RubyGems - ddtrace - Versions diffs - 1.0.0 → 1.9.0 - Mend

ddtrace 1.0.0 → 1.9.0

Files changed (646) hide show

data/lib/datadog/appsec/assets/waf_rules/recommended.json CHANGED Viewed

@@ -1,9 +1,34 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.3.1"
+    "rules_version": "1.4.3"
   },
   "rules": [
+    {
+      "id": "blk-001-001",
+      "name": "Block IP Addresses",
+      "tags": {
+        "type": "block_ip",
+        "category": "security_response"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "http.client_ip"
+              }
+            ],
+            "data": "blocked_ips"
+          },
+          "operator": "ip_match"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "block"
+      ]
+    },
     {
       "id": "crs-913-110",
       "name": "Acunetix",
@@ -224,7 +249,7 @@
                 "address": "server.request.headers.no_cookies"
               }
             ],
-            "regex": "(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))",
+            "regex": "(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2,3}(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/|\\x5c)",
             "options": {
               "min_length": 4
             }
@@ -255,7 +280,7 @@
                 "address": "server.request.headers.no_cookies"
               }
             ],
-            "regex": "(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))",
+            "regex": "(?:(?:^|[\\x5c/])\\.{2,3}[\\x5c/]|[\\x5c/]\\.{2,3}(?:[\\x5c/]|$))",
             "options": {
               "case_sensitive": true,
               "min_length": 3
@@ -299,6 +324,8 @@
               "/.htpasswd",
               "/.addressbook",
               "/.aptitude/config",
+              ".aws/config",
+              ".aws/credentials",
               "/.bash_config",
               "/.bash_history",
               "/.bash_logout",
@@ -330,6 +357,7 @@
               "/.nano_history",
               "/.node_repl_history",
               "/.pearrc",
+              "/.pgpass",
               "/.php_history",
               "/.pinerc",
               ".pki/",
@@ -350,6 +378,8 @@
               ".ssh/id_rsa.pub",
               ".ssh/identity",
               ".ssh/identity.pub",
+              ".ssh/id_ecdsa",
+              ".ssh/id_ecdsa.pub",
               ".ssh/known_hosts",
               ".subversion/auth",
               ".subversion/config",
@@ -366,6 +396,225 @@
               "/.zshrc",
               "/.zsh_history",
               "/.nsconfig",
+              "data/elasticsearch",
+              "data/kafka",
+              "etc/ansible",
+              "etc/bind",
+              "etc/centos-release",
+              "etc/centos-release-upstream",
+              "etc/clam.d",
+              "etc/elasticsearch",
+              "etc/freshclam.conf",
+              "etc/gshadow",
+              "etc/gshadow-",
+              "etc/httpd",
+              "etc/kafka",
+              "etc/kibana",
+              "etc/logstash",
+              "etc/lvm",
+              "etc/mongod.conf",
+              "etc/my.cnf",
+              "etc/nuxeo.conf",
+              "etc/pki",
+              "etc/postfix",
+              "etc/scw-release",
+              "etc/subgid",
+              "etc/subgid-",
+              "etc/sudoers.d",
+              "etc/sysconfig",
+              "etc/system-release-cpe",
+              "opt/nuxeo",
+              "opt/tomcat",
+              "tmp/kafka-logs",
+              "usr/lib/rpm/rpm.log",
+              "var/data/elasticsearch",
+              "var/lib/elasticsearch",
+              "etc/.java",
+              "etc/acpi",
+              "etc/alsa",
+              "etc/alternatives",
+              "etc/apache2",
+              "etc/apm",
+              "etc/apparmor",
+              "etc/apparmor.d",
+              "etc/apport",
+              "etc/apt",
+              "etc/asciidoc",
+              "etc/avahi",
+              "etc/bash_completion.d",
+              "etc/binfmt.d",
+              "etc/bluetooth",
+              "etc/bonobo-activation",
+              "etc/brltty",
+              "etc/ca-certificates",
+              "etc/calendar",
+              "etc/chatscripts",
+              "etc/chromium-browser",
+              "etc/clamav",
+              "etc/cni",
+              "etc/console-setup",
+              "etc/coraza-waf",
+              "etc/cracklib",
+              "etc/cron.d",
+              "etc/cron.daily",
+              "etc/cron.hourly",
+              "etc/cron.monthly",
+              "etc/cron.weekly",
+              "etc/cups",
+              "etc/cups.save",
+              "etc/cupshelpers",
+              "etc/dbus-1",
+              "etc/dconf",
+              "etc/default",
+              "etc/depmod.d",
+              "etc/dhcp",
+              "etc/dictionaries-common",
+              "etc/dkms",
+              "etc/dnsmasq.d",
+              "etc/dockeretc/dpkg",
+              "etc/emacs",
+              "etc/environment.d",
+              "etc/fail2ban",
+              "etc/firebird",
+              "etc/firefox",
+              "etc/fonts",
+              "etc/fwupd",
+              "etc/gconf",
+              "etc/gdb",
+              "etc/gdm3",
+              "etc/geoclue",
+              "etc/ghostscript",
+              "etc/gimp",
+              "etc/glvnd",
+              "etc/gnome",
+              "etc/gnome-vfs-2.0",
+              "etc/gnucash",
+              "etc/gnustep",
+              "etc/groff",
+              "etc/grub.d",
+              "etc/gss",
+              "etc/gtk-2.0",
+              "etc/gtk-3.0",
+              "etc/hp",
+              "etc/ifplugd",
+              "etc/imagemagick-6",
+              "etc/init",
+              "etc/init.d",
+              "etc/initramfs-tools",
+              "etc/insserv.conf.d",
+              "etc/iproute2",
+              "etc/iptables",
+              "etc/java",
+              "etc/java-11-openjdk",
+              "etc/java-17-oracle",
+              "etc/java-8-openjdk",
+              "etc/kernel",
+              "etc/ld.so.conf.d",
+              "etc/ldap",
+              "etc/libblockdev",
+              "etc/libibverbs.d",
+              "etc/libnl-3",
+              "etc/libpaper.d",
+              "etc/libreoffice",
+              "etc/lighttpd",
+              "etc/logcheck",
+              "etc/logrotate.d",
+              "etc/lynx",
+              "etc/mail",
+              "etc/mc",
+              "etc/menu",
+              "etc/menu-methods",
+              "etc/modprobe.d",
+              "etc/modsecurity",
+              "etc/modules-load.d",
+              "etc/monit",
+              "etc/mono",
+              "etc/mplayer",
+              "etc/mpv",
+              "etc/muttrc.d",
+              "etc/mysql",
+              "etc/netplan",
+              "etc/network",
+              "etc/networkd-dispatcher",
+              "etc/networkmanager",
+              "etc/newt",
+              "etc/nghttpx",
+              "etc/nikto",
+              "etc/odbcdatasources",
+              "etc/openal",
+              "etc/openmpi",
+              "etc/opt",
+              "etc/osync",
+              "etc/packagekit",
+              "etc/pam.d",
+              "etc/pcmcia",
+              "etc/perl",
+              "etc/php",
+              "etc/pki",
+              "etc/pm",
+              "etc/polkit-1",
+              "etc/postfix",
+              "etc/ppp",
+              "etc/profile.d",
+              "etc/proftpd",
+              "etc/pulse",
