
مشاهدة النسخة كاملة : رولز قوية تمنع الشلات والاتصال بالقواعد


العربية للاستضافة
06-10-2009, 09:16 PM
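# ModSecurity 2.x rule set as posted.  The forum rendering had inserted spaces
# inside long tokens (e.g. "REQUEST_HEA DERS", "p hase:2", "proc_ open") and had
# replaced URL-like text with "[Only Registered Users Can See Links]"; the
# unambiguous tokens are restored below, the remaining ones carry a TODO.
# Most rules carry no action list and therefore inherit SecDefaultAction, which
# is not part of this listing -- confirm it sets the phase, deny and log before
# deploying.  ModSecurity 2.7+ additionally requires an id action on every rule;
# most rules here have none and will need ids assigned.
#
# fake server banner - NOYB used - no one needs to know what we are using
# (ModSecurity can only overwrite the banner when Apache runs with ServerTokens Full)
SecServerSignature "Secured By 3JENAN.COM"

# ---- Protocol sanity checks: headers and method are available in phase 1 ----
# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
    "phase:1,deny,log,auditlog,msg:'Content-Length HTTP header is not numeric',severity:'2',id:'960016'"
# Do not accept GET or HEAD requests with bodies (Content-Length present and not 0)
SecRule REQUEST_METHOD "^(GET|HEAD)$" \
    "phase:1,chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:'2',id:'960011'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"
# Require Content-Length to be provided with every POST request.
# NOTE(review): this also rejects POSTs that use chunked transfer encoding
# without a Content-Length -- confirm that is acceptable for the hosted apps.
SecRule REQUEST_METHOD "^POST$" \
    "phase:1,chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# Restrict type of characters sent.  The range 1-255 rejects only the NUL byte.
# The posted rule carried the message of an unrelated rule ('Request Missing an
# Accept Header'); corrected to describe what it checks.  There is no deny
# action here, so it only logs unless SecDefaultAction denies.
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    "@validateByteRange 1-255" \
    "phase:1,log,auditlog,msg:'Invalid character in request headers',severity:'2',id:'960015',t:urlDecodeUni"
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    "phase:2,deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"

# allow request methods (no deny here either; inherits the disruptive action from SecDefaultAction)
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:1,log,auditlog,msg:'Method is not allowed by policy',severity:'2',id:'960032'"

# ---- Basic rules with arbitrary command detection ---------------------------
# Plain substring/regex matches on REQUEST_URI.  Exact duplicates from the
# posted list were dropped, and a pattern whose match set is fully contained
# in another pattern's (e.g. "psybnc " inside "psybnc") was dropped as well;
# the union of matches is unchanged.  Patterns ending in a space only match
# when the URI contains a literal space after the token.
SecRule REQUEST_URI "\.htgroup"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~root"
SecRule REQUEST_URI "/~ftp"
# was posted as a chain of two identical /htgrep rules; one rule is equivalent
SecRule REQUEST_URI "/htgrep"
SecRule REQUEST_URI "/\.history"
SecRule REQUEST_URI "/\.bash_history"
SecRule REQUEST_URI "/~nobody"
SecRule REQUEST_URI "<script"
SecRule REQUEST_URI "psybnc"
SecRule REQUEST_URI "cmd=cd\x20/var"
SecRule REQUEST_URI "dir=http"
SecRule REQUEST_URI "\?STRENGUR"
SecRule REQUEST_URI "/etc/motd"
SecRule REQUEST_URI "/etc/passwd"
# NOTE(review): the forum redacted the token after "conf/"; httpd.conf is the
# likely original -- confirm before relying on this rule.
SecRule REQUEST_URI "conf/httpd\.conf"
SecRule REQUEST_URI "/bin/ps"
SecRule REQUEST_URI "bin/tclsh"
SecRule REQUEST_URI "tclsh8\x20"
SecRule REQUEST_URI "udp\.pl"
SecRule REQUEST_URI "linuxdaybot\.txt"
SecRule REQUEST_URI "wget\x20"
SecRule REQUEST_URI "bin/nasm"
SecRule REQUEST_URI "nasm\x20"
SecRule REQUEST_URI "/usr/bin/perl"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
# "https" restored (the forum had redacted the second scheme)
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
# "etc/httpd" restored from the redacted token -- confirm against the original rule set
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd|dev/shm)"
# Home-directory probes that carry the request-line tail; "HTTP/" restored.
# The /~ftp and /~nobody variants are covered by the bare /~ftp and /~nobody
# rules above.
SecRule REQUEST_URI "/~named(/| HTTP/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~guest(/| HTTP/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~logs(/| HTTP/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~sshd(/| HTTP/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~bin(/| HTTP/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "lynx "
# NOTE(review): "Fhome", "cvs", "curl ", "echo " and "cd " are bare substrings
# and will also match legitimate paths that merely contain them; expect false
# positives and narrow them for the hosted sites.
SecRule REQUEST_URI "Fhome"
SecRule REQUEST_URI "cvs"
SecRule REQUEST_URI "\.php\?phpinfo"
SecRule REQUEST_URI "\.php\?phpini"
SecRule REQUEST_URI "\.php\?mem"
SecRule REQUEST_URI "\.php\?cpu"
SecRule REQUEST_URI "\.php\?users"
SecRule REQUEST_URI "\.php\?tmp"
SecRule REQUEST_URI "\.php\?delete"
SecRule REQUEST_URI "curl "
SecRule REQUEST_URI "echo "
# "http://" restored (the forum had redacted it; parallels the ftp:// rule below)
SecRule REQUEST_URI "links http:// "
SecRule REQUEST_URI "links ftp:// "
SecRule REQUEST_URI "cd /tmp "
SecRule REQUEST_URI "cd /var/tmp "
# "etc/httpd" restored from the redacted token -- confirm against the original rule set
SecRule REQUEST_URI "cd /etc/httpd "
SecRule REQUEST_URI "&highlight=%2527%252E "
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php "
SecRule REQUEST_URI "arta\.zip "
SecRule REQUEST_URI "HCL_path=http "
SecRule REQUEST_URI "clamav-partial "
SecRule REQUEST_URI "vi\.recover "
SecRule REQUEST_URI "netenberg "
SecRule REQUEST_URI "fantastico_de_luxe "
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI "c99sh_datapipe.pl"
SecRule REQUEST_URI "listDBs"
# The posted list had ten partially URL-encoded "home" variants; these three
# substrings cover every one of them.
SecRule REQUEST_URI "Fhome"
SecRule REQUEST_URI "%home"
SecRule REQUEST_URI "home%"
SecRule REQUEST_URI "/etc/"
SecRule REQUEST_URI "sqlman"
SecRule REQUEST_URI "act=security"
SecRule REQUEST_URI "act=cmd"
SecRule REQUEST_URI "act=chmod"
SecRule REQUEST_URI "act=ls&d="
SecRule REQUEST_URI "act=f&f="
SecRule REQUEST_URI "act=sql"
# Mail-header injection.  The posted "Bcc:", "bcc:", "cc:\x20" and "bcc: "
# variants are all substrings that contain "cc:", so this one rule matches
# the same requests.
SecRule REQUEST_URI "cc:"
SecRule REQUEST_URI "cd "
SecRule REQUEST_URI "mtwerco_"
# Script-injection patterns.  As posted these carried ModSecurity 1.x style
# "/.../i" regex delimiters; in 2.x the pattern is a bare PCRE, so the
# trailing "/i" was a literal that had to appear in the URI and the rules
# effectively never fired.  Case-insensitivity is now expressed with (?i).
# The stray "/" before \bonerror in the original appears to be a delimiter
# remnant and was dropped -- confirm against the original rule set.
SecRule REQUEST_URI "(?i)<IMG.*\bonerror\b[\s]*="
# six TYPE= rules merged into one alternation with the same match set
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"](text\/(javascript|jscript|vbscript|ecmascript)|application\/x-(javascript|vbscript))"
# NOTE(review): the posted patterns had "[^>]" and "[^}]" (exactly one
# character) where "[^>]*" / "[^}]*" look intended; widened here -- revert
# if the single-character form was deliberate.
SecRule REQUEST_URI "(?i)STYLE[\s]*=[\s]*[^>]*expression[\s]*\("
SecRule REQUEST_URI "(?i)[\s]*expression[\s]*\([^}]*}[\s]*<\/STYLE>"
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
# Inline perl invocations; the posted list checked REQUEST_URI and
# REQUEST_FILENAME in separate rules, merged here into one variable list.
SecRule REQUEST_URI|REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI|REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
# NOTE(review): the last alternative was redacted by the forum; "https?" is a
# guess at the original -- confirm.
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|https?)"

# ---- For deny Shells opening ------------------------------------------------
# ("phpshel l" and "\ .ru/" re-joined)
SecRule REQUEST_FILENAME "/(r0nin|TrYaG|TrYg|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php"
# NOTE(review): matches any path containing ".pl" (also e.g. ".plain" and
# every legitimate Perl CGI); narrow or remove for sites that serve Perl.
SecRule REQUEST_FILENAME "\.pl"
# Response-body inspection: RESPONSE_BODY is only populated in phase 4 and
# only when SecResponseBodyAccess is On; the posted rules set neither, so in
# the default phase they matched an empty body.  NOTE(review): "shell" and
# "Sniper" will match ordinary page text (e.g. "PowerShell"); expect blocked
# legitimate responses until narrowed.
SecRule RESPONSE_BODY "TrYaG" "phase:4"
SecRule RESPONSE_BODY "SnIpEr_SA" "phase:4"
SecRule RESPONSE_BODY "Sniper" "phase:4"
SecRule RESPONSE_BODY "shell" "phase:4"
# Generic PHP body attack (posted twice; kept once).  Function-name list
# re-joined ("proc_ open", "proc _get_status", "apache_chil d_terminate",
# "posix_setpgid| posix_setsid").
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
    SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
# The posted list had ten rules over REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|
# REQUEST_URI, one substring each.  Same substrings, as one alternation,
# split into a request-side rule (phase 2) and a response-side rule (phase 4)
# so the response check actually sees the body.  NOTE(review): "config",
# "/etc", "/var", "/bin", "/usr" are bare substrings; on RESPONSE_BODY they
# block any page that merely mentions them (e.g. a link to "/binary").
# Narrow before deploying.  The unescaped dot in ".htaccess" is preserved.
SecRule REQUEST_LINE|REQUEST_BODY|REQUEST_URI "(.htaccess|sql_passwd|config|public_html|/etc|/root|/usr|/boot|/var|/bin)" "phase:2"
SecRule RESPONSE_BODY "(.htaccess|sql_passwd|config|public_html|/etc|/root|/usr|/boot|/var|/bin)" "phase:4"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"

#Generic PHP exploit signatures (function-name list re-joined)
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
    "phase:2,id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures, <?php-prefixed form
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
    "phase:2,id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
# NOTE(review): every request matched by 330001 or 330002 is also matched by
# this rule; the three are kept because each has its own id in the logs.
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
    "phase:2,id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Prevent SQL injection in cookies ("tr uncate" re-joined)
SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" \
    "phase:2,id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Generic PHP remote file injection: a URL-valued parameter together with a
#cmd/command parameter, except under /do_command.
# NOTE(review): the scheme token was redacted by the forum; "https?" covers
# both readings -- confirm.
SecRule REQUEST_URI "!(/do_command)" chain
    SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#script, perl, etc. code (shebang) in the request.
# TODO(review): the forum redacted the variable name of this rule; as posted
# it cannot load (the whole config would fail to parse), so it is left
# disabled until the variable is restored from the original rule set.
#SecRule VARIABLE-LOST-IN-FORUM-RENDERING "\#\!.*/"
#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"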

البدر
06-12-2009, 02:53 AM
شكرا لك على جهودك

بس لو في شرح أو مقدمة بسيطة، لأن

البعض يجهل وش مضمونه