رولز جديدة للمودسيكيورتي

رووح القلوب

عضو جديد
20 مارس 2009
246
1
0
السلام عليكم ورحمة الله وبركاته .

تنبيه قبل البدء في الموضوع :

قد لا تتوافق الرولز مع بعض الاسكربتات التي بها ثغرات او مشاكل برمجيه فلا احد يلقي اللوم علينا من البدايه .

الرولز تعمل حاليا علي اكثر من 120 سيرفر بدون اي مشكلة في اي موقع بها فمن تواجهه مشكله بالرولز اما ان يكون بحذفها او ان يقوم بفحصها لمعرفه سبب العطل لديه .

PHP:
mv /usr/local/apache/conf/modsec2.user.conf /usr/local/apache/conf/modsec2.user.conf2
PHP:
nano /usr/local/apache/conf/modsec2.user.conf
اضف التالي في الملف :
PHP:
#fake server banner - NOYB used - no one needs to know what we are using 
SecServerSignature "Security Modelayer.com" 

SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
#SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/home" 
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html" 
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc" 
#SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"
SecRule ARGS|HTTP_Content-Length|REQUEST_COOKIES  "/etc"


#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"

#generic path recurision sig
#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"


#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd="

#Prevent SQL injection in UA
SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult 
# to prevent false postives and negatives.  
# Pplease report false positives/negatives to abuse@modelayer.com
SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic SQL sigs
SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"


#Generic SQL sigs
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"



#Generic SQL sigs
SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 

#Meta character SQL injection
SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

#Generic command line attack filter
SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS compress\.zlib:

#Generic XSS filter
#please report false positives
SecRule REQUEST_URI "!/mt\.cgi" chain
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP Injection Attack generic signature
SecRule REQUEST_URI  "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecRule REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad furl_fopen attack sig
#tune this for your system
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/" 
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" 

#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"

#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"


#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
SecRule REQUEST_URI  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 

#Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"

#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "x20-o" 

# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS python access attempt
#SecRule "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 

# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"

# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 

# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_" 

# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest" 

# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 

# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 

#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="

# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl" 

#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" 

#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"

#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"

# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"

# TIKIWIKI
SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 

#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Commands, also need a major rework, these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" 
SecRule REQUEST_URI "cd \.\." 
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 

#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen" 

#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
SecRule ARGS_NAMES "^php:/"

# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"

# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"

# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"

#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="

#cross site scripting attempt TYPE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"

#cross site scripting attempt STYLE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"

#cross site scripting attempt STYLE + JSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"

# cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"

#cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"

#cross site scripting attempt STYLE + ECMACRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"

# cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("

#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"

# cross site scripting attempt using XML
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#Apache /server-info accessible
SecRule REQUEST_URI   "/server-info" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"

#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecRule REQUEST_BODY "methodCall\>"
#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecRule REQUEST_URI "/xmlrpc\.php" chain
#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
SecRule REQUEST_BODY  "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"

#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#catch smuggling attacks

#SecRule "^(GET|POST).*Host:.*^(GET|POST)" 

#Drupal remote command execution vulnerability exploit signature

#This is already covered in another generic signature, but just in case you leave it out, here it is

#again with a slightly tigher regexp
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"

#Slightly stronger version of the above
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"



#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"

#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"

#Generic XML RPC attack sig
SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"

#HTTP header PHP code injection attacks
SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"

#wormsign
SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"

#phpbb wormsign
SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"

#Generic PHP avatar upload exploits
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"

#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("

#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"

#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"

#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecRule REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"

#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"

#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"

#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="

#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu=


#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"

#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"

#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"

#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"

#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"

#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"

#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="

#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm
SecRule REQUEST_URI "/r57en\.php"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
SecRule REQUEST_URI "files/.*\.php\.menu\?cmd="
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
SecRule REQUEST_URI|REQUEST_BASENAME|REQUEST_FILENAME|REQUEST_HEADERS|RESPONSE_BODY|REQUEST_BODY "/(r0nin|m0rtix|r57shell|too20|phpshell|shell|sniper_sa|sniper_sa2|64|c99|r57|xp|.xp|mohajer|mysql|cgitelnet|Locus7|msql|safe|symlink|sym4|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute)\.ph(p(3|4)?|tml)" log,
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"
#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"
#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"
#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "x20-o" 
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"

# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 

# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 

# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 

# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" 


## -- General rules -------------------- 
SecRule ARGS "c:/" t:normalisePathWin 
SecRule ARGS "\.\./" t:normalisePathWin 
SecRule ARGS "d:/" t:normalisePathWin 

## -- phpBB attack -------------------- 
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" 
SecRule REQUEST_LINE "wget "
SecRule REQUEST_LINE "lynx "
SecRule REQUEST_LINE "Fhome"
SecRule REQUEST_LINE "ftp "
SecRule REQUEST_LINE "cvs"
SecRule REQUEST_LINE "php?phpinfo"
SecRule REQUEST_LINE "php?phpini"
SecRule REQUEST_LINE "php?mem"
SecRule REQUEST_LINE "php?cpu"
SecRule REQUEST_LINE "php?users"
SecRule REQUEST_LINE "php?tmp"
SecRule REQUEST_LINE "php?delete"
SecRule REQUEST_LINE "cmd"
SecRule REQUEST_LINE "act=sql&"
SecRule REQUEST_LINE "ssh "
SecRule REQUEST_LINE "echo "
SecRule REQUEST_LINE "links -dump "
SecRule REQUEST_LINE "links -dump-charset "
SecRule REQUEST_LINE "links -dump-width "
SecRule REQUEST_LINE "links http:// "
SecRule REQUEST_LINE "links ftp:// "
SecRule REQUEST_LINE "links -source "
SecRule REQUEST_LINE "mkdir "
SecRule REQUEST_LINE "cd /tmp "
SecRule REQUEST_LINE "cd /var/tmp "
SecRule REQUEST_LINE "cd /etc/httpd/proxy "
SecRule REQUEST_LINE "&highlight=%2527%252E "
SecRule REQUEST_LINE "changedir=%2Ftmp%2F.php "
SecRule REQUEST_LINE "arta\.zip "
SecRule REQUEST_LINE "cmd=cd\x20/var "
SecRule REQUEST_LINE "HCL_path=http "
SecRule REQUEST_LINE "clamav-partial "
SecRule REQUEST_LINE "vi\.recover "
SecRule REQUEST_LINE "netenberg "
SecRule REQUEST_LINE "psybnc "
SecRule REQUEST_LINE "fantastico_de_luxe "
SecRule REQUEST_LINE "2Fpublic_html&"
SecRule REQUEST_LINE ".htaccess"
SecRule REQUEST_LINE "sql_passwd"
SecRule REQUEST_LINE "c99sh_datapipe.pl"
SecRule REQUEST_LINE "listDBs"
SecRule REQUEST_LINE "%2home%2"
SecRule REQUEST_LINE "%2home%"
SecRule REQUEST_LINE "%home%"
SecRule REQUEST_LINE "%home"
SecRule REQUEST_LINE "home%"
SecRule REQUEST_LINE "%2Fhome%2"
SecRule REQUEST_LINE "%2Fhome%"
SecRule REQUEST_LINE "%Fhome%"
SecRule REQUEST_LINE "%Fhome"
SecRule REQUEST_LINE "Fhome%"
SecRule REQUEST_LINE "2Fpublic_html&"         
SecRule REQUEST_LINE "/etc/"         
SecRule REQUEST_LINE "bcc:" 
SecRule REQUEST_LINE "bcc\x3a" 
SecRule REQUEST_LINE "cc:" 
SecRule REQUEST_LINE "cc\x3a" 
SecRule REQUEST_LINE "bcc:|Bcc:|BCC:" chain  
SecRule REQUEST_BODY "Bcc:" 
SecRule REQUEST_BODY "Bcc:\x20" 
SecRule REQUEST_BODY "cc:" 
SecRule REQUEST_BODY "cc:\x20" 
SecRule REQUEST_BODY "bcc:" 
SecRule REQUEST_BODY "bcc:\x20" 
SecRule REQUEST_BODY "bcc: " 
SecRule REQUEST_LINE "Bcc:" 
SecRule REQUEST_LINE "Bcc:\x20" 
SecRule REQUEST_LINE "cc:" 
SecRule REQUEST_LINE "cc:\x20" 
SecRule REQUEST_LINE "bcc:" 
SecRule REQUEST_LINE "bcc:\x20" 
SecRule REQUEST_LINE "bcc: " 
SecRule REQUEST_LINE "cd "
#SecRule REQUEST_LINE "cat "
#SecRule REQUEST_LINE "ls "
#SecRule REQUEST_LINE "id "