+              "etc/python",
+              "etc/rc0.d",
+              "etc/rc1.d",
+              "etc/rc2.d",
+              "etc/rc3.d",
+              "etc/rc4.d",
+              "etc/rc5.d",
+              "etc/rc6.d",
+              "etc/rcs.d",
+              "etc/resolvconf",
+              "etc/rsyslog.d",
+              "etc/samba",
+              "etc/sane.d",
+              "etc/security",
+              "etc/selinux",
+              "etc/sensors.d",
+              "etc/sgml",
+              "etc/signon-ui",
+              "etc/skel",
+              "etc/snmp",
+              "etc/sound",
+              "etc/spamassassin",
+              "etc/speech-dispatcher",
+              "etc/ssh",
+              "etc/ssl",
+              "etc/sudoers.d",
+              "etc/sysctl.d",
+              "etc/sysstat",
+              "etc/systemd",
+              "etc/terminfo",
+              "etc/texmf",
+              "etc/thermald",
+              "etc/thnuclnt",
+              "etc/thunderbird",
+              "etc/timidity",
+              "etc/tmpfiles.d",
+              "etc/ubuntu-advantage",
+              "etc/udev",
+              "etc/udisks2",
+              "etc/ufw",
+              "etc/update-manager",
+              "etc/update-motd.d",
+              "etc/update-notifier",
+              "etc/upower",
+              "etc/urlview",
+              "etc/usb_modeswitch.d",
+              "etc/vim",
+              "etc/vmware",
+              "etc/vmware-installer",
+              "etc/vmware-vix",
+              "etc/vulkan",
+              "etc/w3m",
+              "etc/wireshark",
+              "etc/wpa_supplicant",
+              "etc/x11",
+              "etc/xdg",
+              "etc/xml",
               "etc/redis.conf",
               "etc/redis-sentinel.conf",
               "etc/php.ini",
@@ -417,10 +666,8 @@
               "usr/local/cpanel/logs/license_log",
               "usr/local/cpanel/logs/login_log",
               "var/cpanel/cpanel.config",
-              "var/log/sw-cp-server/error_log",
               "usr/local/psa/admin/logs/httpsd_access_log",
               "usr/local/psa/admin/logs/panel.log",
-              "var/log/sso/sso.log",
               "usr/local/psa/admin/conf/php.ini",
               "etc/sw-cp-server/applications.d/plesk.conf",
               "usr/local/psa/admin/conf/site_isolation_settings.ini",
@@ -428,16 +675,6 @@
               "etc/sw-cp-server/applications.d/00-sso-cpserver.conf",
               "etc/sso/sso_config.ini",
               "etc/mysql/conf.d/old_passwords.cnf",
-              "var/log/mysql/mysql-bin.log",
-              "var/log/mysql/mysql-bin.index",
-              "var/log/mysql/data/mysql-bin.index",
-              "var/log/mysql.log",
-              "var/log/mysql.err",
-              "var/log/mysqlderror.log",
-              "var/log/mysql/mysql.log",
-              "var/log/mysql/mysql-slow.log",
-              "var/log/mysql-bin.index",
-              "var/log/data/mysql-bin.index",
               "var/mysql.log",
               "var/mysql-bin.index",
               "var/data/mysql-bin.index",
@@ -474,21 +711,6 @@
               "mysql/my.cnf",
               "mysql/bin/my.ini",
               "var/postgresql/log/postgresql.log",
-              "var/log/postgresql/postgresql.log",
-              "var/log/postgres/pg_backup.log",
-              "var/log/postgres/postgres.log",
-              "var/log/postgresql.log",
-              "var/log/pgsql/pgsql.log",
-              "var/log/postgresql/postgresql-8.1-main.log",
-              "var/log/postgresql/postgresql-8.3-main.log",
-              "var/log/postgresql/postgresql-8.4-main.log",
-              "var/log/postgresql/postgresql-9.0-main.log",
-              "var/log/postgresql/postgresql-9.1-main.log",
-              "var/log/pgsql8.log",
-              "var/log/postgresql/postgres.log",
-              "var/log/pgsql_log",
-              "var/log/postgresql/main.log",
-              "var/log/cron/var/log/postgres.log",
               "usr/internet/pgsql/data/postmaster.log",
               "usr/local/pgsql/data/postgresql.log",
               "usr/local/pgsql/data/pg_log",
@@ -572,29 +794,21 @@
               "windows/system32/logfiles/msftpsvc2",
               "etc/logrotate.d/proftpd",
               "www/logs/proftpd.system.log",
-              "var/log/proftpd",
-              "var/log/proftpd/xferlog.legacy",
-              "var/log/proftpd.access_log",
-              "var/log/proftpd.xferlog",
               "etc/pam.d/proftpd",
               "etc/proftp.conf",
               "etc/protpd/proftpd.conf",
               "etc/vhcs2/proftpd/proftpd.conf",
               "etc/proftpd/modules.conf",
-              "var/log/vsftpd.log",
               "etc/vsftpd.chroot_list",
               "etc/logrotate.d/vsftpd.log",
               "etc/vsftpd/vsftpd.conf",
               "etc/vsftpd.conf",
               "etc/chrootusers",
-              "var/log/xferlog",
               "var/adm/log/xferlog",
               "etc/wu-ftpd/ftpaccess",
               "etc/wu-ftpd/ftphosts",
               "etc/wu-ftpd/ftpusers",
-              "var/log/pure-ftpd/pure-ftpd.log",
               "logs/pure-ftpd.log",
-              "var/log/pureftpd.log",
               "usr/sbin/pure-config.pl",
               "usr/etc/pure-ftpd.conf",
               "etc/pure-ftpd/pure-ftpd.conf",
@@ -620,30 +834,18 @@
               "usr/ports/contrib/pure-ftpd/pure-ftpd.conf",
               "usr/ports/contrib/pure-ftpd/pureftpd.pdb",
               "usr/ports/contrib/pure-ftpd/pureftpd.passwd",
-              "var/log/muddleftpd",
               "usr/sbin/mudlogd",
               "etc/muddleftpd/mudlog",
               "etc/muddleftpd.com",
               "etc/muddleftpd/mudlogd.conf",
               "etc/muddleftpd/muddleftpd.conf",
-              "var/log/muddleftpd.conf",
               "usr/sbin/mudpasswd",
               "etc/muddleftpd/muddleftpd.passwd",
               "etc/muddleftpd/passwd",
-              "var/log/ftp-proxy/ftp-proxy.log",
-              "var/log/ftp-proxy",
-              "var/log/ftplog",
               "etc/logrotate.d/ftp",
               "etc/ftpchroot",
               "etc/ftphosts",
               "etc/ftpusers",
-              "var/log/exim_mainlog",
-              "var/log/exim/mainlog",
-              "var/log/maillog",
-              "var/log/exim_paniclog",
-              "var/log/exim/paniclog",
-              "var/log/exim/rejectlog",
-              "var/log/exim_rejectlog",
               "winnt/system32/logfiles/smtpsvc",
               "winnt/system32/logfiles/smtpsvc1",
               "winnt/system32/logfiles/smtpsvc2",
@@ -716,7 +918,6 @@
               "library/webserver/documents/default.htm",
               "library/webserver/documents/index.php",
               "library/webserver/documents/default.php",
-              "var/log/webmin/miniserv.log",
               "usr/local/etc/webmin/miniserv.conf",
               "etc/webmin/miniserv.conf",
               "usr/local/etc/webmin/miniserv.users",
@@ -729,8 +930,6 @@
               "windows/system32/logfiles/w3svc1/inetsvn1.log",
               "windows/system32/logfiles/w3svc2/inetsvn1.log",
               "windows/system32/logfiles/w3svc3/inetsvn1.log",
-              "var/log/httpd/access_log",
-              "var/log/httpd/error_log",
               "apache/logs/error.log",
               "apache/logs/access.log",
               "apache2/logs/error.log",
@@ -753,20 +952,6 @@
