEncoding Off SecAuditLog /usr/local/apache/logs/audit_log SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckCookieFormat On SecFilterNormalizeCookies On # enable version 1 (RFC 2965) cookies SecFilterCookieFormat 1 SecServerResponseToken Off SecFilterDefaultAction "deny,log,status:403" #SecFilterForceByteRange 1 255 SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" #SecUploadDir /tmp/webfiles #SecUploadApproveScript /usr/local/apache/htdocs/script.pl #SecUploadKeepFiles On #LogFormat "%h %l %u %t \"%r\" %>s %{mod_security-body}n #SecFilterSelective ARGS "bin/" #SecFilter "delete[[:space:]]+from" #SecFilter "insert[[:space:]]+into" #SecFilter "select.+from" #FrontPage SecFilter "_vti_bin" allow SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass SecFilterSelective THE_REQUEST "/authors\.pwd" pass SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass SecFilterSelective THE_REQUEST "/administrators\.pwd" pass SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass SecFilterSelective THE_REQUEST "/_private/register\.txt" pass SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass SecFilterSelective THE_REQUEST "/service\.pwd" pass SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass SecFilterSelective THE_REQUEST "/users\.pwd" pass SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass SecFilterSelective THE_REQUEST "/_private/register\.htm" pass SecFilterSelective THE_REQUEST "/_vti_bin/" pass SecFilterSelective THE_REQUEST "/admin/index.php" pass,nolog SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog # NO THANK YOU #SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|]" pass,nolog # SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|]" pass,nolog SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog SecFilterInheritance Off #Cubecart Aug30,2006 SecFilter "PKG_PATH_INCL" SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'" SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'" SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'" SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'" #e-mail collectors and spammers SecFilterSelective HTTP_USER_AGENT "WebBandit" SecFilterSelective HTTP_USER_AGENT "WEBMOLE" SecFilterSelective HTTP_USER_AGENT "Telesoft*" SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor" SecFilterSelective HTTP_USER_AGENT "CherryPicker*" SecFilterSelective HTTP_USER_AGENT NICErsPRO SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" SecFilterSelective HTTP_USER_AGENT EmailSiphon SecFilterSelective HTTP_USER_AGENT Extractorpro SecFilterSelective HTTP_USER_AGENT webbandit SecFilterSelective HTTP_USER_AGENT EmailCollector SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" SecFilterSelective HTTP_USER_AGENT EmailWolf #Spiders that eat up bandwidth for their customers #Not a spammer, just a spider, comment out if you like SecFilterSelective HTTP_USER_AGENT "CopyRightCheck" SecFilterSelective HTTP_USER_AGENT "CopyGuard" SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader" #MArketing spiders SecFilterSelective HTTP_USER_AGENT "Zeus .*Webster Pro*" #Poker spam SecFilterSelective HTTP_USER_AGENT "8484 Boston Project" #collectors SecFilterSelective HTTP_USER_AGENT "autoemailspider" SecFilterSelective HTTP_USER_AGENT "ecollector" SecFilterSelective HTTP_USER_AGENT "grub crawler" #referrer spam, not the real weblogs SecFilterSelective HTTP_USER_AGENT "^www\.weblogs\.com" #spam bots SecFilterSelective HTTP_USER_AGENT "DTS Agent" SecFilterSelective HTTP_USER_AGENT "POE-Component-Client" SecFilterSelective HTTP_USER_AGENT "WISEbot" SecFilterSelective HTTP_USER_AGENT "^Shockwave Flash" SecFilterSelective HTTP_USER_AGENT "Missigua" #comment spam sign SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE" #Some regexps to catch silly bots SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$" #SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?$(Windows|Linux|(IE )?Compatible)$)$" #SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 $X11; U; Linux i686; en-US; rv\:0\.9\.6\+$ Gecko/2001112$" #SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ $compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*$?$" #SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$" #spammer SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1" SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru" #Fake Gameboy UA SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo" #bogus amiga UA SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4" #exploit UA SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0" #bogus googlebot UA SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot" #recently caught sending spam referrals, from their actual crawler IP SecFilterSelective HTTP_USER_AGENT "BecomeBot" #Suverybot #SecFilterSelective HTTP_USER_AGENT "SurveyBot" #exploit SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\." SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2" SecFilterSelective HTTP_USER_AGENT "Kenjin Spider" #WebvulnScan SecFilterSelective HTTP_USER_AGENT "WebVulnScan" #broken spam tool #SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" #PHPBB worm UA SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX" #fake UA SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent" #exploit SecFilterSelective HTTP_USER_AGENT "Internet-exprorer" # Bad Spider SecFilterSelective HTTP_USER_AGENT "hl_ftien_spider" SecFilterSelective THE_REQUEST "\.frauenfinanzzentrum\.at" SecFilterSelective THE_REQUEST "von-der-igelhoehe\.de" SecFilterSelective THE_REQUEST "danger-soft\.com" SecFilterSelective THE_REQUEST "\.altunerhost\.com" SecFilterSelective THE_REQUEST "\.netfast\.org" SecFilterSelective THE_REQUEST "\.redcrew\.de" SecFilterSelective THE_REQUEST "uarg\.unpa\.edu\.ar" SecFilterSelective THE_REQUEST "(\.|/)wileyc\.edu/" SecFilterSelective THE_REQUEST "\.albacrew\.us/" SecFilterSelective THE_REQUEST "\.tebel-gmbh\.de/" SecFilterSelective THE_REQUEST "(/|\.)defensacivil\.gov\.ec/" SecFilterSelective THE_REQUEST "\.kalin\.ru/" SecFilterSelective THE_REQUEST "tckct\.co\.uk" SecFilterSelective THE_REQUEST "\.extremus\.info/" SecFilterSelective THE_REQUEST "\.parit\.org/" SecFilterSelective THE_REQUEST "\.awardspace\.com" SecFilterSelective THE_REQUEST "\.albados\.com" SecFilterSelective THE_REQUEST "\.cside21\.com/" SecFilterSelective THE_REQUEST "200\.24\.117\.125" SecFilterSelective THE_REQUEST "elitemorgan\.com/" SecFilterSelective THE_REQUEST "\acesso\.t35\.com" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/jefferyladun/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/xpl_gibson/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/kelvinkappa1/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/damon_shaft/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/gettoprince4u/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/brennanventures/" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/solohackerlinks/" SecFilterSelective THE_REQUEST "(\.|/)albahost\.host\.sk/" SecFilterSelective THE_REQUEST "uarg\.unpa\.edu\.ar/" SecFilterSelective THE_REQUEST "\.manhattanservice\.com" SecFilterSelective THE_REQUEST "\.kurddomain\.net" SecFilterSelective THE_REQUEST "elmorgan\.com\.ar" SecFilterSelective THE_REQUEST "61\.1\.197\.244" SecFilterSelective THE_REQUEST "home\.arcor\.de" SecFilterSelective THE_REQUEST "\.turx\.nl" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/albacr3w/" SecFilterSelective THE_REQUEST "\.ifrance\.com" SecFilterSelective THE_REQUEST "pivadesign\.com\.br" SecFilterSelective THE_REQUEST "\.pc-phasechange\.it" SecFilterSelective THE_REQUEST "ciberia\.ya\.com" SecFilterSelective THE_REQUEST "\.starhack\.org" SecFilterSelective THE_REQUEST "sweet-serenity\.org" SecFilterSelective THE_REQUEST "\.uol\.com\.br" SecFilterSelective THE_REQUEST "aviozone\.com" SecFilterSelective THE_REQUEST "mptechno\.cz" SecFilterSelective THE_REQUEST "\.piranho\.de" SecFilterSelective THE_REQUEST "\.lilspage\.de" SecFilterSelective THE_REQUEST "209\.136\.48\.69" SecFilterSelective THE_REQUEST "216\.12\.103\.29" SecFilterSelective THE_REQUEST "209\.232\.227\.224" SecFilterSelective THE_REQUEST "200\.72\.130\.29" SecFilterSelective THE_REQUEST "209\.123\.16\.34" SecFilterSelective THE_REQUEST "\.mitchellwhite\.com" SecFilterSelective THE_REQUEST "full-comandos\.com" SecFilterSelective THE_REQUEST "members\.lycos\.co\.uk/tiara" SecFilterSelective THE_REQUEST "sharonfamilyandtravel\.com" SecFilterSelective THE_REQUEST "72\.18\.195\.161" SecFilterSelective THE_REQUEST "geocities\.com/hitam_putih_dalnet/" SecFilterSelective THE_REQUEST "cyberspiderwebdesign\.com" SecFilterSelective THE_REQUEST "\.softcarein\.com" SecFilterSelective THE_REQUEST "\.netmisphere2\.com" SecFilterSelective THE_REQUEST "juniorenkammer\.be" SecFilterSelective THE_REQUEST "\.itunisie\.com" SecFilterSelective THE_REQUEST "mitchellgeo\.com" SecFilterSelective THE_REQUEST "hackexpert\.net" SecFilterSelective THE_REQUEST "agi-zagi\.co\.kr" SecFilterSelective THE_REQUEST "\.f1-kingpin\.de" SecFilterSelective THE_REQUEST "(http|https|ftp)\:/.*\.free\.fr" SecFilterSelective THE_REQUEST "www\.designerwear\.co\.uk" SecFilterSelective THE_REQUEST "(http|https|ftp)\:/.*\.i8\.com" SecFilterSelective THE_REQUEST "danzarte\.cl" SecFilterSelective THE_REQUEST "\.ripway\.com" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "128\.173\.40\.113" SecFilterSelective THE_REQUEST "\.lycos\.co\.uk/metlak/" SecFilterSelective THE_REQUEST "\.xcop\.biz/" SecFilterSelective THE_REQUEST "sca\.postech\.ac\.kr" SecFilterSelective THE_REQUEST "www\.aauto\.no" SecFilterSelective THE_REQUEST "dsoulzin\.net" SecFilterSelective THE_REQUEST "\.altervista\.org" SecFilterSelective THE_REQUEST "\.yatas\.com" SecFilterSelective THE_REQUEST "bocor-team\.org" SecFilterSelective THE_REQUEST "s0l4r1sr0x\.com" SecFilterSelective THE_REQUEST "209\.16\.85\.15" SecFilterSelective THE_REQUEST "217\.160\.242\.90" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "216\.15\.209\.12" SecFilterSelective THE_REQUEST "216\.103\.82\.214" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es/angienuka" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es/saxalt/" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/hackersclup" SecFilterSelective THE_REQUEST "spykids\.info" SecFilterSelective THE_REQUEST "smellthecoffee\.com" SecFilterSelective THE_REQUEST "\.nana\.co\.il" SecFilterSelective THE_REQUEST "yavnek12\.co\.il" SecFilterSelective THE_REQUEST "billing\.veloxinternet\.com/" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es" SecFilterSelective THE_REQUEST "217\.114\.109\.11" SecFilterSelective THE_REQUEST "217\.160\.255\.44" SecFilterSelective THE_REQUEST "217\.160\.242\.90" SecFilterSelective THE_REQUEST "148\.81\.141\.12" SecFilterSelective THE_REQUEST "131\.155\.98\.128" SecFilterSelective THE_REQUEST "212\.114\.84\.18" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "192\.112\.220\.37" SecFilterSelective THE_REQUEST "pc-clinic\.fr" SecFilterSelective THE_REQUEST "clientes\.netvisao\.pt" SecFilterSelective THE_REQUEST "\.sanicentrum\.be" SecFilterSelective THE_REQUEST "www\.brain\.net\.pk" SecFilterSelective THE_REQUEST "web\.un1xtech\.com" SecFilterSelective THE_REQUEST "\.schost\.com\.br/" SecFilterSelective THE_REQUEST "neto5a\.iitalia\.com" SecFilterSelective THE_REQUEST "mesahigh\.com" SecFilterSelective THE_REQUEST "216\.111\.31\.2" SecFilterSelective THE_REQUEST "24\.224\.174\.18" SecFilterSelective THE_REQUEST "\.mcarthur.\org" SecFilterSelective THE_REQUEST "\.v10\.com\.br/" SecFilterSelective THE_REQUEST "agaman\.net" SecFilterSelective THE_REQUEST "\.what-a-pair\.com" SecFilterSelective THE_REQUEST "62\.101\.193\.244" SecFilterSelective THE_REQUEST "\.tutoworld\.org" SecFilterSelective THE_REQUEST "jupiterhost\.net/" SecFilterSelective THE_REQUEST "\.iyscrew\.com" SecFilterSelective THE_REQUEST "\.server4free\.de" SecFilterSelective THE_REQUEST "\.tikla\.org" SecFilterSelective THE_REQUEST "\.dps-ct\.com/" SecFilterSelective THE_REQUEST "66\.235\.216\.137" SecFilterSelective THE_REQUEST "labserver\.veter\.ucv\.ve" SecFilterSelective THE_REQUEST "\.eformidler\.dk" SecFilterSelective THE_REQUEST "febronio\.org" SecFilterSelective THE_REQUEST "zavisnici\.com" SecFilterSelective THE_REQUEST "\.2x4\.ru" SecFilterSelective THE_REQUEST "\.k4boom\.biz" SecFilterSelective THE_REQUEST "theperfecttitle\.com" SecFilterSelective THE_REQUEST "\.yhrhosting\.com" SecFilterSelective THE_REQUEST "\.nitrofx\.com" SecFilterSelective THE_REQUEST "(/|\.)ownsalldomains\.org" SecFilterSelective THE_REQUEST "(/|\.)ocktober\.com" SecFilterSelective THE_REQUEST "\.s5\.com" SecFilterSelective THE_REQUEST "\.systemcrew\.net" SecFilterSelective THE_REQUEST "www\.tutoworld\.org" SecFilterSelective THE_REQUEST "\.supereva\.it/" SecFilterSelective THE_REQUEST "\.frsirt\.com" SecFilterSelective THE_REQUEST "(www\.