#SecRule REQUEST_URI "/admincp/user\.php" chain

#WEB-PHP phpbb quick-reply.php arbitrary command attempt 
SecRule REQUEST_LINE "/quick-reply\.php" chain 
SecRule REQUEST_BODY "wget "
SecRule REQUEST_BODY "lynx "
SecRule REQUEST_BODY "Fhome"
SecRule REQUEST_BODY "ftp "
SecRule REQUEST_BODY "cvs "
#SecRule REQUEST_BODY "cmd"
SecRule REQUEST_BODY "curl "
SecRule REQUEST_BODY "act=sql&"
SecRule REQUEST_BODY "ssh "
SecRule REQUEST_BODY "echo "
SecRule REQUEST_BODY "links -dump "
SecRule REQUEST_BODY "links -dump-charset "
SecRule REQUEST_BODY "links -dump-width "
SecRule REQUEST_BODY "links http:// "
SecRule REQUEST_BODY "links ftp:// "
SecRule REQUEST_BODY "links -source "
SecRule REQUEST_BODY "mkdir "
SecRule REQUEST_BODY "cd /tmp "
SecRule REQUEST_BODY "cd /var/tmp "
SecRule REQUEST_BODY "cd /etc/httpd/proxy "
SecRule REQUEST_BODY "&highlight=%2527%252E "
SecRule REQUEST_BODY "changedir=%2Ftmp%2F.php "
SecRule REQUEST_BODY "arta\.zip "
SecRule REQUEST_BODY "cmd=cd\x20/var "
SecRule REQUEST_BODY "HCL_path=http "
SecRule REQUEST_BODY "clamav-partial "
SecRule REQUEST_BODY "vi\.recover "
SecRule REQUEST_BODY "netenberg "
SecRule REQUEST_BODY "psybnc "
SecRule REQUEST_BODY "fantastico_de_luxe "
SecRule REQUEST_BODY ".htaccess"

#SecRule REQUEST_BODY "sql_passwd"
SecRule REQUEST_BODY "c99sh_datapipe.pl"
SecRule REQUEST_BODY "listDBs"
SecRule REQUEST_BODY "%2home%2"
SecRule REQUEST_BODY "%2home%"
SecRule REQUEST_BODY "%home%"
SecRule REQUEST_BODY "%home"
SecRule REQUEST_BODY "home%"
SecRule REQUEST_BODY "%2Fhome%2"
SecRule REQUEST_BODY "%2Fhome%"
SecRule REQUEST_BODY "%Fhome%"
SecRule REQUEST_BODY "%Fhome"
SecRule REQUEST_BODY "Fhome%"
SecRule REQUEST_BODY "2Fpublic_html&"         
SecRule REQUEST_BODY "/etc/"      
SecRule REQUEST_BODY "db_server"     
SecRule REQUEST_BODY "SHOW DATABASES "  

# For deny Shells opening  
SecRule REQUEST_FILENAME "/(r57shell|TrYaG|TrYg|m0rtix|r0nin|c99shell|phpshell|sa3ekashell|crackit|c777|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php" 
SecRule REQUEST_FILENAME "\.pl" 
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" 
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"    
SecRule RESPONSE_BODY "TrYaG" 
SecRule RESPONSE_BODY "shell" 
SecRule RESPONSE_BODY "Sniper" 
SecRule RESPONSE_BODY "SnIpEr_SA" 
SecRule RESPONSE_BODY "c99"
PHP:
/etc/init.d/httpd restart
من يرغب في استرجاع الرولز القديمه الخاصه به ينفذ الامر التالي :


PHP:
mv /usr/local/apache/conf/modsec2.user.conf2 /usr/local/apache/conf/modsec2.user.conf
PHP:
/etc/init.d/httpd restart
و السلام عليكم ورحمة الله وبركاته