               "var/www/logs/access.log",
               "var/www/logs/error_log",
               "var/www/logs/error.log",
-              "var/log/httpd/access.log",
-              "var/log/httpd/error.log",
-              "var/log/apache/access_log",
-              "var/log/apache/access.log",
-              "var/log/apache/error_log",
-              "var/log/apache/error.log",
-              "var/log/apache2/access_log",
-              "var/log/apache2/access.log",
-              "var/log/apache2/error_log",
-              "var/log/apache2/error.log",
-              "var/log/access_log",
-              "var/log/access.log",
-              "var/log/error_log",
-              "var/log/error.log",
               "opt/lampp/logs/access_log",
               "opt/lampp/logs/error_log",
               "opt/xampp/logs/access_log",
@@ -905,7 +1090,6 @@
               "usr/share/tomcat6/conf/context.xml",
               "usr/share/tomcat6/conf/workers.properties",
               "usr/share/tomcat6/conf/logging.properties",
-              "var/log/tomcat6/catalina.out",
               "var/cpanel/tomcat.options",
               "usr/local/jakarta/tomcat/logs/catalina.out",
               "usr/local/jakarta/tomcat/logs/catalina.err",
@@ -986,23 +1170,14 @@
               "program files/[jboss]/server/default/log/boot.log",
               "[jboss]/server/default/log/server.log",
               "[jboss]/server/default/log/boot.log",
-              "var/log/lighttpd.error.log",
-              "var/log/lighttpd.access.log",
               "var/lighttpd.log",
               "var/logs/access.log",
-              "var/log/lighttpd/",
-              "var/log/lighttpd/error.log",
-              "var/log/lighttpd/access.www.log",
-              "var/log/lighttpd/error.www.log",
-              "var/log/lighttpd/access.log",
               "usr/local/apache2/logs/lighttpd.error.log",
               "usr/local/apache2/logs/lighttpd.log",
               "usr/local/apache/logs/lighttpd.error.log",
               "usr/local/apache/logs/lighttpd.log",
               "usr/local/lighttpd/log/lighttpd.error.log",
               "usr/local/lighttpd/log/access.log",
-              "var/log/lighttpd/{domain}/access.log",
-              "var/log/lighttpd/{domain}/error.log",
               "usr/home/user/var/log/lighttpd.error.log",
               "usr/home/user/var/log/apache.log",
               "home/user/lighttpd/lighttpd.conf",
@@ -1012,12 +1187,6 @@
               "usr/local/lighttpd/conf/lighttpd.conf",
               "usr/local/etc/lighttpd.conf.new",
               "var/www/.lighttpdpassword",
-              "var/log/nginx/access_log",
-              "var/log/nginx/error_log",
-              "var/log/nginx/access.log",
-              "var/log/nginx/error.log",
-              "var/log/nginx.access_log",
-              "var/log/nginx.error_log",
               "logs/access_log",
               "logs/error_log",
               "etc/nginx/nginx.conf",
@@ -1033,12 +1202,6 @@
               "usr/local/logs/access.log",
               "usr/local/samba/lib/log.user",
               "usr/local/logs/samba.log",
-              "var/log/samba/log.smbd",
-              "var/log/samba/log.nmbd",
-              "var/log/samba.log",
-              "var/log/samba.log1",
-              "var/log/samba.log2",
-              "var/log/log.smb",
               "etc/samba/netlogon",
               "etc/smbpasswd",
               "etc/smb.conf",
@@ -1067,10 +1230,6 @@
               "etc/wicd/manager-settings.conf",
               "etc/wicd/wired-settings.conf",
               "etc/wicd/wireless-settings.conf",
-              "var/log/ipfw.log",
-              "var/log/ipfw",
-              "var/log/ipfw/ipfw.log",
-              "var/log/ipfw.today",
               "etc/ipfw.rules",
               "etc/ipfw.conf",
               "etc/firewall.rules",
@@ -1089,33 +1248,6 @@
               "etc/bluetooth/main.conf",
               "etc/bluetooth/network.conf",
               "etc/bluetooth/rfcomm.conf",
-              "proc/self/environ",
-              "proc/self/mounts",
-              "proc/self/stat",
-              "proc/self/status",
-              "proc/self/cmdline",
-              "proc/self/fd/0",
-              "proc/self/fd/1",
-              "proc/self/fd/2",
-              "proc/self/fd/3",
-              "proc/self/fd/4",
-              "proc/self/fd/5",
-              "proc/self/fd/6",
-              "proc/self/fd/7",
-              "proc/self/fd/8",
-              "proc/self/fd/9",
-              "proc/self/fd/10",
-              "proc/self/fd/11",
-              "proc/self/fd/12",
-              "proc/self/fd/13",
-              "proc/self/fd/14",
-              "proc/self/fd/15",
-              "proc/version",
-              "proc/devices",
-              "proc/cpuinfo",
-              "proc/meminfo",
-              "proc/net/tcp",
-              "proc/net/udp",
               "etc/bash_completion.d/debconf",
               "root/.bash_logout",
               "root/.bash_history",
@@ -1153,39 +1285,12 @@
               "var/adm/aculog",
               "var/adm/vold.log",
               "var/adm/log/asppp.log",
-              "var/log/poplog",
-              "var/log/authlog",
               "var/lp/logs/lpsched",
               "var/lp/logs/lpnet",
               "var/lp/logs/requests",
               "var/cron/log",
               "var/saf/_log",
               "var/saf/port/log",
-              "var/log/news.all",
-              "var/log/news/news.all",
-              "var/log/news/news.crit",
-              "var/log/news/news.err",
-              "var/log/news/news.notice",
-              "var/log/news/suck.err",
-              "var/log/news/suck.notice",
-              "var/log/messages",
-              "var/log/messages.1",
-              "var/log/user.log",
-              "var/log/user.log.1",
-              "var/log/auth.log",
-              "var/log/pm-powersave.log",
-              "var/log/xorg.0.log",
-              "var/log/daemon.log",
-              "var/log/daemon.log.1",
-              "var/log/kern.log",
-              "var/log/kern.log.1",
-              "var/log/mail.err",
-              "var/log/mail.info",
-              "var/log/mail.warn",
-              "var/log/ufw.log",
-              "var/log/boot.log",
-              "var/log/syslog",
-              "var/log/syslog.1",
               "tmp/access.log",
               "etc/sensors.conf",
               "etc/sensors3.conf",
@@ -1271,6 +1376,8 @@
               "etc/sudoers",
               "etc/sysconfig/network-scripts/ifcfg-eth0",
               "etc/redhat-release",
+              "etc/scw-release",
+              "etc/system-release-cpe",
               "etc/debian_version",
               "etc/fedora-release",
               "etc/mandrake-release",
@@ -1287,11 +1394,7 @@
               "root/.ksh_history",
               "root/.xauthority",
               "usr/lib/security/mkuser.default",
-              "var/log/squirrelmail.log",
-              "var/log/apache2/squirrelmail.log",
-              "var/log/apache2/squirrelmail.err.log",
               "var/lib/squirrelmail/prefs/squirrelmail.log",
-              "var/log/mail.log",
               "etc/squirrelmail/apache.conf",
               "etc/squirrelmail/config_local.php",
               "etc/squirrelmail/default_pref",
@@ -1345,6 +1448,134 @@
               "etc/vmware-tools/config",
               "etc/vmware-tools/tpvmlp.conf",
               "etc/vmware-tools/vmware-tools-libraries.conf",
+              "var/log",