|/)geocities\.com/anangkd" SecFilterSelective THE_REQUEST "geocities\.com/anugerahnet" SecFilterSelective THE_REQUEST "(www\.|/)geocities\.com/bacardi_marv" SecFilterSelective THE_REQUEST "\.geocities\.com/" SecFilterSelective THE_REQUEST "/geocities\.com/" SecFilterSelective THE_REQUEST "\.freshmaker\.us" SecFilterSelective THE_REQUEST "packetx\.org" SecFilterSelective THE_REQUEST "\.de-soc-mac\.de" SecFilterSelective THE_REQUEST "\.leohissa\.oi\.com\.br" SecFilterSelective THE_REQUEST "\.fig0\.com" SecFilterSelective THE_REQUEST "\.brasilhoster\.net" SecFilterSelective THE_REQUEST "\.riteweld\.com" SecFilterSelective THE_REQUEST "216\.111\.31\.2" SecFilterSelective THE_REQUEST "\.fineca\.net" SecFilterSelective THE_REQUEST "r00nin\.vila\.bol\.com\.br" SecFilterSelective THE_REQUEST "\.bol\.com\.br" SecFilterSelective THE_REQUEST "freewebbe\.supereva\.it" SecFilterSelective THE_REQUEST "asianfiles\.deluxepass\.com" SecFilterSelective THE_REQUEST "sei26\.tripod\.com" SecFilterSelective THE_REQUEST "gigachat\.net" SecFilterSelective THE_REQUEST "www\.sos-deces\.be" SecFilterSelective THE_REQUEST "\.sosha\.it/" SecFilterSelective THE_REQUEST "\.pbholland\.com" SecFilterSelective THE_REQUEST "\.newtontidy\.com" SecFilterSelective THE_REQUEST "\.barretttree\.com" SecFilterSelective THE_REQUEST "agaman\.net" SecFilterSelective THE_REQUEST "anti-clones\.com" SecFilterSelective THE_REQUEST "www\.members\.lycos\.nl/sesli" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/toolsandcmd/" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/" SecFilterSelective THE_REQUEST "chancom\.webpal\.info" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/h4x0r_club/" SecFilterSelective THE_REQUEST "\.argaio\.net" SecFilterSelective THE_REQUEST "baixinhoo\.hpgvip\.com\.br" SecFilterSelective THE_REQUEST "\.zeldalegacies\.com" SecFilterSelective THE_REQUEST "simbafriends\.com/" SecFilterSelective THE_REQUEST "webshells\.org" SecFilterSelective THE_REQUEST "groupiys\.net" SecFilterSelective THE_REQUEST "megahostbr\.com" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/slash_slink" SecFilterSelective THE_REQUEST "\.357is\.com" SecFilterSelective THE_REQUEST "northfox\.uw\.hu" SecFilterSelective THE_REQUEST "\.dynalith\.com" SecFilterSelective THE_REQUEST "\.xplmanager\.com" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/thoronnn/" SecFilterSelective THE_REQUEST "\.terra\.com\.br/" SecFilterSelective THE_REQUEST "f58\.aaacafe\.ne.\jp/" SecFilterSelective THE_REQUEST "www\.derf\.hpgvip\.ig\.com\.br/" SecFilterSelective THE_REQUEST "rodrigo\.hcerto\.com/" SecFilterSelective THE_REQUEST "\.terror\.as\.ro/" SecFilterSelective THE_REQUEST "\.tntt\.org/meu/" SecFilterSelective THE_REQUEST "\.syscore\.hpgvip\.com\.br/" SecFilterSelective THE_REQUEST "\.hpgvip\.com\.br/" SecFilterSelective THE_REQUEST "ijoo\.homelinux\.com/" SecFilterSelective THE_REQUEST "\.derf\.hpgvip\.ig\.com\.br/" SecFilterSelective THE_REQUEST "\.100free\.com/" SecFilterSelective THE_REQUEST "\.lorenzo4ever\.de/" SecFilterSelective THE_REQUEST "visualcoders\.net/" SecFilterSelective THE_REQUEST "\.fendora\.net" SecFilterSelective THE_REQUEST "gigashell\.org/" SecFilterSelective THE_REQUEST "\.prir0x\.com/" SecFilterSelective THE_REQUEST "geocities\.com/madb0ss/" SecFilterSelective THE_REQUEST "geocities\.com/sapulinux/" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/dh4x0r/" SecFilterSelective THE_REQUEST ".*\.verizon\.net\.do/carlos.*" SecFilterSelective THE_REQUEST "mi\.verizon\.net\.do/carlos.*" SecFilterSelective THE_REQUEST "\.stanlley\.ubbi\.com\.br/" SecFilterSelective THE_REQUEST "xthost\.info/" SecFilterSelective THE_REQUEST "yaoibr\.vila\.bol\.com\.br/" SecFilterSelective THE_REQUEST "geocities\.com/catalin1713/" SecFilterSelective THE_REQUEST "visualcoders\.net/spy\." SecFilterSelective THE_REQUEST "\.digitalmedia\.org\.mk" SecFilterSelective THE_REQUEST "pharoeste\.net" SecFilterSelective THE_REQUEST "userbr\.info" SecFilterSelective THE_REQUEST "\.foxcf\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "medicine\.bjmu\.edu\.cn" SecFilterSelective THE_REQUEST "\.blueconnection\.com\.br" SecFilterSelective THE_REQUEST "\.ph4nt4sm4\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "\.mvhosted\.com" SecFilterSelective THE_REQUEST "\.0catch\.com" SecFilterSelective THE_REQUEST "newton\.100free\.com" SecFilterSelective THE_REQUEST "\.forplay\.com\.br" SecFilterSelective THE_REQUEST "\.geocities\.com/my_lusy" SecFilterSelective THE_REQUEST "lol\.freecoolsite\.com" SecFilterSelective THE_REQUEST "winscp\.net" SecFilterSelective THE_REQUEST "\.karpit\.net" SecFilterSelective THE_REQUEST "www\.partyradio\.ca" SecFilterSelective THE_REQUEST "\.triple-hhh\.de" SecFilterSelective THE_REQUEST "\.gottablaze\.com" SecFilterSelective THE_REQUEST "xanutz\.3x\.ro" SecFilterSelective THE_REQUEST "geocities\.com/anak_indekost" SecFilterSelective THE_REQUEST "themis\.geocities\.yahoo\.com" SecFilterSelective THE_REQUEST "\.geocities\.com/my_sweet_cute/" SecFilterSelective THE_REQUEST "\.angelfire\.com/zine2/" SecFilterSelective THE_REQUEST "72\.20\.34\.[0-9]+" SecFilterSelective THE_REQUEST "animehost\.de" SecFilterSelective THE_REQUEST "home\.online\.no/~p-shahr" SecFilterSelective THE_REQUEST "indragostit\.net" SecFilterSelective THE_REQUEST "hdr\.atspace\.com" SecFilterSelective THE_REQUEST "\.thecurse\.pop\.com\.br" SecFilterSelective THE_REQUEST "www\.w3zone\.com" SecFilterSelective THE_REQUEST "freecoolsite\.com" SecFilterSelective THE_REQUEST "freewebs\.com" SecFilterSelective THE_REQUEST "\.geocities\.com/chnsekip" SecFilterSelective THE_REQUEST "webcindario\.com" SecFilterSelective THE_REQUEST "ripdisk\.ma\.cx" SecFilterSelective THE_REQUEST "sinanreklam\.net" SecFilterSelective THE_REQUEST "members\.cox\.net/xjasonx" SecFilterSelective THE_REQUEST "\.bh-net\.dk" SecFilterSelective THE_REQUEST "\.mediaserve\.net" SecFilterSelective THE_REQUEST "\.inchon\.ne\.kr" SecFilterSelective THE_REQUEST "\.noti-auto.\com\.ar" SecFilterSelective THE_REQUEST "go0gler\.com" SecFilterSelective THE_REQUEST "hackbox\.t35\.com" SecFilterSelective THE_REQUEST ".*\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "honestgame\.net" SecFilterSelective THE_REQUEST "\.ecobook\.or\.kr" SecFilterSelective THE_REQUEST "\.fasecolda\.com" SecFilterSelective THE_REQUEST "212\.50\.30\.60" SecFilterSelective THE_REQUEST "\.nbail\.com" SecFilterSelective THE_REQUEST "\.kit\.net/" SecFilterSelective THE_REQUEST "\.ubbi\.com\.br" SecFilterSelective THE_REQUEST "\.k4boom\.biz/" SecFilterSelective THE_REQUEST "00freehost\.com" #Sites that host remote shells, etc. SecFilterSelective THE_REQUEST "security-protocols\.com" #Known sources that leak thru proxies SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 69\.50\.182\.154 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 202\.81\.60\.58 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.252\.91" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 211\.185\.59\.124 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "209\.165\.131\.23" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.246\.22" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.89\.50\.28" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.208\.48" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "159\.148\.29\.158" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.188\.73" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "200\.168\.0\.246" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.90\.52" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.27\.2" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "195\.55\.222\.19" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.32\.81" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.150\.163\.82" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.237\.226\.70" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.96\.125\.38" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.97\.97\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.98\.122\.111" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.8\.64\.21" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.191\.119\.122" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.33\.104\.158" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.171\.131" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.109\.180\.3" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.37\.184\.196" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "83\.57\.132\.206" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.13\.249" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "85\.129\.229\.111" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "86\.60\.16\.81" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "172\.168\.0\.1" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.4\.62" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.123\.250\.184" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "212\.116\.209\.234" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.127\.56\.24" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.36\.245\.100" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.78\.98" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.91\.33" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "unsecure-services" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "205\.177\.122\.162" #bad proxies SecFilterSelective HTTP_FORWARDED "mangostino\.ut\.edu\.co" SecFilterSelective HTTP_FORWARDED ".*\.cnh\.com" SecFilterSelective HTTP_FORWARDED "phenix-prog-phr" SecFilterSelective HTTP_FORWARDED "alfred\.nssi\.telus\.com" SecFilterSelective HTTP_FORWARDED "wadsworth\.nssi\.telus\.com" SecFilterSelective HTTP_VIA "\.ownsalldomains\.org" SecFilterSelective HTTP_VIA "cache\.topflash\.co\.kr" SecFilterSelective HTTP_VIA "\.quasar\.net\.id:8080" SecFilterSelective HTTP_VIA "\.serverpronto\.com" SecFilterSelective HTTP_VIA "\.fetish-expert\.org" SecFilterSelective HTTP_VIA "proxy\.hwai\.edu\.tw" SecFilterSelective HTTP_VIA "interno-1-1\.edn\.org\.br" SecFilterSelective HTTP_VIA "\.pt-server1\.bt\.com" SecFilterSelective HTTP_VIA "1\.1 cache-test-dtv-kno" SecFilterSelective HTTP_VIA "kdnproxy\.kdn\.gov\.my" SecFilterSelective HTTP_VIA "\.wisdomchina\.com" SecFilterSelective HTTP_VIA "1\.1 PALACIOISA" SecFilterSelective HTTP_VIA "1\.1 cache7\:80 \(squid" SecFilterSelective HTTP_VIA "1\.1 www\.pt-server1\.bt\.com" SecFilterSelective HTTP_VIA "revProxy\.foredu\.com\.cn" SecFilterSelective HTTP_VIA "\.salmanetwork\.com" SecFilterSelective HTTP_VIA "\.warnet\.com" SecFilterSelective HTTP_VIA "moses\.frc\.org" SecFilterSelective HTTP_VIA "1\.0 SQCNT3" SecFilterSelective HTTP_VIA "phenix-prog-phr" SecFilterSelective HTTP_VIA "1\.0 TIETONG" SecFilterSelective HTTP_VIA "webshield\.beitberl\.ac\.il" SecFilterSelective HTTP_VIA "1\.1 www\.any\.com" SecFilterSelective HTTP_VIA "intra\.ckus\.rmutp\.ac\.th" SecFilterSelective HTTP_VIA "poczta\.prochowa12\.waw\.pl" SecFilterSelective HTTP_VIA "1\.1 ICACHE1" SecFilterSelective HTTP_VIA "1\.1 New-Proxy2" SecFilterSelective HTTP_VIA "1\.1 SERVEUR2000" SecFilterSelective HTTP_VIA "intra\.ckus\.rmutp\.ac\.th" SecFilterSelective HTTP_VIA "1\.1 PROXY, 1\.0 NC2100" SecFilterSelective HTTP_VIA "1\.1 www\.rolnas\.com\.pl" SecFilterSelective HTTP_VIA "1\.1 revproxy2" SecFilterSelective HTTP_VIA "1\.1 webmail\.siamcom\.co\.th" SecFilterSelective HTTP_VIA "1\.1 SMS2000\.tutsys\.com" SecFilterSelective HTTP_VIA "1\.1 CAE-SERVER" SecFilterSelective HTTP_VIA "1\.1 WORKGROU-OYOU4X" SecFilterSelective HTTP_VIA "1\.1 INKABANPINPROXY" SecFilterSelective HTTP_VIA "1\.1 DNS4" SecFilterSelective HTTP_VIA "1\.1 www\.rolnas\.com\.pl" SecFilterSelective HTTP_VIA "1\.1 DBSV1008" SecFilterSelective HTTP_VIA "1\.1 NEWISA" SecFilterSelective HTTP_VIA "1\.1 CPGATEWAY02" SecFilterSelective HTTP_VIA "1\.1 router\:3128 $KEN\!$" SecFilterSelective HTTP_VIA "1\.1 PROXYSRV\, 1\.0 supercache5" SecFilterSelective HTTP_VIA "1\.1 ATIPLS1" SecFilterSelective HTTP_VIA "1\.0 SMART\, 1\.0 LOIER2800\:" SecFilterSelective HTTP_VIA "1\.1 62\.93\.34\.160" SecFilterSelective HTTP_VIA "1\.1 fwall\.belcomct\.net" SecFilterSelective HTTP_VIA "1\.1 ZERT-EWDGNMVXUF" SecFilterSelective HTTP_VIA "1\.1 su\.tkp\.edu\.hk" #SecFilterSelective HTTP_VIA "HTTP/1\.1 proxy\[AC1.