+              "var/log/sw-cp-server/error_log",
+              "var/log/sso/sso.log",
+              "var/log/dpkg.log",
+              "var/log/btmp",
+              "var/log/utmp",
+              "var/log/wtmp",
+              "var/log/mysql/mysql-bin.log",
+              "var/log/mysql/mysql-bin.index",
+              "var/log/mysql/data/mysql-bin.index",
+              "var/log/mysql.log",
+              "var/log/mysql.err",
+              "var/log/mysqlderror.log",
+              "var/log/mysql/mysql.log",
+              "var/log/mysql/mysql-slow.log",
+              "var/log/mysql-bin.index",
+              "var/log/data/mysql-bin.index",
+              "var/log/postgresql/postgresql.log",
+              "var/log/postgres/pg_backup.log",
+              "var/log/postgres/postgres.log",
+              "var/log/postgresql.log",
+              "var/log/pgsql/pgsql.log",
+              "var/log/postgresql/postgresql-8.1-main.log",
+              "var/log/postgresql/postgresql-8.3-main.log",
+              "var/log/postgresql/postgresql-8.4-main.log",
+              "var/log/postgresql/postgresql-9.0-main.log",
+              "var/log/postgresql/postgresql-9.1-main.log",
+              "var/log/pgsql8.log",
+              "var/log/postgresql/postgres.log",
+              "var/log/pgsql_log",
+              "var/log/postgresql/main.log",
+              "var/log/cron",
+              "var/log/postgres.log",
+              "var/log/proftpd",
+              "var/log/proftpd/xferlog.legacy",
+              "var/log/proftpd.access_log",
+              "var/log/proftpd.xferlog",
+              "var/log/vsftpd.log",
+              "var/log/xferlog",
+              "var/log/pure-ftpd/pure-ftpd.log",
+              "var/log/pureftpd.log",
+              "var/log/muddleftpd",
+              "var/log/muddleftpd.conf",
+              "var/log/ftp-proxy/ftp-proxy.log",
+              "var/log/ftp-proxy",
+              "var/log/ftplog",
+              "var/log/exim_mainlog",
+              "var/log/exim/mainlog",
+              "var/log/maillog",
+              "var/log/exim_paniclog",
+              "var/log/exim/paniclog",
+              "var/log/exim/rejectlog",
+              "var/log/exim_rejectlog",
+              "var/log/webmin/miniserv.log",
+              "var/log/httpd/access_log",
+              "var/log/httpd/error_log",
+              "var/log/httpd/access.log",
+              "var/log/httpd/error.log",
+              "var/log/apache/access_log",
+              "var/log/apache/access.log",
+              "var/log/apache/error_log",
+              "var/log/apache/error.log",
+              "var/log/apache2/access_log",
+              "var/log/apache2/access.log",
+              "var/log/apache2/error_log",
+              "var/log/apache2/error.log",
+              "var/log/access_log",
+              "var/log/access.log",
+              "var/log/error_log",
+              "var/log/error.log",
+              "var/log/tomcat6/catalina.out",
+              "var/log/lighttpd.error.log",
+              "var/log/lighttpd.access.log",
+              "var/logs/access.log",
+              "var/log/lighttpd/",
+              "var/log/lighttpd/error.log",
+              "var/log/lighttpd/access.www.log",
+              "var/log/lighttpd/error.www.log",
+              "var/log/lighttpd/access.log",
+              "var/log/lighttpd/{domain}/access.log",
+              "var/log/lighttpd/{domain}/error.log",
+              "var/log/nginx/access_log",
+              "var/log/nginx/error_log",
+              "var/log/nginx/access.log",
+              "var/log/nginx/error.log",
+              "var/log/nginx.access_log",
+              "var/log/nginx.error_log",
+              "var/log/samba/log.smbd",
+              "var/log/samba/log.nmbd",
+              "var/log/samba.log",
+              "var/log/samba.log1",
+              "var/log/samba.log2",
+              "var/log/log.smb",
+              "var/log/ipfw.log",
+              "var/log/ipfw",
+              "var/log/ipfw/ipfw.log",
+              "var/log/ipfw.today",
+              "var/log/poplog",
+              "var/log/authlog",
+              "var/log/news.all",
+              "var/log/news/news.all",
+              "var/log/news/news.crit",
+              "var/log/news/news.err",
+              "var/log/news/news.notice",
+              "var/log/news/suck.err",
+              "var/log/news/suck.notice",
+              "var/log/messages",
+              "var/log/messages.1",
+              "var/log/user.log",
+              "var/log/user.log.1",
+              "var/log/auth.log",
+              "var/log/pm-powersave.log",
+              "var/log/xorg.0.log",
+              "var/log/daemon.log",
+              "var/log/daemon.log.1",
+              "var/log/kern.log",
+              "var/log/kern.log.1",
+              "var/log/mail.err",
+              "var/log/mail.info",
+              "var/log/mail.warn",
+              "var/log/ufw.log",
+              "var/log/boot.log",
+              "var/log/syslog",
+              "var/log/syslog.1",
+              "var/log/squirrelmail.log",
+              "var/log/apache2/squirrelmail.log",
+              "var/log/apache2/squirrelmail.err.log",
+              "var/log/mail.log",
               "var/log/vmware/hostd.log",
               "var/log/vmware/hostd-1.log",
               "/wp-config.php",
@@ -1369,8 +1600,8 @@
               "/web.config",
               "includes/config.php",
               "includes/configure.php",
-              "config.inc.php",
-              "localsettings.php",
+              "/config.inc.php",
+              "/localsettings.php",
               "inc/config.php",
               "typo3conf/localconf.php",
               "config/app.php",
@@ -1397,7 +1628,122 @@
               "/ormconfig.json",
               "/tsconfig.json",
               "/webpack.config.js",
-              "/yarn.lock"
+              "/yarn.lock",
+              "proc/0",
+              "proc/1",
+              "proc/2",
+              "proc/3",
+              "proc/4",
+              "proc/5",
+              "proc/6",
+              "proc/7",
+              "proc/8",
+              "proc/9",
+              "proc/acpi",
+              "proc/asound",
+              "proc/bootconfig",
+              "proc/buddyinfo",
+              "proc/bus",
+              "proc/cgroups",
+              "proc/cmdline",
+              "proc/config.gz",
+              "proc/consoles",
+              "proc/cpuinfo",
+              "proc/crypto",
+              "proc/devices",
+              "proc/diskstats",
+              "proc/dma",
+              "proc/docker",
+              "proc/driver",
+              "proc/dynamic_debug",
+              "proc/execdomains",
+              "proc/fb",
+              "proc/filesystems",
+              "proc/fs",
+              "proc/interrupts",
+              "proc/iomem",
+              "proc/ioports",
+              "proc/ipmi",
+              "proc/irq",
+              "proc/kallsyms",
+              "proc/kcore",
+              "proc/keys",
+              "proc/keys",
+              "proc/key-users",
+              "proc/kmsg",
+              "proc/kpagecgroup",
+              "proc/kpagecount",
+              "proc/kpageflags",
+              "proc/latency_stats",
+              "proc/loadavg",
+              "proc/locks",
+              "proc/mdstat",
+              "proc/meminfo",
+              "proc/misc",
+              "proc/modules",
+              "proc/mounts",
+              "proc/mpt",
+              "proc/mtd",
+              "proc/mtrr",
+              "proc/net",
+              "proc/net/tcp",
+              "proc/net/udp",
+              "proc/pagetypeinfo",
+              "proc/partitions",
+              "proc/pressure",
+              "proc/sched_debug",
+              "proc/schedstat",
+              "proc/scsi",
+              "proc/self",
+              "proc/self/cmdline",
+              "proc/self/environ",
+              "proc/self/fd/0",
+              "proc/self/fd/1",
+              "proc/self/fd/10",
+              "proc/self/fd/11",
+              "proc/self/fd/12",
+              "proc/self/fd/13",
+              "proc/self/fd/14",
+              "proc/self/fd/15",
+              "proc/self/fd/2",
+              "proc/self/fd/3",
+              "proc/self/fd/4",
+              "proc/self/fd/5",
+              "proc/self/fd/6",
+              "proc/self/fd/7",
+              "proc/self/fd/8",
+              "proc/self/fd/9",
+              "proc/self/mounts",
+              "proc/self/stat",
+              "proc/self/status",
+              "proc/slabinfo",
+              "proc/softirqs",
+              "proc/stat",
+              "proc/swaps",
+              "proc/sys",
+              "proc/sysrq-trigger",
+              "proc/sysvipc",
+              "proc/thread-self",
+              "proc/timer_list",
+              "proc/timer_stats",
+              "proc/tty",
+              "proc/uptime",
+              "proc/version",
+              "proc/version_signature",
+              "proc/vmallocinfo",
+              "proc/vmstat",
+              "proc/zoneinfo",
+              "sys/block",
+              "sys/bus",
+              "sys/class",
+              "sys/dev",
+              "sys/devices",
+              "sys/firmware",
+              "sys/fs",
+              "sys/hypervisor",
+              "sys/kernel",
+              "sys/module",
+              "sys/power"
             ]
           },
           "operator": "phrase_match"
@@ -1456,7 +1802,7 @@
                 "address": "server.request.path_params"
               }
             ],
-            "regex": "^(?i:file|ftps?|https?).*?\\?+$",
+            "regex": "^(?i:file|ftps?|http)://.*?\\?+$",
             "options": {
               "case_sensitive": true,
               "min_length": 4
@@ -1511,103 +1857,456 @@
               "$ostype",
               "$path",
               "$pwd",
+              "dev/fd/",
+              "dev/null",
+              "dev/stderr",
+              "dev/stdin",
+              "dev/stdout",
+              "dev/tcp/",
+              "dev/udp/",
+              "dev/zero",
+              "etc/group",
+              "etc/master.passwd",
+              "etc/passwd",
+              "etc/pwd.db",
+              "etc/shadow",
+              "etc/shells",
+              "etc/spwd.db",
+              "proc/self/",
+              "bin/7z",
+              "bin/7za",
+              "bin/7zr",
+              "bin/ab",
+              "bin/agetty",
+              "bin/ansible-playbook",
+              "bin/apt",
+              "bin/apt-get",
+              "bin/ar",
+              "bin/aria2c",
+              "bin/arj",
+              "bin/arp",
+              "bin/as",
+              "bin/ascii-xfr",
+              "bin/ascii85",
+              "bin/ash",
+              "bin/aspell",
+              "bin/at",
+              "bin/atobm",
+              "bin/awk",
+              "bin/base32",
+              "bin/base64",
+              "bin/basenc",
               "bin/bash",
+              "bin/bpftrace",
+              "bin/bridge",
+              "bin/bundler",
+              "bin/bunzip2",
+              "bin/busctl",
+              "bin/busybox",
+              "bin/byebug",
+              "bin/bzcat",
+              "bin/bzcmp",
+              "bin/bzdiff",
+              "bin/bzegrep",
+              "bin/bzexe",
+              "bin/bzfgrep",
+              "bin/bzgrep",
+              "bin/bzip2",
+              "bin/bzip2recover",
+              "bin/bzless",
+              "bin/bzmore",
+              "bin/bzz",
+              "bin/c89",
+              "bin/c99",
+              "bin/cancel",
+              "bin/capsh",
               "bin/cat",
+              "bin/cc",
+              "bin/certbot",
+              "bin/check_by_ssh",
+              "bin/check_cups",
+              "bin/check_log",
+              "bin/check_memory",
+              "bin/check_raid",
+              "bin/check_ssl_cert",
+              "bin/check_statusfile",
+              "bin/chmod",
+              "bin/choom",
+              "bin/chown",
+              "bin/chroot",
+              "bin/clang",
+              "bin/clang++",
+              "bin/cmp",
+              "bin/cobc",
+              "bin/column",
+              "bin/comm",
+              "bin/composer",
+              "bin/core_perl/zipdetails",
+              "bin/cowsay",
+              "bin/cowthink",
+              "bin/cp",
+              "bin/cpan",
+              "bin/cpio",
+              "bin/cpulimit",
+              "bin/crash",
+              "bin/crontab",
               "bin/csh",
+              "bin/csplit",
+              "bin/csvtool",
+              "bin/cupsfilter",
+              "bin/curl",
+              "bin/cut",
               "bin/dash",
+              "bin/date",
+              "bin/dd",
+              "bin/dev/fd/",
+              "bin/dev/null",
+              "bin/dev/stderr",
+              "bin/dev/stdin",
+              "bin/dev/stdout",
+              "bin/dev/tcp/",
+              "bin/dev/udp/",
+              "bin/dev/zero",
+              "bin/dialog",
+              "bin/diff",
+              "bin/dig",
+              "bin/dmesg",
+              "bin/dmidecode",
+              "bin/dmsetup",
+              "bin/dnf",
+              "bin/docker",
+              "bin/dosbox",
+              "bin/dpkg",
               "bin/du",
+              "bin/dvips",
+              "bin/easy_install",
+              "bin/eb",
               "bin/echo",
+              "bin/ed",
+              "bin/efax",
+              "bin/emacs",
+              "bin/env",
+              "bin/eqn",
+              "bin/es",
+              "bin/esh",
+              "bin/etc/group",
+              "bin/etc/master.passwd",
+              "bin/etc/passwd",
+              "bin/etc/pwd.db",
+              "bin/etc/shadow",
+              "bin/etc/shells",
+              "bin/etc/spwd.db",
+              "bin/ex",
+              "bin/exiftool",
+              "bin/expand",
+              "bin/expect",
+              "bin/expr",
+              "bin/facter",
+              "bin/fetch",
+              "bin/file",
+              "bin/find",
+              "bin/finger",
+              "bin/fish",
+              "bin/flock",
+              "bin/fmt",
+              "bin/fold",
+              "bin/fping",
+              "bin/ftp",
+              "bin/gawk",
+              "bin/gcc",
+              "bin/gcore",
+              "bin/gdb",
+              "bin/gem",
+              "bin/genie",
+              "bin/genisoimage",
+              "bin/ghc",
+              "bin/ghci",
+              "bin/gimp",
+              "bin/ginsh",
+              "bin/git",
+              "bin/grc",
               "bin/grep",
+              "bin/gtester",
+              "bin/gunzip",
+              "bin/gzexe",
+              "bin/gzip",
+              "bin/hd",
+              "bin/head",
+              "bin/hexdump",
+              "bin/highlight",