*" SecFilterSelective HTTP_VIA "HTTP/1\.1 proxy\[AC1E0247" SecFilterSelective HTTP_VIA "1\.1 compujuan\.com\.es" SecFilterSelective HTTP_VIA "1\.1 FEDERATION" #SecFilterSelective HTTP_VIA "1\.1 SERVER-ISA" SecFilterSelective HTTP_VIA "1\.1 EXACTWAPPROXY" SecFilterSelective HTTP_VIA "1\.1 GRNSERVER" SecFilterSelective HTTP_VIA "1\.1 www\.satem\.gob\.ve" SecFilterSelective HTTP_VIA "1\.1 nilcombi\.nilcom\.fr" SecFilterSelective HTTP_VIA "1\.1 cellulant\.lifeismobile\.com" SecFilterSelective HTTP_VIA "1\.1 SR2300-SE7501-H" SecFilterSelective HTTP_VIA "1\.1 www\.dmi\.es" #SecFilterSelective HTTP_VIA "1\.0 cache2\.jed" SecFilterSelective HTTP_VIA "1\.1 BRHCYBER" SecFilterSelective HTTP_VIA "1\.1 132\.110\.2\.12" SecFilterSelective HTTP_VIA "1\.1 .*\.pivotoffice\.com" SecFilterSelective HTTP_VIA "1\.1 .*\.mundo-r\.com" SecFilterSelective HTTP_VIA "1\.1 FAMILYCAREREHAB" SecFilterSelective HTTP_VIA "1\.1 INFORMASERVER" SecFilterSelective HTTP_VIA "1\.1 ITISA" #SecFilterSelective HTTP_VIA "1\.1 NetCache-CLNS-STACK-1" SecFilterSelective HTTP_VIA "1\.1 .*\.as5587\.net" SecFilterSelective HTTP_VIA "1\.1 Maua" SecFilterSelective HTTP_VIA "1\.1 JUNIOR" SecFilterSelective HTTP_VIA "1\.1 offsetinternet" SecFilterSelective HTTP_VIA ".*codevasf\.gov\.br" SecFilterSelective HTTP_VIA "1\.1 www\.aha\.at" SecFilterSelective HTTP_VIA "1\.1 ucavilapruebas\.es" SecFilterSelective HTTP_VIA "1\.1 .*\.insightfirst\.com" SecFilterSelective HTTP_VIA "1\.1 if3\.insightfirst\.com" SecFilterSelective HTTP_VIA "1\.1 SERV132" SecFilterSelective HTTP_VIA "1\.1 CacheFORCE" SecFilterSelective HTTP_VIA "1\.1 dgc-squid" #SecFilterSelective HTTP_VIA "1\.1 CS6200C" SecFilterSelective HTTP_VIA "1\.1 NTS-SERVER" SecFilterSelective HTTP_VIA "1\.1 AJF-JTC-ISA01" SecFilterSelective HTTP_VIA "1\.1 neptun\.ci\.uw\.edu\.pl" SecFilterSelective HTTP_VIA "1\.1 2-net\.ro" SecFilterSelective HTTP_VIA "1\.1 .*\.usscript\.com" SecFilterSelective HTTP_VIA "1\.1 SSIP_SERVER3" SecFilterSelective HTTP_VIA "1\.1 SYVKOV422GX" SecFilterSelective HTTP_VIA "1\.1 .*\.arbuzowa\.net" SecFilterSelective HTTP_VIA "1\.1 www\.kevsclub\.com" SecFilterSelective HTTP_VIA "1\.0 KALIMBA" SecFilterSelective HTTP_VIA "1\.0 NETOUT-SERVER" SecFilterSelective HTTP_VIA "1\.0 NTMARVWALL01" SecFilterSelective HTTP_VIA "1\.0 PROXYSES2" SecFilterSelective HTTP_VIA "1\.0 ptcdb\.edu\.ps" SecFilterSelective HTTP_VIA "1\.0 px1nr $NetCache NetApp/5\.6\.1D25$" SecFilterSelective HTTP_VIA "1\.0 px8so $NetCache NetApp/5\.6\.1D25$" SecFilterSelective HTTP_VIA "1\.0 SERV132, 1\.0 netcache1 $NetCache NetApp/6\.0\.1$" SecFilterSelective HTTP_VIA "1\.0 TEKIYA02 $NetCache NetApp/5\.6\.2$, TEKIYA03, 1\.0 TEKIYA02 $NetCache NetApp/5\.6\.2$" #SecFilterSelective HTTP_VIA "1\.1 10\.0\.1\.20" #SecFilterSelective HTTP_VIA "1\.1 127\.0\.0\.1" SecFilterSelective HTTP_VIA "1\.1 146\.83\.216\.207" SecFilterSelective HTTP_VIA "1\.1 202\.88\.250\.211" SecFilterSelective HTTP_VIA "1\.1 213\.155\.209\.204" SecFilterSelective HTTP_VIA "1\.1 accel10\.click21\.com\.br" SecFilterSelective HTTP_VIA "1\.1 alcyonix\.dyndns\.ws" SecFilterSelective HTTP_VIA "1\.1 athos\.chem\.demokritos\.gr" SecFilterSelective HTTP_VIA "1\.1 ATIPLS1" SecFilterSelective HTTP_VIA "1\.1 BBSM52" #SecFilterSelective HTTP_VIA "1\.1 bnb-cache1 $NetCache NetApp.*$, 1\.1 rba-cache1" SecFilterSelective HTTP_VIA "1\.1 cacheB\.ipko\.net" SecFilterSelective HTTP_VIA "1\.1 CAE-SERVER" SecFilterSelective HTTP_VIA "1\.1 CATHODE" SecFilterSelective HTTP_VIA "1\.1 cha-cache1 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 CSB-NC2 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 cuchimilco\.huaral\.org" SecFilterSelective HTTP_VIA "1\.1 DBSV1008" SecFilterSelective HTTP_VIA "1\.1 dns2\.araxa\.com\.br" SecFilterSelective HTTP_VIA "1\.1 EMERSON, 1\.0 C6100 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 EPPD_SERVER" SecFilterSelective HTTP_VIA "1\.1 fox-server1\.foxschool\.lan" SecFilterSelective HTTP_VIA "1\.1 http-istcf1" SecFilterSelective HTTP_VIA "1\.1 JUNIOR" #SecFilterSelective HTTP_VIA "1\.1 lnac2 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 LTSP03\.glenwood\.k12\.mo\.us" #SecFilterSelective HTTP_VIA "1\.1 MAILSERVER" SecFilterSelective HTTP_VIA "1\.1 natty\.intranet" #SecFilterSelective HTTP_VIA "1\.1 netcache1-ctn \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 netcache1 \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 NetCache3 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 NetCache-CLNS-STACK-1 \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 nme-nxg-pr1\.tpg\.com\.au" SecFilterSelective HTTP_VIA "1\.1 no-dns\.as5587\.net" SecFilterSelective HTTP_VIA "1\.1 ns07\.contentex\.net" SecFilterSelective HTTP_VIA "1\.1 NYNETSRV01" SecFilterSelective HTTP_VIA "1\.1 OTXXSERV" SecFilterSelective HTTP_VIA "1\.1 proxy\.marshall\.k12\.wi\.us" SecFilterSelective HTTP_VIA "1\.1 SERV132, 1\.0 netcache1 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 SERVER-ISA" SecFilterSelective HTTP_VIA "1\.1 SERVEUR-CYBER" SecFilterSelective HTTP_VIA "1\.1 slave02\.terrarica\.net" SecFilterSelective HTTP_VIA "1\.1 SMS2000\.tutsys\.com" SecFilterSelective HTTP_VIA "1\.1 spacebears" SecFilterSelective HTTP_VIA "1\.1 squid2-sydny\.eftel\.com" SecFilterSelective HTTP_VIA "1\.1 SSIP_SERVER3" SecFilterSelective HTTP_VIA "1\.1 SYVKOV422GX" SecFilterSelective HTTP_VIA "1\.1 trixie" SecFilterSelective HTTP_VIA "1\.1 wc-02 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 webmail\.siamcom\.co\.th" SecFilterSelective HTTP_VIA "1\.1 www\.arbuzowa\.net" SecFilterSelective HTTP_VIA "1\.1 www\.gkcabunoc\.com" SecFilterSelective HTTP_VIA "1\.1 addyon\.webair\.com" SecFilterSelective HTTP_VIA "1\.1 alcyonix\.dyndns\.ws" SecFilterSelective HTTP_VIA "1\.1 proxy\.pcdl\.gov\.br" SecFilterSelective HTTP_VIA "1\.1 ichigo\.icsmail\.net" SecFilterSelective HTTP_VIA "1\.1 80\.177\.18\.74" SecFilterSelective HTTP_VIA "1\.1 raptor[0-9][a-z]\.watchdog\.net\.nz" SecFilterSelective HTTP_VIA "1\.0 proxy[0-9]\..*\.maxnet\.net\.nz" SecFilterSelective HTTP_VIA "1\.0 proxy[0-9]\.akl[0-9]\.maxnet\.net\.nz" SecFilterSelective HTTP_VIA "1\.1 POMGFIREWALL" SecFilterSelective HTTP_VIA "1\.1 alfred\.nssi\.telus\.com" SecFilterSelective HTTP_VIA "1\.1 .*\.acdi-cida\.gc\.ca" SecFilterSelective HTTP_VIA "CIDA13\.acdi-cida\.gc\.ca" #generic sig for a bad site SecFilterSelective REQUEST_URI "(http|https|ftp).*\.exs\.cx/.*/nc4hk\.swf" #XSS insertion into Content-Type SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" id:300002 SecFilterSelective HTTP_Transfer-Encoding "chunked" SecFilter "name=PNphpBB2" #SecFilter "file=http" SecFilter "file=ftp" SecFilter "PNphpBB2" #SecFilter "action=http" SecFilter "cmd\.txt" SecFilter "tool25\.txt" SecFilter "tool.\txt" SecFilter "\/var\/tmp\/cx" SecFilter "\/tmp\/cx" #SecFilter "lwp-download" SecFilter "tool25\.png" SecFilter "freewebtown\.com" SecFilter "freewebtown" SecFilter "PKG_PATH_INCL" SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain SecFilterSelective REQUEST_URI "=(www|ftp)\:/(.+)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|asp)\?" SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp) " SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?" SecFilterSelective REQUEST_URI "/\.it/viewde" SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?" #Known rootkits SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecFilterSelective REQUEST_URI "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool25\.(jpg|dat|asp)\?" #other known tools SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php" #New kit SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)" #new kir SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)=" #suntzu SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" #proxysx.gif? SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt|asp|png)\?" #phpbackdoor SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" #new unknown kit SecFilterSelective REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs, pretty low, but here to catch # any lose threads, honeypoting, etc. SecFilterSelective THE_REQUEST "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" SecFilterSelective REQUEST_URI "/phpterm" SecFilter "jpage=\.\./" # Prevent OS specific keywords #if they typo SecFilter /etc/password #or else SecFilter /etc/passwd # Prevent path traversal (..) attacks #SecFilter "\.\./\.\." # Weaker XSS protection #SecFilter ".*.*.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>" #generic remote file inclusion vulns SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx" SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/" #Virus HTTP Challenge/Reponse Auth SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB" #catch smuggling attacks SecFilter "^(GET|POST).*Host:.*^(GET|POST)" #Drupal remote command execution vulnerability exploit signature #This is already covered in another generic signature, but just in case you leave it out, here it is #again with a slightly tigher regexp SecFilter "\<.*php .*$.*$\;system$.*$.*php*\>" #Slightly stronger version of the above SecFilter "\<.*php .*$.*$\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)$.*$.*php*\>" #Generic PHP attack sig SecFilterSelective THE_REQUEST "system$getenv\(HTTP_PHP$\)" #Generic Nessus request filter SecFilterSelective THE_REQUEST "NessusTest*\.html" #HTTP header PHP code injection attacks SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" #wormsign SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+" SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC" #phpbb wormsign SecFilterSelective THE_REQUEST "echo _GHC/RST_" #bogus graphics file SecFilterSelective HTTP_Content-Disposition "\.php" chain SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)" #wormsign SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC" #Special account protection SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$" SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" #XML-RPC generic attack sigs SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain SecFilter "(\" SecFilter "echo\x20YYY" SecFilter "cmd\.gif?" SecFilter "prepsybnc" SecFilter "prepsybnc\.tar\.gz" SecFilter "cmd\.txt" SecFilter "\x20bash;" SecFilter "200\.72\.130\.29" SecFilter "200\.207\.91\.25" SecFilter "62\.23\.221\.67" SecFilter "147\.142\.142\.24" SecFilter "62\.23\.221\.67 " SeCFilter "202\.143\.140\.151" SecFilterSelective THE_REQUEST "killop" SecFilterSelective THE_REQUEST "\/bash;chmod" SecFilter "ok0ok\.com" SecFilter "reds4arab" SecFilter "1397\.c" SecFilter "gicuji" SecFilter "test.\method" #SecFilter "methodName\>" #Rsgallery suspicious activity from bots SecFilter "rsgallery.html.php?" #Mcgallerypro (path_to_folder) Remote File Inclusion SecFilter "random2.php?" #Mambo XSS SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" id:300002 SecFilterSelective THE_REQUEST "^CONNECT " SecFilterSelective REQUEST_URI "\.php\?" chain SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)" SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" SecFilterSelective THE_REQUEST "\|*id\;echo*\|" SecFilterSelective ARGS "\|*id\;echo*\|" SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=$\.\x2B$/e\x00" SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl" SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com" SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "dsoul/tool\?" SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system$" SecFilterSelective THE_REQUEST "error_reporting\(.*$\;if$isset\(.*$\)\{system" SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu=" SecFilterSelective REQUEST_URI "anggands\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/vsf\.vsf\?&" SecFilterSelective REQUEST_URI "/scan1\.0/scan/" SecFilterSelective REQUEST_URI "test\.txt\?