+              "bin/hping3",
+              "bin/iconv",
+              "bin/id",
+              "bin/iftop",
+              "bin/install",
+              "bin/ionice",
+              "bin/ip",
+              "bin/irb",
+              "bin/ispell",
+              "bin/jjs",
+              "bin/join",
+              "bin/journalctl",
+              "bin/jq",
+              "bin/jrunscript",
+              "bin/knife",
+              "bin/ksh",
+              "bin/ksshell",
+              "bin/latex",
+              "bin/ld",
+              "bin/ldconfig",
               "bin/less",
+              "bin/lftp",
+              "bin/ln",
+              "bin/loginctl",
+              "bin/logsave",
+              "bin/look",
+              "bin/lp",
               "bin/ls",
+              "bin/ltrace",
+              "bin/lua",
+              "bin/lualatex",
+              "bin/luatex",
+              "bin/lwp-download",
+              "bin/lwp-request",
+              "bin/lz",
+              "bin/lz4",
+              "bin/lz4c",
+              "bin/lz4cat",
+              "bin/lzcat",
+              "bin/lzcmp",
+              "bin/lzdiff",
+              "bin/lzegrep",
+              "bin/lzfgrep",
+              "bin/lzgrep",
+              "bin/lzless",
+              "bin/lzma",
+              "bin/lzmadec",
+              "bin/lzmainfo",
+              "bin/lzmore",
+              "bin/mail",
+              "bin/make",
+              "bin/man",
+              "bin/mawk",
+              "bin/mkfifo",
               "bin/mknod",
               "bin/more",
+              "bin/mosquitto",
+              "bin/mount",
+              "bin/msgattrib",
+              "bin/msgcat",
+              "bin/msgconv",
+              "bin/msgfilter",
+              "bin/msgmerge",
+              "bin/msguniq",
+              "bin/mtr",
+              "bin/mv",
+              "bin/mysql",
+              "bin/nano",
+              "bin/nasm",
+              "bin/nawk",
               "bin/nc",
+              "bin/ncat",
+              "bin/neofetch",
+              "bin/nice",
+              "bin/nl",
+              "bin/nm",
+              "bin/nmap",
+              "bin/node",
+              "bin/nohup",
+              "bin/npm",
+              "bin/nroff",
+              "bin/nsenter",
+              "bin/octave",
+              "bin/od",
+              "bin/openssl",
+              "bin/openvpn",
+              "bin/openvt",
+              "bin/opkg",
+              "bin/paste",
+              "bin/pax",
+              "bin/pdb",
+              "bin/pdflatex",
+              "bin/pdftex",
+              "bin/pdksh",
+              "bin/perf",
+              "bin/perl",
+              "bin/pg",
+              "bin/php",
+              "bin/php-cgi",
+              "bin/php5",
+              "bin/php7",
+              "bin/pic",
+              "bin/pico",
+              "bin/pidstat",
+              "bin/pigz",
+              "bin/pip",
+              "bin/pkexec",
+              "bin/pkg",
+              "bin/pr",
+              "bin/printf",
+              "bin/proc/self/",
+              "bin/pry",
               "bin/ps",
+              "bin/psed",
+              "bin/psftp",
+              "bin/psql",
+              "bin/ptx",
+              "bin/puppet",
+              "bin/pxz",
+              "bin/python",
+              "bin/python2",
+              "bin/python3",
+              "bin/rake",
               "bin/rbash",
+              "bin/rc",
+              "bin/readelf",
+              "bin/red",
+              "bin/redcarpet",
+              "bin/restic",
+              "bin/rev",
+              "bin/rlogin",
+              "bin/rlwrap",
+              "bin/rpm",
+              "bin/rpmquery",
+              "bin/rsync",
+              "bin/ruby",
+              "bin/run-mailcap",
+              "bin/run-parts",
+              "bin/rview",
+              "bin/rvim",
+              "bin/sash",
+              "bin/sbin/capsh",
+              "bin/sbin/logsave",
+              "bin/sbin/service",
+              "bin/sbin/start-stop-daemon",
+              "bin/scp",
+              "bin/screen",
+              "bin/script",
+              "bin/sed",
+              "bin/service",
+              "bin/setarch",
+              "bin/sftp",
+              "bin/sg",
               "bin/sh",
+              "bin/shuf",
               "bin/sleep",
+              "bin/slsh",
+              "bin/smbclient",
+              "bin/snap",
+              "bin/socat",
+              "bin/soelim",
+              "bin/sort",
+              "bin/split",
+              "bin/sqlite3",
+              "bin/ss",
+              "bin/ssh",
+              "bin/ssh-keygen",
+              "bin/ssh-keyscan",
+              "bin/sshpass",
+              "bin/start-stop-daemon",
+              "bin/stdbuf",
+              "bin/strace",
+              "bin/strings",
               "bin/su",
+              "bin/sysctl",
+              "bin/systemctl",
+              "bin/systemd-resolve",
+              "bin/tac",
+              "bin/tail",
+              "bin/tar",
+              "bin/task",
+              "bin/taskset",
+              "bin/tbl",
+              "bin/tclsh",
+              "bin/tcpdump",
               "bin/tcsh",
+              "bin/tee",
+              "bin/telnet",
+              "bin/tex",
+              "bin/tftp",
+              "bin/tic",
+              "bin/time",
+              "bin/timedatectl",
+              "bin/timeout",
+              "bin/tmux",
+              "bin/top",
+              "bin/troff",
+              "bin/tshark",
+              "bin/ul",
               "bin/uname",
-              "dev/fd/",
-              "dev/null",
-              "dev/stderr",
-              "dev/stdin",
-              "dev/stdout",
-              "dev/tcp/",
-              "dev/udp/",
-              "dev/zero",
-              "etc/group",
-              "etc/master.passwd",
-              "etc/passwd",
-              "etc/pwd.db",
-              "etc/shadow",
-              "etc/shells",
-              "etc/spwd.db",
-              "proc/self/",
-              "usr/bin/awk",
-              "usr/bin/base64",
-              "usr/bin/cat",
-              "usr/bin/cc",
-              "usr/bin/clang",
-              "usr/bin/clang++",
-              "usr/bin/curl",
-              "usr/bin/diff",
-              "usr/bin/env",
-              "usr/bin/fetch",
-              "usr/bin/file",
-              "usr/bin/find",
-              "usr/bin/ftp",
-              "usr/bin/gawk",
-              "usr/bin/gcc",
-              "usr/bin/head",
-              "usr/bin/hexdump",
-              "usr/bin/id",
-              "usr/bin/less",
-              "usr/bin/ln",
-              "usr/bin/mkfifo",
-              "usr/bin/more",
-              "usr/bin/nc",
-              "usr/bin/ncat",
-              "usr/bin/nice",
-              "usr/bin/nmap",
-              "usr/bin/perl",
-              "usr/bin/php",
-              "usr/bin/php5",
-              "usr/bin/php7",
-              "usr/bin/php-cgi",
-              "usr/bin/printf",
-              "usr/bin/psed",
-              "usr/bin/python",
-              "usr/bin/python2",
-              "usr/bin/python3",
-              "usr/bin/ruby",
-              "usr/bin/sed",
-              "usr/bin/socat",
-              "usr/bin/tail",
-              "usr/bin/tee",
-              "usr/bin/telnet",
-              "usr/bin/top",
-              "usr/bin/uname",
-              "usr/bin/wget",
-              "usr/bin/who",