&" SecFilterSelective REQUEST_URI "\.k4ka\.txt\?" SecFilterSelective REQUEST_URI "/php\.txt\?" SecFilterSelective REQUEST_URI "/sql\.txt\?" SecFilterSelective REQUEST_URI "bind\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors" SecFilter "^GET (http|https|ftp)\:/" SecFilter "^HEAD (http|https|ftp)\:/" SecFilter "^POST (http|https|ftp)\:/" SecFilterSelective THE_REQUEST "^CONNECT " SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:" SecFilterSelective THE_REQUEST "/quick-reply\.php" chain SecFilter "phpbb_root_path=" SecFilter "rajayaseer" #SecFilter "\.images" SecFilter "THEME_DIR=http" SecFilter "cmd=cd\x20" SecFilter "chmod\x20744\x20cbac" SecFilter "&m=http" SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)" SecFilter "awstats\.pl?configdir=" #Proxy not wanted here SecFilterSelective THE_REQUEST "iframe\x20" SecFilter "iframe\x20" SecFilter "GET\x20http://" SecFilter "includedir=http" SecFilterSelective THE_REQUEST "GET http://" SecFilter "profile.php?mode=" SecFilter ".cgi/010" SecFilter ".cgi/110" SecFilter ".pl/110" SecFilter "0A/http" SecFilter "1A/http" SecFilter "viewtopic\.php\?" chain SecFilter "chr$([0-9]{1,3})$" "deny,log" SecFilter "write.php?skin=" SecFilter "bergkoch8" SecFilter "cgitelnet" SecFilter "nstview\.php" SecFilter "shell\.pl" SecFilter "shell\.php" SecFilter "nph-proxy" SecFilter "proxy\.cgi" SecFilter "proxy\.pl" SecFilter "000100A" SecFilter "http/www\." SecFilter "adxmlrpc.php" SecFilter "lupii" SecFilter "/cgi-bin/awstats/" SecFilter "/scgi-bin/awstats/" SecFilter "/cgi/awstats/" SecFilter "/scgi/awstats/" #More custom coding to avoid AWStats exploits, XMLRpc Exploits #and a little bit of this and that SecFilter "perl\x20kut" #SecFilter "/scripts/" SecFilter "/cgi-bin/stats/" SecFilter "/scgi-bin/stats/" #SecFilter "/stats/" #SecFilter "xmlrpc.php" SecFilter "xmlrpc" SecFilter "xml_rpc" SecFilter "xml-rpc" SecFilter "/cgi-bin/includer.cgi" SecFilter "/sgi-cgi/includer.cgi" SecFilter "/includer/cgi" SecFilter "/cgi-bin/include/includer\.cgi" SecFilter "/scgi-bin/include/includer\.cgi" SecFilter "/cgi-bin/inc/includer\.cgi" SecFilter "/scgi-bin/inc/includer\.cgi" SecFilter "/cgi-local/includer\.cgi" SecFilter "/scgi-local/includer\.cgi" SecFilter "/cgi/includer\.cgi" SecFilter "/scgi/includer\.cgi" SecFilter "/hints\.pl" SecFilter "/cgi/hints\.pl" SecFilter "/scgi/hints\.pl" SecFilter "/cgi-bin/hints\.pl" SecFilter "/scgi-bin/hints\.pl" SecFilter "/hints/hints\.pl" SecFilter "/cgi-bin/webhints/hints\.pl" SecFilter "/scgi-bin/webhints/hints\.pl" SecFilter "hints\.cgi" SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "perl " SecFilterSelective THE_REQUEST "curl " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/spool " SecFilterSelective THE_REQUEST "&highlight=%2527%252E " SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php " SecFilterSelective THE_REQUEST "cd /dev/shm " SecFilterSelective THE_REQUEST "cd /dev " SecFilterSelective THE_REQUEST "cd shm " SecFilter "/dev/shm" SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " SecFilterSelective THE_REQUEST "awstats\.pl?configdir" SecFilter "awstats\.pl" SecFilterSelective THE_REQUEST "/config\.php?v=1&DIR " SecFilterSelective THE_REQUEST "&highlight=%2527%252E " SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F\.php " #Formmail Spam Traps SecFilterSelective POST_PAYLOAD "Bcc:" SecFilterSelective POST_PAYLOAD "Bcc:\x20" SecFilterSelective POST_PAYLOAD "cc:" SecFilterSelective POST_PAYLOAD "cc:\x20" SecFilterSelective POST_PAYLOAD "bcc:" SecFilterSelective POST_PAYLOAD "bcc:\x20" SecFilterSelective POST_PAYLOAD "bcc: " SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$" SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$" #Generic attack rules pcre format #cross site scripting attempt IMG onerror or onload SecFilterSelective THE_REQUEST "\]expression[\s]*$" #cross site scripting attempt STYLE + EXPRESSION SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>" # cross site scripting attempt using XML SecFilterSelective THE_REQUEST "SCRIPT" #cross site scripting attempt executing hidden Javascript SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*$" #cross site scripting attempt executing hidden Javascript SecFilterSelective THE_REQUEST "window\.execScript[\s]*$" #cross site scripting HTML Image tag set to javascript attempt SecFilterSelective THE_REQUEST "img src=javascript" #General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links) SecFilterSelective THE_REQUEST "\.php\?" chain SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]" #Experimental XML-RPC generic attack sigs #SecFilter "\'\,\'\'$\)\;" SecFilter "\\.*\'\)\;" #XML-RPC generic attack sigs SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain SecFilter "(\" #catch smuggling attacks SecFilter "^(GET|POST).*Host:.*^(GET|POST)" #Generic PHP attack sig SecFilterSelective THE_REQUEST "system$getenv\(HTTP_PHP$\)" #Generic Nessus request filter SecFilterSelective THE_REQUEST "NessusTest*\.html" #Generic PHP payload command injection and upload vulnerabilities SecFilterSelective POST_PAYLOAD "<\?php" chain SecFilter "((fputs|fread)$.*\,.*$\;|fsockopen$gethostbyname|chr\(.*$\.chr$.*$\.chr$|(fclose|fgets)\(.*$\;|(system|exec)$.*$\;)" chain SecFilter "\<\?php" #Generic XML RPC attack sig SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;" #HTTP header PHP code injection attacks SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" #wormsign SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+" SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC" #phpbb wormsign SecFilterSelective THE_REQUEST "echo _GHC/RST_" #Generic PHP avatar upload exploits SecFilterSelective REQUEST_URI "\.php" chain SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain SecFilter "\<\?php" chain SecFilter "\?>" #Fake image file shell attacvk SecFilterSelective HTTP_Content-Type "image/.*" SecFilterSelective POST_PAYLOAD "chr\(" #bogus graphics file SecFilterSelective HTTP_Content-Disposition "\.php" chain SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)" #wormsign SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC" SecFilterSelective THE_REQUEST "Bcc:" SecFilterSelective THE_REQUEST "Bcc:\x20" SecFilterSelective THE_REQUEST "cc:" SecFilterSelective THE_REQUEST "cc:\x20" SecFilterSelective THE_REQUEST "bcc:" SecFilterSelective THE_REQUEST "bcc:\x20" SecFilterSelective THE_REQUEST "bcc: " # RootKits SecFilterSelective REQUEST_URI "=(http|www|ftp)(.+)\.(c|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp)\?" SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?" SecFilterSelective THE_REQUEST "/\.it/viewde" SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)=" SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)=" SecFilterSelective THE_REQUEST "/cmd\.php\?&(command|cmd)=" SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)=" SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)=" SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp|png)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js" SecFilterSelective THE_REQUEST "/tool25\.js" #Known rootkits SecFilterSelective THE_REQUEST "perl xpl\.pl" SecFilterSelective THE_REQUEST "perl kut" SecFilterSelective THE_REQUEST "perl viewde" SecFilterSelective THE_REQUEST "perl httpd\.txt" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png)\?(cmd|command)=" SecFilterSelective THE_REQUEST "/tool25\.jpg\?" SecFilterSelective THE_REQUEST "/tool25\.dat\?" #other known tools SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/ssh\.php" SecFilterSelective THE_REQUEST "/ssh2\.php" SecFilterSelective THE_REQUEST "/sfdg2\.php" #New kit SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)" #new kir SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)=" #suntzu SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd=" SecFilterSelective THE_REQUEST "/suntzu.*\.php\?cmd=" SecFilterSelective HTTP_Content-Disposition "suntzu\.php" #proxysx.gif? SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?" #phpbackdoor SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd=" SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd=" #new unknown kit SecFilterSelective REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs, pretty low, but here to catch # any lose threads, honeypoting, etc. SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)" SecFilterSelective REQUEST_URI "/phpterm" #Frantastico worm SecFilterSelective THE_REQUEST "netenberg " SecFilterSelective THE_REQUEST "psybnc " SecFilterSelective THE_REQUEST "fantastico_de_luxe " SecFilterSelective THE_REQUEST "arta\.zip " #new unknown kits SecFilterSelective THE_REQUEST "/iblis\.htm\?" SecFilterSelective THE_REQUEST "/gif\.gif\?" SecFilterSelective THE_REQUEST "/go\.php\.txt\?" SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/zehir\.asp" SecFilterSelective THE_REQUEST "/aflast\.txt\?" SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd" SecFilterSelective THE_REQUEST "/t\.gif\?" SecFilterSelective THE_REQUEST "/phpbb_patch\?&" SecFilterSelective THE_REQUEST "/phpbb2_patch\?&" SecFilterSelective THE_REQUEST "/lukka\?&" #new kit SecFilterSelective THE_REQUEST "/c99shell\.txt" #remote bash shell SecFilterSelective REQUEST_URI "/shell\.php\&cmd=" SecFilterSelective ARGS "/shell\.php\&cmd=" #zencart exploit SecFilterSelective REQUEST_URI "/ipn\.php\?cmd=" #new pattern SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "dsoul/tool\?" #generic suntzu payload SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system$" SecFilterSelective THE_REQUEST "error_reporting\(.*$\;if$isset\(.*$\)\{system" SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu=" #25dec new one SecFilterSelective REQUEST_URI "anggands\.(gif|jpg|txt|bmp|png)\?" #26dec new kit SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/vsf\.vsf\?&" #27dec SecFilterSelective REQUEST_URI "/scan1\.0/scan/" SecFilterSelective REQUEST_URI "test\.txt\?&" #30dec SecFilterSelective REQUEST_URI "\.k4ka\.txt\?" #31dec SecFilterSelective REQUEST_URI "/php\.txt\?" #1 jan SecFilterSelective REQUEST_URI "/sql\.txt\?" SecFilterSelective REQUEST_URI "bind\.(gif|jpg|txt|bmp|png)\?" #22feb SecFilterSelective REQUEST_URI "/juax\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpg|txt|bmp|png)\?" #phpbb wormsign SecFilterSelective THE_REQUEST "echo _GHC/RST_" #Generic PHP avatar upload exploits SecFilterSelective REQUEST_URI "\.php" chain SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain SecFilter "\<\?php" chain SecFilter "\?>" #Fake image file shell attacvk SecFilterSelective HTTP_Content-Type "image/.*" SecFilterSelective POST_PAYLOAD "chr\(" #bogus graphics file SecFilterSelective HTTP_Content-Disposition "\.php" chain SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)" SecFilterSelective THE_REQUEST "psybnc " SecFilterSelective THE_REQUEST "fantastico_de_luxe " SecFilterSelective THE_REQUEST "arta\.zip " SecFilterSelective THE_REQUEST "phpbb_root_path=http" SecFilterSelective THE_REQUEST "/iblis\.htm\?" SecFilterSelective THE_REQUEST "/gif\.gif\?" SecFilterSelective THE_REQUEST "/go\.php\.txt\?" SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective THE_REQUEST "/zehir\.asp" SecFilterSelective THE_REQUEST "/aflast\.txt\?" SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd" SecFilterSelective THE_REQUEST "/t\.gif\?" SecFilterSelective THE_REQUEST "/phpbb_patch\?&" SecFilterSelective THE_REQUEST "/phpbb2_patch\?&" SecFilterSelective THE_REQUEST "/lukka\?&" SecFilterSelective THE_REQUEST "/c99shell\.txt" SecFilterSelective REQUEST_URI "/shell\.php\&cmd=" SecFilterSelective ARGS "/shell\.php\&cmd=" SecFilterSelective REQUEST_URI "/ipn\.php\?cmd=" SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "dsoul/tool\?" SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system$" SecFilterSelective THE_REQUEST "error_reporting\(.*$\;if$isset\(.*$\)\{system" SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu=" SecFilterSelective REQUEST_URI "anggands\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/vsf\.vsf\?&" SecFilterSelective REQUEST_URI "/scan1\.0/scan/" SecFilterSelective REQUEST_URI "test\.txt\?&" SecFilterSelective REQUEST_URI "\.k4ka\.txt\?" SecFilterSelective REQUEST_URI "/php\.txt\?" SecFilterSelective REQUEST_URI "/sql\.txt\?" SecFilterSelective REQUEST_URI "bind\.(gif|jpg|txt|bmp|png)\?" # Full Grouping of my Fantastico Exploit Fixes # Developed to fix Fantastico and Netenberg Kit SecFilter "arta\.zip" SecFilter "cmd=cd\x20/var" SecFilter "master_files" SecFilter "HCL_path" SecFilter "root\.txt" SecFilter "clamav-partial" SecFilter "vi\.recover" SecFilter "netenberg" SecFilter "pipe\.php" SecFilter "cse\.gif" SecFilter "psybnc" SecFilter "fantastico_de_luxe" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)=" SecFilter "highlight=%25" SecFilter "&m=http" SecFilter "configdir=" SecFilterSelective THE_REQUEST "&command=" SecFilterSelective THE_REQUEST "/dev/shm" #SecFilterSelective THE_REQUEST "\x20/tmp" SecFilterSelective THE_REQUEST "lynx\x20" SecFilter "wiki_up/gif\.ph(p(3|4)?|tml)$" SecFilter "wiki_up/ion\.ph(p(3|4)?|tml)$" SecFilter "wiki_up/jpg\.ph(p(3|4)?|tml)$" SecFilter "wiki_up/lala\.ph(p(3|4)?|tml)$" SecFilter "/phpshell\.ph(p(3|4)?|tml)$" SecFilter "/cmd\.txt" SecFilter "/shell\.ph(p(3|4)?|tml)$" SecFilter "cd_10th\.jpg" SecFilter "/tool20\.ph(p(3|4)?|tml)$" SecFilter "/tool20\.ph(p(3|4)?|tml)$" SecFilter "/temp/gif\.ph(p(3|4)?|tml)$" SecFilter "/temp/lala\.ph(p(3|4)?|tml)$" SecFilter "/phpterm" SecFilter "submit_btn" SecFilter "work_dir" # Various Form Mail Spammers - Their phishing # accounts are probably dead by now anyway... SecFilterSelective "POST_PAYLOAD" "jrubin3546@aol\.com" SecFilterSelective "POST_PAYLOAD" "killerhamster@punkass\.com" SecFilterSelective "POST_PAYLOAD" "wnacyiplay@aol\.com" SecFilterSelective "POST_PAYLOAD" "Homeiragtime@aol\.com" SecFilterSelective "POST_PAYLOAD" "kshmng@aol\.com" SecFilterSelective "POST_PAYLOAD" "bergkoch8@aol\.com" SecFilterSelective "POST_PAYLOAD" "mhkoch321@aol\.com" SecFilter "\./httpd" SecFilterSelective THE_REQUEST "\.php\?" chain SecFilter "(http|https|ftp)\:/" chain #SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|unam#e|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall #|rm \-[a-z|A-Z])" SecFilterSelective THE_REQUEST "\.php\?" chain SecFilter "(http|https|ftp)\:/" chain #SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|un#ame|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killal#l |rm \-[a-z|A-Z])" SecFilter "&rows=2" SecFilter "&m=http" SecFilter "poster=include" SecFilter "root\.txt" SecFilter "damn.tar.gz" SecFilterSelective THE_REQUEST "perl\x20myworm" SecFilterSelective THE_REQUEST "chmod\x20" SecFilterSelective THE_REQUEST "wget\x20" SecFilterSelective THE_REQUEST "uname\x20-a" SecFilterSelective THE_REQUEST "g\+\+\x20" SecFilterSelective THE_REQUEST "gcc\x20-o" SecFilterSelective THE_REQUEST "nmap\x20" SecFilter "/etc/shadow" SecFilter "/etc/passwd" SecFilterSelective THE_REQUEST "/etc/passwd" SecFilterSelective THE_REQUEST "/etc/shadow" SecFilterSelective THE_REQUEST "flood\.tar" SecFilter "udp\.pl" SecFilter "udp\.txt" SecFilter "tftp\x20" SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system$" SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\(" SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\(" SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\(" SecFilterSelective THE_REQUEST "/*\x0a\.pl" SecFilterSelective THE_REQUEST "/shoutbox\.php" chain SecFilter "\.\./" SecFilterSelective THE_REQUEST "/viewtopic\.php\?" chain SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})$" SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-(charset|width) " SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/" SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir\x20" SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)" SecFilterSelective THE_REQUEST "fwrite" chain SecFilterSelective THE_REQUEST "fopen" SecFilterSelective THE_REQUEST ".*\.php\?(do=.*&template=\{\$\{|inc=(http|https|ftp)\:/)" SecFilterSelective THE_REQUEST "/index\.php\?page=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/server-info" SecFilter "^(GET|POST).*Host:.*^(GET|POST)" SecFilterSelective THE_REQUEST "/modules\.php" chain SecFilter "name=.*\'.*UNION.*SELECT.*FROM.*users.*WHERE.*user_id=.*AND" SecFilter "&highlight=\'\.mysql_query\(" SecFilter "&highlight=\'\.fwrite\(fopen\(" SecFilter "&highlight=\x2527\x252Esystem\(" SecFilterSelective THE_REQUEST "/usr/bin/id" SecFilterSelective THE_REQUEST "/bin/kill" SecFilterSelective THE_REQUEST "/usr/bin/gcc" SecFilterSelective THE_REQUEST "/usr/bin/cc" SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" SecFilterSelective THE_REQUEST "/bin/ping" SecFilterSelective THE_REQUEST "/bin/mail" SecFilterSelective THE_REQUEST "/bin/ls" SecFilterSelective THE_REQUEST "/usr/sbin/httpd" SecFilterSelective THE_REQUEST "perl xpl\.pl" SecFilterSelective THE_REQUEST "perl kut" SecFilterSelective THE_REQUEST "perl viewde" SecFilterSelective THE_REQUEST "perl httpd\.txt" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)" SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt)\?(cmd|command)=" SecFilterSelective THE_REQUEST "/tool25\.jpg\?" SecFilterSelective THE_REQUEST "/tool25\.dat\?" SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)=" SecFilterSelective THE_REQUEST "/ssh\.php" SecFilterSelective THE_REQUEST "/ssh2\.php" SecFilterSelective THE_REQUEST "/sfdg2\.php" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)" #new kir SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)=" #suntzu SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd=" #proxysx.gif? SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?" #phpbackdoor SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd=" SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd=" #new unknown kit SecFilterSelective REQUEST_URI "/oops?&" SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)" SecFilterSelective REQUEST_URI "/phpterm" #new unknown kits SecFilterSelective THE_REQUEST "/iblis\.htm\?" SecFilterSelective THE_REQUEST "/gif\.gif\?" SecFilterSelective THE_REQUEST "/go\.php\.txt\?" SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/zehir\.asp" SecFilterSelective THE_REQUEST "/aflast\.txt\?" SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd" SecFilterSelective THE_REQUEST "/t\.gif\?" SecFilterSelective THE_REQUEST "/phpbb_patch\?&" SecFilterSelective THE_REQUEST "/phpbb2_patch\?&" SecFilterSelective THE_REQUEST "/lukka\?&" #Generic PHP exploit signatures SecFilter "\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec)$.*$\;" #generic XSS PHP attack types SecFilterSelective THE_REQUEST "\.php\?" chain SecFilter "javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)" #PHP remote path attach generic signature SecFilterSelective THE_REQUEST "\.ph(p(3|4)?)*/path=(http|https|ftp)" #phpAdsNew path disclosure SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-autotargeting\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php" SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>" #phpbb XSS SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/posting\.php\\?.*(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective THE_REQUEST "/privmsg\.php" chain SecFilter "\|(http|https|ftp)\:/)" #vBulletin Remote Command Execution Attempt SecFilterSelective THE_REQUEST "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui" SecFilterSelective THE_REQUEST "/forumdisplay\.php\?" chain SecFilter "\.system$.+$\." SecFilterSelective THE_REQUEST "/forumdisplay\.php\?*comma=" #PHPNuke general XSS attempt #/modules.php?name=News&file=article&sid=1&optionbox= SecFilterSelective THE_REQUEST "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>" SecFilterSelective THE_REQUEST "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>" # PHPNuke SQL injection attempt SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" SecFilterSelective THE_REQUEST "/modules\.php\?*name=(Search|Web_Links).*\'" #EasyDynamicPages exploit SecFilterSelective THE_REQUEST "edp_relative_path=" #Readfile.tcl Access SecFilterSelective THE_REQUEST "/readfile\.tcl\?file=" #phpnuke sql insertion SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/" #WAnewsletter newsletter.php file include attempt SecFilterSelective THE_REQUEST "newsletter\.php*waroot*start\.php" # Typo3 translations.php file include SecFilterSelective THE_REQUEST "/translations\.php*ONLY" #PHP-Nuke remote file include attempt SecFilterSelective THE_REQUEST "/index\.php*file=*(http|https|ftp)" #PHPOpenChat SecFilterSelective THE_REQUEST "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/poc\.php\?poc_root_path=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/ENGLISH_poc\.php\?poc_root_path=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/poc\.php\?sourcedir=(http|https|ftp)\:/" #OSCommerce XSS SecFilterSelective THE_REQUEST "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" #Typo3 remote file retrieval SecFilterSelective THE_REQUEST "/dev/translations\.php\?ONLY=\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/.*\x00" #PHPNuke general SQL injection SecFilterSelective THE_REQUEST "/modules\.php\?.*name=.*UNION.*SELECT" #SecFilter "phpmyadmin" ##phpBB Calendar Pro catergory Parameter SQL Injection SecFilterSelective THE_REQUEST "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)" #cubecart SQL injection SecFilterSelective THE_REQUEST "/index\.php\?&PHPSESSID=\'" SecFilterSelective THE_REQUEST "/tellafriend\.php\?&product=\'" SecFilterSelective THE_REQUEST "/view_cart\.php\?add=\'" SecFilterSelective THE_REQUEST "/view_product\.php\?product=\'" #PHPBB LinksLinks Pro Module SQL Injection Vulnerability SecFilterSelective THE_REQUEST "/links\.php\?func=show&id=\'" #Invision Power Board SQL injection SecFilterSelective THE_REQUEST "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)" #SQL injection in jPortal version 2.3.1 SecFilterSelective THE_REQUEST "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)" SecFilter "act=cmd" #SecFilter "page=http" SecFilter "geocities\.com" #SecFilter "[rootDir]=http" SecFilterSelective THE_REQUEST "rootDir" SecFilter "cart_order_id=1" SecFilterSelective THE_REQUEST "/index\.php\?&PHPSESSID=\'" SecFilterSelective THE_REQUEST "/tellafriend\.php\?&product=\'" SecFilterSelective THE_REQUEST "/view_cart\.php\?add=\'" SecFilterSelective THE_REQUEST "/view_product\.php\?product=\'" #TikiWiki Multiple Cross-Site Scripting Vulnerabilities SecFilterSelective REQUEST_URI "tiki-lastchanges\.php" "chain,id:390058,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_days|ARG_offset "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-orphan_pages\.php" "chain,id:390059,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_find "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-listpages\.php" "chain,id:390060,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_offset|ARG_initial "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-remind_password\.php" "chain,id:390061,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_username "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-(admin_(rssmodules|notifications|content_templates|chat)|syslog)\.php" "chain,id:390062,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_offset "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-adminusers\.php" "chain,id:390063,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_numrows "(javascript|script|about|applet|activex|chrome)+.?\>" SecFilterSelective REQUEST_URI "tiki-searchindex\.php" "chain,id:390095,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'" SecFilterSelective ARG_highlist "(javascript|script|about|applet|activex|chrome)+.?\>" #Wordpress shell injection Vulnerability SecFilterSelective REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'" #Nucleus <= 3.22 arbitrary remote inclusion exploit SecFilterSelective REQUEST_URI "PLUGINADMIN\.php\?GLOBALS\[DIR_LIBS\]=((ht|f)tps?\:/|/tmp|/opt|/etc|/export|/var|/home|/usr|\.\.)" "id:390065,rev:1,severity:2,msg:'JITP: Nucleus arbitrary remote inclusion exploit'" #Horde passthru protection SecFilterSelective REQUEST_URI "/services/help(/)?\?(.*)?\&module=.*passthru$.*$" "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'" #CMS-Bandits "spaw_root" File Inclusion Vulnerabilities SecFilterSelective REQUEST_URI "dialogs/(img|td|table)\.php" "chain,id:390067,rev:2,severity:2,msg:'JITP: CMS-Bandits spaw_root File Inclusion Vulnerability'" SecFilterSelective ARG_spaw_root "(ht|f)tps?\:/" #phpBB Blend Portal System Module "phpbb_root_path" File Inclusion SecFilterSelective REQUEST_URI "dialogs/(img|td)\.php" "chain,id:390068,rev:1,severity:2,msg:'JITP: phpBB Blend Portal System Module phpbb_root_path File Inclusion'" SecFilterSelective ARG_phpbb_root_path "(ht|f)tps?\:/" #Admanager Pro exploit SecFilterSelective REQUEST_URI "common\.php" "chain,id:390069,rev:1,severity:2,msg:'JITP: Admanager Pro exploit'" SecFilterSelective ARG_ipath "((ht|f)tps?\:/|\.\./)" #General phpbb_root_path vulnerabilities SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'" #Bible Portal Project destination File Inclusion Vulnerability' SecFilterSelective REQUEST_URI "Admin/rtf_parser\.php" "chain,id:390071,rev:1,severity:2,msg:'JITP: Bible Portal Project destination File Inclusion Vulnerability'" SecFilterSelective ARG_destination "((ht|f)tps?\:/|\.\./)" #Flipper Poll "root_path" File Inclusion Vulnerability SecFilterSelective REQUEST_URI "poll\.php" "chain,id:390072,rev:1,severity:2,msg:'JITP: Flipper Poll root_path File Inclusion Vulnerability'" SecFilterSelective ARG_root_path "((ht|f)tps?\:/|\.