-              "usr/bin/whoami",
-              "usr/bin/xargs",
-              "usr/bin/xxd",
-              "usr/bin/yes",
-              "usr/local/bin/bash",
-              "usr/local/bin/curl",
-              "usr/local/bin/ncat",
-              "usr/local/bin/nmap",
-              "usr/local/bin/perl",
-              "usr/local/bin/php",
-              "usr/local/bin/python",
-              "usr/local/bin/python2",
-              "usr/local/bin/python3",
-              "usr/local/bin/rbash",
-              "usr/local/bin/ruby",
-              "usr/local/bin/wget"
+              "bin/uncompress",
+              "bin/unexpand",
+              "bin/uniq",
+              "bin/unlz4",
+              "bin/unlzma",
+              "bin/unpigz",
+              "bin/unrar",
+              "bin/unshare",
+              "bin/unxz",
+              "bin/unzip",
+              "bin/unzstd",
+              "bin/update-alternatives",
+              "bin/uudecode",
+              "bin/uuencode",
+              "bin/valgrind",
+              "bin/vi",
+              "bin/view",
+              "bin/vigr",
+              "bin/vim",
+              "bin/vimdiff",
+              "bin/vipw",
+              "bin/virsh",
+              "bin/volatility",
+              "bin/wall",
+              "bin/watch",
+              "bin/wc",
+              "bin/wget",
+              "bin/whiptail",
+              "bin/who",
+              "bin/whoami",
+              "bin/whois",
+              "bin/wireshark",
+              "bin/wish",
+              "bin/xargs",
+              "bin/xelatex",
+              "bin/xetex",
+              "bin/xmodmap",
+              "bin/xmore",
+              "bin/xpad",
+              "bin/xxd",
+              "bin/xz",
+              "bin/xzcat",
+              "bin/xzcmp",
+              "bin/xzdec",
+              "bin/xzdiff",
+              "bin/xzegrep",
+              "bin/xzfgrep",
+              "bin/xzgrep",
+              "bin/xzless",
+              "bin/xzmore",
+              "bin/yarn",
+              "bin/yelp",
+              "bin/yes",
+              "bin/yum",
+              "bin/zathura",
+              "bin/zip",
+              "bin/zipcloak",
+              "bin/zipcmp",
+              "bin/zipdetails",
+              "bin/zipgrep",
+              "bin/zipinfo",
+              "bin/zipmerge",
+              "bin/zipnote",
+              "bin/zipsplit",
+              "bin/ziptool",
+              "bin/zsh",
+              "bin/zsoelim",
+              "bin/zstd",
+              "bin/zstdcat",
+              "bin/zstdgrep",
+              "bin/zstdless",
+              "bin/zstdmt",
+              "bin/zypper"
             ]
           },
           "operator": "phrase_match"
@@ -1791,14 +2490,6 @@
             ],
             "list": [
               "$globals",
-              "$http_cookie_vars",
-              "$http_env_vars",
-              "$http_get_vars",
-              "$http_post_files",
-              "$http_post_vars",
-              "$http_raw_post_data",
-              "$http_request_vars",
-              "$http_server_vars",
               "$_cookie",
               "$_env",
               "$_files",
@@ -1808,7 +2499,17 @@
               "$_server",
               "$_session",
               "$argc",
-              "$argv"
+              "$argv",
+              "$http_\\u200bresponse_\\u200bheader",
+              "$php_\\u200berrormsg",
+              "$http_cookie_vars",
+              "$http_env_vars",
+              "$http_get_vars",
+              "$http_post_files",
+              "$http_post_vars",
+              "$http_raw_post_data",
+              "$http_request_vars",
+              "$http_server_vars"
             ]
           },
           "operator": "phrase_match"
@@ -1993,8 +2694,9 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
+            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
             "options": {
+              "case_sensitive": true,
               "min_length": 5
             }
           },
@@ -2067,7 +2769,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://",
+            "regex": "(?:(?:bzip|ssh)2|z(?:lib|ip)|(?:ph|r)ar|expect|glob|ogg)://",
             "options": {
               "case_sensitive": true,
               "min_length": 6
@@ -2082,7 +2784,7 @@
     },
     {
       "id": "crs-934-100",
-      "name": "Node.js Injection Attack",
+      "name": "Node.js Injection Attack 1/2",
       "tags": {
         "type": "js_code_injection",
         "crs_id": "934100",
@@ -2105,7 +2807,43 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)",
+            "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 3
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "crs-934-101",
+      "name": "Node.js Injection Attack 2/2",
+      "tags": {
+        "type": "js_code_injection",
+        "crs_id": "934101",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "\\b(?:w(?:atch|rite)|(?:spaw|ope)n|exists|close|fork|read)\\s*\\(",
             "options": {
               "case_sensitive": true,
               "min_length": 5
@@ -2117,11 +2855,11 @@
       "transformers": []
     },
     {
-      "id": "crs-941-100",
-      "name": "XSS Attack Detected via libinjection",
+      "id": "crs-941-110",
+      "name": "XSS Filter - Category 1: Script Tag Vector",
       "tags": {
         "type": "xss",
-        "crs_id": "941100",
+        "crs_id": "941110",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2152,9 +2890,13 @@
               {
                 "address": "grpc.server.request.message"
               }
-            ]
+            ],
+            "regex": "<script[^>]*>[\\s\\S]*?",
+            "options": {
+              "min_length": 8
+            }
           },
-          "operator": "is_xss"
+          "operator": "match_regex"
         }
       ],
       "transformers": [
@@ -2162,11 +2904,11 @@
       ]
     },
     {
-      "id": "crs-941-110",
-      "name": "XSS Filter - Category 1: Script Tag Vector",
+      "id": "crs-941-120",
+      "name": "XSS Filter - Category 2: Event Handler Vector",
       "tags": {
         "type": "xss",
-        "crs_id": "941110",
+        "crs_id": "941120",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2198,7 +2940,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "<script[^>]*>[\\s\\S]*?",
+            "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
             "options": {
               "min_length": 8
             }
@@ -2211,11 +2953,11 @@
       ]
     },
     {
-      "id": "crs-941-120",
-      "name": "XSS Filter - Category 2: Event Handler Vector",
+      "id": "crs-941-140",
+      "name": "XSS Filter - Category 4: Javascript URI Vector",
       "tags": {
         "type": "xss",
-        "crs_id": "941120",
+        "crs_id": "941140",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2247,9 +2989,9 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
+            "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript",
             "options": {
-              "min_length": 8
+              "min_length": 18
             }
           },
           "operator": "match_regex"
@@ -2260,11 +3002,11 @@
       ]
     },
     {
-      "id": "crs-941-140",
-      "name": "XSS Filter - Category 4: Javascript URI Vector",
+      "id": "crs-941-170",
+      "name": "NoScript XSS InjectionChecker: Attribute Injection",
       "tags": {
         "type": "xss",
-        "crs_id": "941140",