\./)" #PictureDis Products "lang" Parameter File Inclusion Vulnerability SecFilterSelective REQUEST_URI "(thumstbl|wpfiles|wallpapr)\.php" "chain,id:390073,rev:1,severity:2,msg:'JITP: PictureDis Products lang Parameter File Inclusion Vulnerability'" SecFilterSelective ARG_lang "((ht|f)tps?\:/|\.\./)" #Joomla and Mambo 'Weblinks' blind SQL injection / admin credentials EXPLOIT SecFilterSelective REQUEST_URI "index\.php" "chain,id:390074,rev:1,severity:2,msg:'JITP: Joomla/Mambo Weblinks blind SQL injection'" SecFilterSelective ARG_title "(users[[:space:]]+WHERE[[:space:]]+usertype|UNION[[:space:]]+SELECT[[:space:]]+IF|insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" chain SecFilterSelective ARG_task "save" #new pattern SecFilterSelective REQUEST_URI "index\.php\?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd" #phpBB Mail2Forum Module "m2f_root_path" File Inclusion SecFilterSelective ARG_m2f_root_path "((ht|f)tps?\:/|\.\./)" "id:390076,rev:1,severity:2,msg:'JITP: Generic m2f_root_path File Inclusion Vulnerability'" # SecFilterSelective REQUEST_URI "downloads\.php" "chain,id:390077,rev:1,severity:2,msg:'JITP: Generic PHP download incddir File Inclusion Vulnerability'" SecFilterSelective ARG_incdir "((ht|f)tps?\:/|\.\./)" #SiteDepth CMS "SD_DIR" Parameter Handling Remote File Inclusion Vulnerability SecFilterSelective REQUEST_URI "constants\.php" "chain,id:390078,rev:1,severity:2,msg:'JITP: SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability'" SecFilterSelective ARG_SD_DIR "((ht|f)tps?\:/|\.\./)" #Comment spam header line SecFilter "x-aaaaaa.*" SecFilterSelective POST_PAYLOAD "X-AAAAAA.*" #check for bad meta characters in User-Agent field #SecFilterSelective HTTP_USER_AGENT ".*\'" #XSS in the UA field SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" #PHP code injection attack SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)" SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS" #recursion attack in UA field SecFilterSelective HTTP_USER_AGENT "\.\./\.\." #May cause false positives with some software, comment out if it does #SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'" #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST|HTTP_Accept" "^$" #Exploit agent SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*" #Bad agent SecFilterSelective HTTP_USER_AGENT "Brutus/AET" #CGI vuln scan tool SecFilterSelective HTTP_USER_AGENT cgichk SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0" #Damn fine UA SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*" SecFilterSelective HTTP_USER_AGENT "Morzilla" #CIRT.DK Webroot auditing tool SecFilterSelective HTTP_USER_AGENT ".*WebRoot " #Exploit UA SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*" #XML RPC exploit tool SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*" #A friendly little exploit banner for a WP vuln SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber" #Blocks scripts #SecFilterSelective HTTP_USER_AGENT lwp #Web leaches SecFilterSelective HTTP_USER_AGENT "Web Downloader" SecFilterSelective HTTP_USER_AGENT WebZIP SecFilterSelective HTTP_USER_AGENT WebCopier SecFilterSelective HTTP_USER_AGENT Webster SecFilterSelective HTTP_USER_AGENT WebZIP SecFilterSelective HTTP_USER_AGENT WebStripper SecFilterSelective HTTP_USER_AGENT "teleport pro" SecFilterSelective HTTP_USER_AGENT combine SecFilterSelective HTTP_USER_AGENT "Black Hole" SecFilterSelective HTTP_USER_AGENT "SiteSnagger" SecFilterSelective HTTP_USER_AGENT "ProWebWalker" SecFilterSelective HTTP_USER_AGENT "CheeseBot" #Bogus Mozilla UA lines #Keep this out - breaks something ea..p #SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$" SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$" #Bogus IE UA line SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$" #Bogus UA SecFilterSelective HTTP_USER_AGENT "FooBar/42" #Nessus Vuln scanner UA SecFilterSelective HTTP_USER_AGENT ".*Nessus" #Nikto vuln scanner UA SecFilterSelective HTTP_USER_AGENT ".*Nikto" #BAd/Bogus UAs SecFilterSelective HTTP_USER_AGENT "Indy Library" SecFilterSelective HTTP_USER_AGENT "Faxobot" SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL" #Spam spinder UAs SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser" SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser" #VB development library used by many spammers, might block legite VBscripts #comment out if you have problems SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak" #Borland Delphi signature, as above, comment out if it gives you problems #spammers sometimes use these UAs SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32" SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT" #Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if #it causes problems, comment out. If you are a member of the Microsoft Site #Builder Network, you probably do NOT want to block this ID. #SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control" #SecFilterSelective HTTP_USER_AGENT "^Microsoft URL" #PHP-Nuke Web_Links Multiple Variable SQL Injection SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_min "(dselect|grant|elete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" #Generic PHP payload command injection and upload vulnerabilities #SecFilterSelective POST_PAYLOAD "<\?php" chain SecFilter "((fputs|fread)$.*\,.*$\;|fsockopen$gethostbyname|chr\(.*$\.chr$.*$\.chr$|(fclose|fgets)\(.*$\;|(system|exec)$.*$\;)" chain SecFilter "\<\?php" #honeypot SecFilterSelective THE_REQUEST "/lib\.php\?root=(http|https|ftp)\:/" #XML RPC exploit tool SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*" SecFilterSelective HTTP_USER_AGENT "Zeus .*Webster Pro*" #Cacti no_http_headers security vuln SecFilterSelective THE_REQUEST "/config\.php\?" chain SecFilterSelective ARG_no_http_headers ".*" #Quick & Dirty PHPSource Printer Directory Traversal Vulnerability SecFilterSelective THE_REQUEST "/source\.php\?" chain SecFilterSelective ARG_file "\.\." #nabopoll "path" File Inclusion Vulnerability SecFilterSelective THE_REQUEST "/survey\.inc\.php\?" chain SecFilterSelective ARG_path "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))" SecFilterSelective THE_REQUEST "/survey\.inc\.php\?path=(http|https|ftp)\:/" #Known rootkit Defacing Tool 2.0 SecFilterSelective THE_REQUEST "/tool25\.d(ao)t\?&cmd=" SecFilterSelective THE_REQUEST "/tool\.txt\?&cmd=" SecFilterSelective THE_REQUEST "/therules25\.d(ao)t" #other known tools SecFilterSelective THE_REQUEST "/xpl\.php\?&cmd=" SecFilterSelective THE_REQUEST "/ssh\.php" SecFilterSelective THE_REQUEST "/ssh2\.php" #phpBB remote code execution vuln SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*highlight=\'\." #Virus HTTP Challenge/Reponse Auth SecFilter "^Authorization\: Negotiate" chain SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB" #Unknown Malware SecFilterSelective THE_REQUEST "/mcp/mcp\.cgi" #catch smuggling attacks SecFilter "^(GET|POST).*Host:.*^(GET|POST)" #Drupal remote command execution vulnerability exploit signature #This is already covered in another generic signature, but just in case you leave it out, here it is #again with a slightly tigher regexp SecFilter "\<*php .*$.*$\;system$.*$.*php*\>" #Slightly stronger version of the above SecFilter "\<*php .*$.*$\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec)$.*$.*php*\>" #DownloadProtect "file" Disclosure of Sensitive Information SecFilterSelective THE_REQUEST "/download\.php\?" chain SecFilterSelective ARG_file "\.\./" #phpWebSite SQL Injection and Disclosure of Sensitive Information SecFilterSelective THE_REQUEST "index\.php" chain SecFilterSelective ARG_mod "(\.\./|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view))" SecFilterSelective THE_REQUEST "index\.php" chain SecFilterSelective ARG_module "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/password\.txt" SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/newcmd\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/cmd\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/cmd[0-9]\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/cmd\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/scmd\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/[a-z|A-Z]cmd\.(gif|jpg|txt|bmp)\?" SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)\?" SecFilterSelective THE_REQUEST "/tool2[0-9]\.d(ao)t\?&cmd=" SecFilterSelective THE_REQUEST "/tool\.(gif|jpg|bmp|txt)\?&cmd=" SecFilterSelective THE_REQUEST "/therules25\.d(ao)t" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" ########################################### #Generic SQL injection rule exclusions ########################################### #generic PHP forum posting exclusion SecFilterRemove 300013 #PhpMyadmin SecFilterRemove 300016 #PhpBB posting SecFilterRemove 300013 #Postnuke uploads SecFilterRemove 300013 #Tikiwiki forum SecFilterRemove 300013 #Squirrel mail and Horde postings SecFilterRemove 300013 SecFilterRemove 300015 #Phorum posting SecFilterRemove 300013 #Tikiwiki edit SecFilterRemove 300013 SecFilterRemove 300013 SecFilterRemove 300016 ########################################### #Double pipe exclusion rules ########################################### SecFilterRemove 300014 ########################################### #Front page exclusions ########################################### SecFilterInheritance Off SecFilterRemove 300016 SecFilterRemove 300016 ########################################### #Mambo/Joomla exclusions ########################################### SecFilterRemove 380000 SecFilterRemove 300013 SecFilterRemove 300013 SecFilterRemove 300016 SecFilterRemove 380000 SecFilterRemove 360001 #Added 27AUG2006 #Courtesy of Tom Donovan #ColdFusion RDS SecFilterRemove 360001 #generic PHP forum posting exclusion SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog #PhpBB posting SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog #Postnuke uploads SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog ########################################### #Double pipe exclusion rules ########################################### SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog ########################################### #Front page exclusions ########################################### SecFilterInheritance Off SecFilterSelective HTTP_Referer "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'" SecFilterSelective HTTP_Referer "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'" SecFilterSelective HTTP_Referer "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'" SecFilterSelective HTTP_Referer "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/guery Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'" SecFilterSelective HTTP_Referer "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'" SecFilterSelective HTTP_Referer "filetype:sql \x28\x22passwd values.*password values.*pass values" SecFilterSelective HTTP_Referer "filetype.*blt.*buddylist" SecFilterSelective HTTP_Referer "File Upload Manager v1\.3.*rename to" SecFilterSelective HTTP_Referer "filetype\x3Aphp HAXPLORER .*Server Files Browser" SecFilterSelective HTTP_Referer "inurl.*passlist\.txt" SecFilterSelective HTTP_Referer "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" SecFilterSelective HTTP_Referer "Enter ip.*inurl\x3A\x22php-ping\.php\x22" SecFilterSelective HTTP_Referer "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" SecFilterSelective HTTP_Referer "inurl\.*install.*install\.php" SecFilterSelective HTTP_Referer "Powered by PHPFM.*filetype\.php -username" SecFilterSelective HTTP_Referer "inurl\.*phpSysInfo.*created by phpsysinfo" SecFilterSelective HTTP_Referer "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" SecFilterSelective HTTP_Referer "inurl\.*webutil\.pl" SecFilterSelective THE_REQUEST "\.frauenfinanzzentrum\.at" SecFilterSelective THE_REQUEST "von-der-igelhoehe\.de" SecFilterSelective THE_REQUEST "danger-soft\.com" SecFilterSelective THE_REQUEST "\.altunerhost\.com" SecFilterSelective THE_REQUEST "\.netfast\.org" SecFilterSelective THE_REQUEST "\.redcrew\.de" SecFilterSelective THE_REQUEST "uarg\.unpa\.edu\.ar" SecFilterSelective THE_REQUEST "(\.|/)wileyc\.edu/" SecFilterSelective THE_REQUEST "(\.|/)eks-darmstadt\.de" SecFilterSelective THE_REQUEST "(\.