+        "crs_id": "941170",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2291,14 +3033,11 @@
               },
               {
                 "address": "server.request.path_params"
-              },
-              {
-                "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript",
+            "regex": "(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d)))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
             "options": {
-              "min_length": 18
+              "min_length": 6
             }
           },
           "operator": "match_regex"
@@ -2414,7 +3153,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
+            "regex": "(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|\\n|\\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)",
             "options": {
               "case_sensitive": true,
               "min_length": 12
@@ -2762,11 +3501,11 @@
       "transformers": []
     },
     {
-      "id": "crs-942-100",
-      "name": "SQL Injection Attack Detected via libinjection",
+      "id": "crs-941-390",
+      "name": "Javascript method detected",
       "tags": {
-        "type": "sql_injection",
-        "crs_id": "942100",
+        "type": "xss",
+        "crs_id": "941390",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2785,21 +3524,24 @@
               {
                 "address": "grpc.server.request.message"
               }
-            ]
+            ],
+            "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 5
+            }
           },
-          "operator": "is_sqli"
+          "operator": "match_regex"
         }
       ],
-      "transformers": [
-        "removeNulls"
-      ]
+      "transformers": []
     },
     {
-      "id": "crs-942-160",
-      "name": "Detects blind sqli tests using sleep() or benchmark()",
+      "id": "crs-942-100",
+      "name": "SQL Injection Attack Detected via libinjection",
       "tags": {
         "type": "sql_injection",
-        "crs_id": "942160",
+        "crs_id": "942100",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2818,24 +3560,21 @@
               {
                 "address": "grpc.server.request.message"
               }
-            ],
-            "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
-            "options": {
-              "case_sensitive": true,
-              "min_length": 7
-            }
+            ]
           },
-          "operator": "match_regex"
+          "operator": "is_sqli"
         }
       ],
-      "transformers": []
+      "transformers": [
+        "removeNulls"
+      ]
     },
     {
-      "id": "crs-942-190",
-      "name": "Detects MSSQL code execution and information gathering attempts",
+      "id": "crs-942-160",
+      "name": "Detects blind sqli tests using sleep() or benchmark()",
       "tags": {
         "type": "sql_injection",
-        "crs_id": "942190",
+        "crs_id": "942160",
         "category": "attack_attempt"
       },
       "conditions": [
@@ -2855,9 +3594,10 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()",
+            "regex": "(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))",
             "options": {
-              "min_length": 3
+              "case_sensitive": true,
+              "min_length": 7
             }
           },
           "operator": "match_regex"
@@ -3031,10 +3771,10 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
+            "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)",
             "options": {
               "case_sensitive": true,
-              "min_length": 5
+              "min_length": 3
             }
           },
           "operator": "match_regex"
@@ -3069,7 +3809,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
+            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
             "options": {
               "min_length": 5
             }
@@ -3338,6 +4078,45 @@
         "lowercase"
       ]
     },
+    {
+      "id": "crs-944-260",
+      "name": "Remote Command Execution: Malicious class-loading payload",
+      "tags": {
+        "type": "java_code_injection",
+        "crs_id": "944260",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 58
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "dog-000-001",
       "name": "Look for Cassandra injections",
@@ -3383,6 +4162,9 @@
           "operator": "match_regex",
           "parameters": {
             "inputs": [
+              {
+                "address": "server.request.uri.raw"
+              },
               {
                 "address": "server.request.query"
               },
@@ -3396,7 +4178,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
+            "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}",
             "options": {
               "case_sensitive": true
             }
@@ -3469,6 +4251,140 @@
         "keys_only"
       ]
     },
+    {
+      "id": "dog-000-005",
+      "name": "Node.js: Prototype pollution through __proto__",
+      "tags": {
+        "type": "js_code_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              }
+            ],
+            "regex": "^__proto__$"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [
+        "keys_only"
+      ]
+    },
+    {
+      "id": "dog-000-006",
+      "name": "Node.js: Prototype pollution through constructor.prototype",
+      "tags": {
+        "type": "js_code_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              }
+            ],
+            "regex": "^constructor$"
+          },
+          "operator": "match_regex"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              }
+            ],
+            "regex": "^prototype$"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [
+        "keys_only"
+      ]
+    },
+    {
+      "id": "dog-000-007",
+      "name": "Server side template injection: Velocity & Freemarker",
+      "tags": {
+        "type": "java_code_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "#(?:set|foreach|macro|parse|if)\\(.*\\)|<#assign.*>"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "dog-931-001",
+      "name": "RFI: URL Payload to well known RFI target",
+      "tags": {
+        "type": "rfi",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              }
+            ],
+            "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 17
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "nfd-000-001",
       "name": "Detect common directory discovery scans",
@@ -4277,7 +5193,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"
+            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/.*|)$"
           },
           "operator": "match_regex"
         }
@@ -4346,7 +5262,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"
+            "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
           },
           "operator": "match_regex"
         }
@@ -5534,6 +6450,40 @@
       ],
       "transformers": []
     },
+    {
+      "id": "ua0-600-56x",
+      "name": "Datadog test scanner - blocking version: user-agent",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              },
+              {
+                "address": "grpc.server.request.metadata",
+                "key_path": [
+                  "dd-canary"
+                ]
+              }
+            ],
+            "regex": "^dd-test-scanner-log-block$"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "block"
+      ]
+    },
     {
       "id": "ua0-600-5xx",
       "name": "Blind SQL Injection Brute Forcer",