|/)flinttalk\.com" SecFilterSelective THE_REQUEST "\.albacrew\.us/" SecFilterSelective THE_REQUEST "\.tebel-gmbh\.de/" SecFilterSelective THE_REQUEST "(/|\.)defensacivil\.gov\.ec/" SecFilterSelective THE_REQUEST "(/|\.)wwop\.org" SecFilterSelective THE_REQUEST "\.kalin\.ru/" SecFilterSelective THE_REQUEST "tckct\.co\.uk" SecFilterSelective THE_REQUEST "\.extremus\.info/" SecFilterSelective THE_REQUEST "\.parit\.org/" SecFilterSelective THE_REQUEST "\.awardspace\.com" SecFilterSelective THE_REQUEST "\.albados\.com" SecFilterSelective THE_REQUEST "\.perqafohu\.com" SecFilterSelective THE_REQUEST "\.cside21\.com/" SecFilterSelective THE_REQUEST "200\.24\.117\.125" SecFilterSelective THE_REQUEST "elitemorgan\.com/" SecFilterSelective THE_REQUEST "\acesso\.t35\.com" SecFilterSelective THE_REQUEST "(\.|/)geocities\.com/" SecFilterSelective THE_REQUEST "(\.|/)albahost\.host\.sk/" SecFilterSelective THE_REQUEST "uarg\.unpa\.edu\.ar/" SecFilterSelective THE_REQUEST "\.manhattanservice\.com" SecFilterSelective THE_REQUEST "\.kurddomain\.net" SecFilterSelective THE_REQUEST "elmorgan\.com\.ar" SecFilterSelective THE_REQUEST "61\.1\.197\.244" SecFilterSelective THE_REQUEST "home\.arcor\.de" SecFilterSelective THE_REQUEST "\.turx\.nl" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/albacr3w/" SecFilterSelective THE_REQUEST "\.ifrance\.com" SecFilterSelective THE_REQUEST "pivadesign\.com\.br" SecFilterSelective THE_REQUEST "\.pc-phasechange\.it" SecFilterSelective THE_REQUEST "ciberia\.ya\.com" SecFilterSelective THE_REQUEST "\.starhack\.org" SecFilterSelective THE_REQUEST "sweet-serenity\.org" SecFilterSelective THE_REQUEST "\.uol\.com\.br" SecFilterSelective THE_REQUEST "aviozone\.com" SecFilterSelective THE_REQUEST "mptechno\.cz" SecFilterSelective THE_REQUEST "\.piranho\.de" SecFilterSelective THE_REQUEST "\.lilspage\.de" SecFilterSelective THE_REQUEST "209\.136\.48\.69" SecFilterSelective THE_REQUEST "216\.12\.103\.29" SecFilterSelective THE_REQUEST "209\.232\.227\.224" SecFilterSelective THE_REQUEST "200\.72\.130\.29" SecFilterSelective THE_REQUEST "209\.123\.16\.34" SecFilterSelective THE_REQUEST "\.mitchellwhite\.com" SecFilterSelective THE_REQUEST "full-comandos\.com" SecFilterSelective THE_REQUEST "members\.lycos\.co\.uk/tiara" SecFilterSelective THE_REQUEST "sharonfamilyandtravel\.com" SecFilterSelective THE_REQUEST "72\.18\.195\.161" SecFilterSelective THE_REQUEST "geocities\.com/hitam_putih_dalnet/" SecFilterSelective THE_REQUEST "cyberspiderwebdesign\.com" SecFilterSelective THE_REQUEST "\.softcarein\.com" SecFilterSelective THE_REQUEST "\.netmisphere2\.com" SecFilterSelective THE_REQUEST "juniorenkammer\.be" SecFilterSelective THE_REQUEST "\.itunisie\.com" SecFilterSelective THE_REQUEST "mitchellgeo\.com" SecFilterSelective THE_REQUEST "hackexpert\.net" SecFilterSelective THE_REQUEST "agi-zagi\.co\.kr" SecFilterSelective THE_REQUEST "\.f1-kingpin\.de" SecFilterSelective THE_REQUEST "(http|https|ftp)\:/.*\.free\.fr" SecFilterSelective THE_REQUEST "www\.designerwear\.co\.uk" SecFilterSelective THE_REQUEST "(http|https|ftp)\:/.*\.i8\.com" SecFilterSelective THE_REQUEST "danzarte\.cl" SecFilterSelective THE_REQUEST "\.ripway\.com" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "128\.173\.40\.113" SecFilterSelective THE_REQUEST "\.lycos\.co\.uk/metlak/" SecFilterSelective THE_REQUEST "\.xcop\.biz/" SecFilterSelective THE_REQUEST "sca\.postech\.ac\.kr" SecFilterSelective THE_REQUEST "www\.aauto\.no" SecFilterSelective THE_REQUEST "dsoulzin\.net" SecFilterSelective THE_REQUEST "\.altervista\.org" SecFilterSelective THE_REQUEST "\.yatas\.com" SecFilterSelective THE_REQUEST "bocor-team\.org" SecFilterSelective THE_REQUEST "s0l4r1sr0x\.com" SecFilterSelective THE_REQUEST "209\.16\.85\.15" SecFilterSelective THE_REQUEST "217\.160\.242\.90" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "216\.15\.209\.12" SecFilterSelective THE_REQUEST "216\.103\.82\.214" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es/angienuka" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es/saxalt/" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/hackersclup" SecFilterSelective THE_REQUEST "spykids\.info" SecFilterSelective THE_REQUEST "smellthecoffee\.com" SecFilterSelective THE_REQUEST "\.nana\.co\.il" SecFilterSelective THE_REQUEST "yavnek12\.co\.il" SecFilterSelective THE_REQUEST "billing\.veloxinternet\.com/" SecFilterSelective THE_REQUEST "usuarios\.lycos\.es" SecFilterSelective THE_REQUEST "217\.114\.109\.11" SecFilterSelective THE_REQUEST "217\.160\.255\.44" SecFilterSelective THE_REQUEST "217\.160\.242\.90" SecFilterSelective THE_REQUEST "148\.81\.141\.12" SecFilterSelective THE_REQUEST "131\.155\.98\.128" SecFilterSelective THE_REQUEST "212\.114\.84\.18" SecFilterSelective THE_REQUEST "81\.174\.26\.111" SecFilterSelective THE_REQUEST "192\.112\.220\.37" SecFilterSelective THE_REQUEST "pc-clinic\.fr" SecFilterSelective THE_REQUEST "clientes\.netvisao\.pt" SecFilterSelective THE_REQUEST "\.sanicentrum\.be" SecFilterSelective THE_REQUEST "www\.brain\.net\.pk" SecFilterSelective THE_REQUEST "web\.un1xtech\.com" SecFilterSelective THE_REQUEST "\.schost\.com\.br/" SecFilterSelective THE_REQUEST "neto5a\.iitalia\.com" SecFilterSelective THE_REQUEST "mesahigh\.com" SecFilterSelective THE_REQUEST "216\.111\.31\.2" SecFilterSelective THE_REQUEST "24\.224\.174\.18" SecFilterSelective THE_REQUEST "\.mcarthur.\org" SecFilterSelective THE_REQUEST "\.v10\.com\.br/" SecFilterSelective THE_REQUEST "agaman\.net" SecFilterSelective THE_REQUEST "\.what-a-pair\.com" SecFilterSelective THE_REQUEST "62\.101\.193\.244" SecFilterSelective THE_REQUEST "\.tutoworld\.org" SecFilterSelective THE_REQUEST "jupiterhost\.net/" SecFilterSelective THE_REQUEST "\.iyscrew\.com" SecFilterSelective THE_REQUEST "\.server4free\.de" SecFilterSelective THE_REQUEST "\.tikla\.org" SecFilterSelective THE_REQUEST "\.dps-ct\.com/" SecFilterSelective THE_REQUEST "66\.235\.216\.137" SecFilterSelective THE_REQUEST "labserver\.veter\.ucv\.ve" SecFilterSelective THE_REQUEST "\.eformidler\.dk" SecFilterSelective THE_REQUEST "febronio\.org" SecFilterSelective THE_REQUEST "zavisnici\.com" SecFilterSelective THE_REQUEST "\.2x4\.ru" SecFilterSelective THE_REQUEST "\.k4boom\.biz" SecFilterSelective THE_REQUEST "theperfecttitle\.com" SecFilterSelective THE_REQUEST "\.yhrhosting\.com" SecFilterSelective THE_REQUEST "\.nitrofx\.com" SecFilterSelective THE_REQUEST "(/|\.)ownsalldomains\.org" SecFilterSelective THE_REQUEST "(/|\.)ocktober\.com" SecFilterSelective THE_REQUEST "\.s5\.com" SecFilterSelective THE_REQUEST "\.systemcrew\.net" SecFilterSelective THE_REQUEST "www\.tutoworld\.org" SecFilterSelective THE_REQUEST "\.supereva\.it/" SecFilterSelective THE_REQUEST "\.frsirt\.com" SecFilterSelective THE_REQUEST "(www\.|/)geocities\.com/anangkd" SecFilterSelective THE_REQUEST "geocities\.com/anugerahnet" SecFilterSelective THE_REQUEST "(www\.|/)geocities\.com/bacardi_marv" SecFilterSelective THE_REQUEST "\.geocities\.com/" SecFilterSelective THE_REQUEST "/geocities\.com/" SecFilterSelective THE_REQUEST "\.freshmaker\.us" SecFilterSelective THE_REQUEST "packetx\.org" SecFilterSelective THE_REQUEST "\.de-soc-mac\.de" SecFilterSelective THE_REQUEST "\.leohissa\.oi\.com\.br" SecFilterSelective THE_REQUEST "\.fig0\.com" SecFilterSelective THE_REQUEST "\.brasilhoster\.net" SecFilterSelective THE_REQUEST "\.riteweld\.com" SecFilterSelective THE_REQUEST "216\.111\.31\.2" SecFilterSelective THE_REQUEST "\.fineca\.net" SecFilterSelective THE_REQUEST "r00nin\.vila\.bol\.com\.br" SecFilterSelective THE_REQUEST "\.bol\.com\.br" SecFilterSelective THE_REQUEST "freewebbe\.supereva\.it" SecFilterSelective THE_REQUEST "asianfiles\.deluxepass\.com" SecFilterSelective THE_REQUEST "sei26\.tripod\.com" SecFilterSelective THE_REQUEST "gigachat\.net" SecFilterSelective THE_REQUEST "www\.sos-deces\.be" SecFilterSelective THE_REQUEST "\.sosha\.it/" SecFilterSelective THE_REQUEST "\.pbholland\.com" SecFilterSelective THE_REQUEST "\.newtontidy\.com" SecFilterSelective THE_REQUEST "\.barretttree\.com" SecFilterSelective THE_REQUEST "agaman\.net" SecFilterSelective THE_REQUEST "anti-clones\.com" SecFilterSelective THE_REQUEST "www\.members\.lycos\.nl/sesli" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/toolsandcmd/" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/" SecFilterSelective THE_REQUEST "chancom\.webpal\.info" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/h4x0r_club/" SecFilterSelective THE_REQUEST "\.argaio\.net" SecFilterSelective THE_REQUEST "baixinhoo\.hpgvip\.com\.br" SecFilterSelective THE_REQUEST "\.zeldalegacies\.com" SecFilterSelective THE_REQUEST "simbafriends\.com/" SecFilterSelective THE_REQUEST "webshells\.org" SecFilterSelective THE_REQUEST "groupiys\.net" SecFilterSelective THE_REQUEST "megahostbr\.com" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/slash_slink" SecFilterSelective THE_REQUEST "\.357is\.com" SecFilterSelective THE_REQUEST "northfox\.uw\.hu" SecFilterSelective THE_REQUEST "\.dynalith\.com" SecFilterSelective THE_REQUEST "\.xplmanager\.com" SecFilterSelective THE_REQUEST "\.members\.lycos\.co\.uk/thoronnn/" SecFilterSelective THE_REQUEST "\.terra\.com\.br/" SecFilterSelective THE_REQUEST "f58\.aaacafe\.ne.\jp/" SecFilterSelective THE_REQUEST "www\.derf\.hpgvip\.ig\.com\.br/" SecFilterSelective THE_REQUEST "rodrigo\.hcerto\.com/" SecFilterSelective THE_REQUEST "\.terror\.as\.ro/" SecFilterSelective THE_REQUEST "\.tntt\.org/meu/" SecFilterSelective THE_REQUEST "\.syscore\.hpgvip\.com\.br/" SecFilterSelective THE_REQUEST "\.hpgvip\.com\.br/" SecFilterSelective THE_REQUEST "ijoo\.homelinux\.com/" SecFilterSelective THE_REQUEST "\.derf\.hpgvip\.ig\.com\.br/" SecFilterSelective THE_REQUEST "\.100free\.com/" SecFilterSelective THE_REQUEST "\.lorenzo4ever\.de/" SecFilterSelective THE_REQUEST "visualcoders\.net/" SecFilterSelective THE_REQUEST "\.fendora\.net" SecFilterSelective THE_REQUEST "gigashell\.org/" SecFilterSelective THE_REQUEST "\.prir0x\.com/" SecFilterSelective THE_REQUEST "geocities\.yahoo\.com\.br/dh4x0r/" SecFilterSelective THE_REQUEST ".*\.verizon\.net\.do/carlos.*" SecFilterSelective THE_REQUEST "mi\.verizon\.net\.do/carlos.*" SecFilterSelective THE_REQUEST "\.stanlley\.ubbi\.com\.br/" SecFilterSelective THE_REQUEST "xthost\.info/" SecFilterSelective THE_REQUEST "yaoibr\.vila\.bol\.com\.br/" SecFilterSelective THE_REQUEST "geocities\.com/catalin1713/" SecFilterSelective THE_REQUEST "visualcoders\.net/spy\." SecFilterSelective THE_REQUEST "\.digitalmedia\.org\.mk" SecFilterSelective THE_REQUEST "pharoeste\.net" SecFilterSelective THE_REQUEST "userbr\.info" SecFilterSelective THE_REQUEST "\.foxcf\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "medicine\.bjmu\.edu\.cn" SecFilterSelective THE_REQUEST "\.blueconnection\.com\.br" SecFilterSelective THE_REQUEST "\.ph4nt4sm4\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "\.mvhosted\.com" SecFilterSelective THE_REQUEST "\.0catch\.com" SecFilterSelective THE_REQUEST "newton\.100free\.com" SecFilterSelective THE_REQUEST "\.forplay\.com\.br" SecFilterSelective THE_REQUEST "\.geocities\.com/my_lusy" SecFilterSelective THE_REQUEST "lol\.freecoolsite\.com" SecFilterSelective THE_REQUEST "winscp\.net" SecFilterSelective THE_REQUEST "\.karpit\.net" SecFilterSelective THE_REQUEST "www\.partyradio\.ca" SecFilterSelective THE_REQUEST "\.triple-hhh\.de" SecFilterSelective THE_REQUEST "\.gottablaze\.com" SecFilterSelective THE_REQUEST "xanutz\.3x\.ro" SecFilterSelective THE_REQUEST "geocities\.com/anak_indekost" SecFilterSelective THE_REQUEST "themis\.geocities\.yahoo\.com" SecFilterSelective THE_REQUEST "\.geocities\.com/my_sweet_cute/" SecFilterSelective THE_REQUEST "\.angelfire\.com/zine2/" SecFilterSelective THE_REQUEST "72\.20\.34\.[0-9]+" SecFilterSelective THE_REQUEST "animehost\.de" SecFilterSelective THE_REQUEST "home\.online\.no/~p-shahr" SecFilterSelective THE_REQUEST "indragostit\.net" SecFilterSelective THE_REQUEST "hdr\.atspace\.com" SecFilterSelective THE_REQUEST "\.thecurse\.pop\.com\.br" SecFilterSelective THE_REQUEST "www\.w3zone\.com" SecFilterSelective THE_REQUEST "freecoolsite\.com" SecFilterSelective THE_REQUEST "freewebs\.com" SecFilterSelective THE_REQUEST "\.geocities\.com/chnsekip" SecFilterSelective THE_REQUEST "webcindario\.com" SecFilterSelective THE_REQUEST "ripdisk\.ma\.cx" SecFilterSelective THE_REQUEST "sinanreklam\.net" SecFilterSelective THE_REQUEST "members\.cox\.net/xjasonx" SecFilterSelective THE_REQUEST "\.bh-net\.dk" SecFilterSelective THE_REQUEST "\.mediaserve\.net" SecFilterSelective THE_REQUEST "\.inchon\.ne\.kr" SecFilterSelective THE_REQUEST "\.noti-auto.\com\.ar" SecFilterSelective THE_REQUEST "go0gler\.com" SecFilterSelective THE_REQUEST "hackbox\.t35\.com" SecFilterSelective THE_REQUEST ".*\.hpgvip\.ig\.com\.br" SecFilterSelective THE_REQUEST "honestgame\.net" SecFilterSelective THE_REQUEST "\.ecobook\.or\.kr" SecFilterSelective THE_REQUEST "\.fasecolda\.com" SecFilterSelective THE_REQUEST "212\.50\.30\.60" SecFilterSelective THE_REQUEST "\.nbail\.com" SecFilterSelective THE_REQUEST "\.kit\.net/" SecFilterSelective THE_REQUEST "\.ubbi\.com\.br" SecFilterSelective THE_REQUEST "\.k4boom\.biz/" SecFilterSelective THE_REQUEST "00freehost\.com" #Sites that host remote shells, etc. SecFilterSelective THE_REQUEST "security-protocols\.com" #Known sources that leak thru proxies SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 69\.50\.182\.154 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 202\.81\.60\.58 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.252\.91" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR 211\.185\.59\.124 SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "209\.165\.131\.23" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "66\.246\.246\.22" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.89\.50\.28" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.208\.48" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "159\.148\.29\.158" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.188\.73" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "200\.168\.0\.246" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.90\.52" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "193\.95\.27\.2" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "195\.55\.222\.19" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.32\.81" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.150\.163\.82" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.237\.226\.70" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.96\.125\.38" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.97\.97\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "213\.98\.122\.111" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.8\.64\.21" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.191\.119\.122" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.33\.104\.158" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.38\.171\.131" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.109\.180\.3" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "81\.37\.184\.196" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "83\.57\.132\.206" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.13\.249" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "85\.129\.229\.111" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "86\.60\.16\.81" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "172\.168\.0\.1" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "196\.203\.4\.62" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "202\.123\.250\.184" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "212\.116\.209\.234" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "217\.127\.56\.24" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.26\.46\.168" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.36\.245\.100" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "84\.94\.78\.98" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "80\.59\.91\.33" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "unsecure-services" SecFilterSelective HTTP_FORWARDED|HTTP_X_FORWARDED_FOR "205\.177\.122\.162" #bad proxies SecFilterSelective HTTP_FORWARDED "mangostino\.ut\.edu\.co" SecFilterSelective HTTP_FORWARDED ".*\.cnh\.com" SecFilterSelective HTTP_FORWARDED "phenix-prog-phr" SecFilterSelective HTTP_FORWARDED "alfred\.nssi\.telus\.com" SecFilterSelective HTTP_FORWARDED "wadsworth\.nssi\.telus\.com" SecFilterSelective HTTP_VIA "\.ownsalldomains\.org" SecFilterSelective HTTP_VIA "cache\.topflash\.co\.kr" SecFilterSelective HTTP_VIA "\.quasar\.net\.id:8080" SecFilterSelective HTTP_VIA "\.serverpronto\.com" SecFilterSelective HTTP_VIA "\.fetish-expert\.org" SecFilterSelective HTTP_VIA "proxy\.hwai\.edu\.tw" SecFilterSelective HTTP_VIA "interno-1-1\.edn\.org\.br" SecFilterSelective HTTP_VIA "\.pt-server1\.bt\.com" SecFilterSelective HTTP_VIA "1\.1 cache-test-dtv-kno" SecFilterSelective HTTP_VIA "kdnproxy\.kdn\.gov\.my" SecFilterSelective HTTP_VIA "\.wisdomchina\.com" SecFilterSelective HTTP_VIA "1\.1 PALACIOISA" SecFilterSelective HTTP_VIA "1\.1 cache7\:80 \(squid" SecFilterSelective HTTP_VIA "1\.1 www\.pt-server1\.bt\.com" SecFilterSelective HTTP_VIA "revProxy\.foredu\.com\.cn" SecFilterSelective HTTP_VIA "\.salmanetwork\.com" SecFilterSelective HTTP_VIA "\.warnet\.com" SecFilterSelective HTTP_VIA "moses\.frc\.org" SecFilterSelective HTTP_VIA "1\.0 SQCNT3" SecFilterSelective HTTP_VIA "phenix-prog-phr" SecFilterSelective HTTP_VIA "1\.0 TIETONG" SecFilterSelective HTTP_VIA "webshield\.beitberl\.ac\.il" SecFilterSelective HTTP_VIA "1\.1 www\.any\.com" SecFilterSelective HTTP_VIA "intra\.ckus\.rmutp\.ac\.th" SecFilterSelective HTTP_VIA "poczta\.prochowa12\.waw\.pl" SecFilterSelective HTTP_VIA "1\.1 ICACHE1" SecFilterSelective HTTP_VIA "1\.1 New-Proxy2" SecFilterSelective HTTP_VIA "1\.1 SERVEUR2000" SecFilterSelective HTTP_VIA "intra\.ckus\.rmutp\.ac\.th" SecFilterSelective HTTP_VIA "1\.1 PROXY, 1\.0 NC2100" SecFilterSelective HTTP_VIA "1\.1 www\.rolnas\.com\.pl" SecFilterSelective HTTP_VIA "1\.1 revproxy2" SecFilterSelective HTTP_VIA "1\.1 webmail\.siamcom\.co\.th" SecFilterSelective HTTP_VIA "1\.1 SMS2000\.tutsys\.com" SecFilterSelective HTTP_VIA "1\.1 CAE-SERVER" SecFilterSelective HTTP_VIA "1\.1 WORKGROU-OYOU4X" SecFilterSelective HTTP_VIA "1\.1 INKABANPINPROXY" SecFilterSelective HTTP_VIA "1\.1 DNS4" SecFilterSelective HTTP_VIA "1\.1 www\.rolnas\.com\.pl" SecFilterSelective HTTP_VIA "1\.1 DBSV1008" SecFilterSelective HTTP_VIA "1\.1 NEWISA" SecFilterSelective HTTP_VIA "1\.1 CPGATEWAY02" SecFilterSelective HTTP_VIA "1\.1 router\:3128 $KEN\!$" SecFilterSelective HTTP_VIA "1\.1 PROXYSRV\, 1\.0 supercache5" SecFilterSelective HTTP_VIA "1\.1 ATIPLS1" SecFilterSelective HTTP_VIA "1\.0 SMART\, 1\.0 LOIER2800\:" SecFilterSelective HTTP_VIA "1\.1 62\.93\.34\.160" SecFilterSelective HTTP_VIA "1\.1 fwall\.belcomct\.net" SecFilterSelective HTTP_VIA "1\.1 ZERT-EWDGNMVXUF" SecFilterSelective HTTP_VIA "1\.1 su\.tkp\.edu\.hk" #SecFilterSelective HTTP_VIA "HTTP/1\.1 proxy\[AC1.*" SecFilterSelective HTTP_VIA "HTTP/1\.1 proxy\[AC1E0247" SecFilterSelective HTTP_VIA "1\.1 compujuan\.com\.es" SecFilterSelective HTTP_VIA "1\.1 FEDERATION" #SecFilterSelective HTTP_VIA "1\.1 SERVER-ISA" SecFilterSelective HTTP_VIA "1\.1 EXACTWAPPROXY" SecFilterSelective HTTP_VIA "1\.1 GRNSERVER" SecFilterSelective HTTP_VIA "1\.1 www\.satem\.gob\.ve" SecFilterSelective HTTP_VIA "1\.1 nilcombi\.nilcom\.fr" SecFilterSelective HTTP_VIA "1\.1 cellulant\.lifeismobile\.com" SecFilterSelective HTTP_VIA "1\.1 SR2300-SE7501-H" SecFilterSelective HTTP_VIA "1\.1 www\.dmi\.es" #SecFilterSelective HTTP_VIA "1\.0 cache2\.jed" SecFilterSelective HTTP_VIA "1\.1 BRHCYBER" SecFilterSelective HTTP_VIA "1\.1 132\.110\.2\.12" SecFilterSelective HTTP_VIA "1\.1 .*\.pivotoffice\.com" SecFilterSelective HTTP_VIA "1\.1 .*\.mundo-r\.com" SecFilterSelective HTTP_VIA "1\.1 FAMILYCAREREHAB" SecFilterSelective HTTP_VIA "1\.1 INFORMASERVER" SecFilterSelective HTTP_VIA "1\.1 ITISA" #SecFilterSelective HTTP_VIA "1\.1 NetCache-CLNS-STACK-1" SecFilterSelective HTTP_VIA "1\.1 .*\.as5587\.net" SecFilterSelective HTTP_VIA "1\.1 Maua" SecFilterSelective HTTP_VIA "1\.1 JUNIOR" SecFilterSelective HTTP_VIA "1\.1 offsetinternet" SecFilterSelective HTTP_VIA ".*codevasf\.gov\.br" SecFilterSelective HTTP_VIA "1\.1 www\.aha\.at" SecFilterSelective HTTP_VIA "1\.1 ucavilapruebas\.es" SecFilterSelective HTTP_VIA "1\.1 .*\.insightfirst\.com" SecFilterSelective HTTP_VIA "1\.1 if3\.insightfirst\.com" SecFilterSelective HTTP_VIA "1\.1 SERV132" SecFilterSelective HTTP_VIA "1\.1 CacheFORCE" SecFilterSelective HTTP_VIA "1\.1 dgc-squid" #SecFilterSelective HTTP_VIA "1\.1 CS6200C" SecFilterSelective HTTP_VIA "1\.1 NTS-SERVER" SecFilterSelective HTTP_VIA "1\.1 AJF-JTC-ISA01" SecFilterSelective HTTP_VIA "1\.1 neptun\.ci\.uw\.edu\.pl" SecFilterSelective HTTP_VIA "1\.1 2-net\.ro" SecFilterSelective HTTP_VIA "1\.1 .*\.usscript\.com" SecFilterSelective HTTP_VIA "1\.1 SSIP_SERVER3" SecFilterSelective HTTP_VIA "1\.1 SYVKOV422GX" SecFilterSelective HTTP_VIA "1\.1 .*\.arbuzowa\.net" SecFilterSelective HTTP_VIA "1\.1 www\.kevsclub\.com" SecFilterSelective HTTP_VIA "1\.0 KALIMBA" SecFilterSelective HTTP_VIA "1\.0 NETOUT-SERVER" SecFilterSelective HTTP_VIA "1\.0 NTMARVWALL01" SecFilterSelective HTTP_VIA "1\.0 PROXYSES2" SecFilterSelective HTTP_VIA "1\.0 ptcdb\.edu\.ps" SecFilterSelective HTTP_VIA "1\.0 px1nr $NetCache NetApp/5\.6\.1D25$" SecFilterSelective HTTP_VIA "1\.0 px8so $NetCache NetApp/5\.6\.1D25$" SecFilterSelective HTTP_VIA "1\.0 SERV132, 1\.0 netcache1 $NetCache NetApp/6\.0\.1$" SecFilterSelective HTTP_VIA "1\.0 TEKIYA02 $NetCache NetApp/5\.6\.2$, TEKIYA03, 1\.0 TEKIYA02 $NetCache NetApp/5\.6\.2$" #SecFilterSelective HTTP_VIA "1\.1 10\.0\.1\.20" #SecFilterSelective HTTP_VIA "1\.1 127\.0\.0\.1" SecFilterSelective HTTP_VIA "1\.1 146\.83\.216\.207" SecFilterSelective HTTP_VIA "1\.1 202\.88\.250\.211" SecFilterSelective HTTP_VIA "1\.1 213\.155\.209\.204" SecFilterSelective HTTP_VIA "1\.1 accel10\.click21\.com\.br" SecFilterSelective HTTP_VIA "1\.1 alcyonix\.dyndns\.ws" SecFilterSelective HTTP_VIA "1\.1 athos\.chem\.demokritos\.gr" SecFilterSelective HTTP_VIA "1\.1 ATIPLS1" SecFilterSelective HTTP_VIA "1\.1 BBSM52" #SecFilterSelective HTTP_VIA "1\.1 bnb-cache1 $NetCache NetApp.*$, 1\.1 rba-cache1" SecFilterSelective HTTP_VIA "1\.1 cacheB\.ipko\.net" SecFilterSelective HTTP_VIA "1\.1 CAE-SERVER" SecFilterSelective HTTP_VIA "1\.1 CATHODE" #SecFilterSelective HTTP_VIA "1\.1 cha-cache1 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 CSB-NC2 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 cuchimilco\.huaral\.org" SecFilterSelective HTTP_VIA "1\.1 DBSV1008" SecFilterSelective HTTP_VIA "1\.1 dns2\.araxa\.com\.br" SecFilterSelective HTTP_VIA "1\.1 EMERSON, 1\.0 C6100 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 EPPD_SERVER" SecFilterSelective HTTP_VIA "1\.1 fox-server1\.foxschool\.lan" SecFilterSelective HTTP_VIA "1\.1 http-istcf1" SecFilterSelective HTTP_VIA "1\.1 JUNIOR" #SecFilterSelective HTTP_VIA "1\.1 lnac2 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 LTSP03\.glenwood\.k12\.mo\.us" #SecFilterSelective HTTP_VIA "1\.1 MAILSERVER" SecFilterSelective HTTP_VIA "1\.1 natty\.intranet" #SecFilterSelective HTTP_VIA "1\.1 netcache1-ctn \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 netcache1 \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 NetCache3 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 NetCache-CLNS-STACK-1 \(NetCache NetApp.*" #SecFilterSelective HTTP_VIA "1\.1 nme-nxg-pr1\.tpg\.com\.au" SecFilterSelective HTTP_VIA "1\.1 no-dns\.as5587\.net" SecFilterSelective HTTP_VIA "1\.1 ns07\.contentex\.net" SecFilterSelective HTTP_VIA "1\.1 NYNETSRV01" SecFilterSelective HTTP_VIA "1\.1 OTXXSERV" SecFilterSelective HTTP_VIA "1\.1 proxy\.marshall\.k12\.wi\.us" SecFilterSelective HTTP_VIA "1\.1 SERV132, 1\.0 netcache1 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 SERVER-ISA" SecFilterSelective HTTP_VIA "1\.1 SERVEUR-CYBER" SecFilterSelective HTTP_VIA "1\.1 slave02\.terrarica\.net" SecFilterSelective HTTP_VIA "1\.1 SMS2000\.tutsys\.com" SecFilterSelective HTTP_VIA "1\.1 spacebears" SecFilterSelective HTTP_VIA "1\.1 squid2-sydny\.eftel\.com" SecFilterSelective HTTP_VIA "1\.1 SSIP_SERVER3" SecFilterSelective HTTP_VIA "1\.1 SYVKOV422GX" SecFilterSelective HTTP_VIA "1\.1 trixie" SecFilterSelective HTTP_VIA "1\.1 wc-02 \(NetCache NetApp.*" SecFilterSelective HTTP_VIA "1\.1 webmail\.siamcom\.co\.th" SecFilterSelective HTTP_VIA "1\.1 www\.arbuzowa\.net" SecFilterSelective HTTP_VIA "1\.1 www\.gkcabunoc\.com" SecFilterSelective HTTP_VIA "1\.1 addyon\.webair\.com" SecFilterSelective HTTP_VIA "1\.1 alcyonix\.dyndns\.ws" SecFilterSelective HTTP_VIA "1\.1 proxy\.pcdl\.gov\.br" SecFilterSelective HTTP_VIA "1\.1 ichigo\.icsmail\.net" SecFilterSelective HTTP_VIA "1\.1 80\.177\.18\.74" SecFilterSelective HTTP_VIA "1\.1 raptor[0-9][a-z]\.watchdog\.net\.nz" SecFilterSelective HTTP_VIA "1\.0 proxy[0-9]\..*\.maxnet\.net\.nz" SecFilterSelective HTTP_VIA "1\.0 proxy[0-9]\.akl[0-9]\.maxnet\.net\.nz" SecFilterSelective HTTP_VIA "1\.1 POMGFIREWALL" SecFilterSelective HTTP_VIA "1\.1 alfred\.nssi\.telus\.com" SecFilterSelective HTTP_VIA "1\.1 .*\.acdi-cida\.gc\.ca" SecFilterSelective HTTP_VIA "CIDA13\.acdi-cida\.gc\.ca" #generic sig for a bad site SecFilterSelective REQUEST_URI "(http|https|ftp).*\.exs\.cx/.*/nc4hk\.swf"