dd-trace 2.0.0-beta.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/MIGRATING.md +65 -0
- package/NOTICE +4 -0
- package/package.json +1 -1
- package/packages/datadog-instrumentations/src/dns.js +2 -2
- package/packages/datadog-instrumentations/src/helpers/instrument.js +24 -25
- package/packages/datadog-instrumentations/src/memcached.js +3 -5
- package/packages/datadog-instrumentations/src/mysql.js +5 -7
- package/packages/datadog-plugin-pino/src/index.js +25 -1
- package/packages/dd-trace/lib/version.js +1 -1
- package/packages/dd-trace/src/appsec/index.js +13 -16
- package/packages/dd-trace/src/appsec/recommended.json +1 -1
- package/packages/dd-trace/src/appsec/reporter.js +15 -3
- package/packages/dd-trace/src/config.js +7 -1
package/MIGRATING.md
ADDED
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
# Migrating
|
|
2
|
+
|
|
3
|
+
This guide describes the steps to upgrade dd-trace from a major version to the
|
|
4
|
+
next. If you are having any issues related to migrating, please feel free to
|
|
5
|
+
open an issue or contact our [support](https://www.datadoghq.com/support/) team.
|
|
6
|
+
|
|
7
|
+
## 1.0 to 2.0
|
|
8
|
+
|
|
9
|
+
### Configuration
|
|
10
|
+
|
|
11
|
+
The following configuraton options are no longer available programmatically and
|
|
12
|
+
must be configured using these environment variables:
|
|
13
|
+
|
|
14
|
+
* `enabled` -> `DD_TRACE_ENABLED=true|false`
|
|
15
|
+
* `debug` -> `DD_TRACE_DEBUG=true|false`
|
|
16
|
+
|
|
17
|
+
If environment variables were already used for these options, no action is
|
|
18
|
+
needed.
|
|
19
|
+
|
|
20
|
+
The following configuration options were completely removed and will no longer
|
|
21
|
+
have any effect:
|
|
22
|
+
|
|
23
|
+
* `scope`
|
|
24
|
+
|
|
25
|
+
Startup logs are now disabled by default and can be enabled if needed with
|
|
26
|
+
`DD_TRACE_STARTUP_LOGS=true`.
|
|
27
|
+
|
|
28
|
+
### Removed APIs
|
|
29
|
+
|
|
30
|
+
The original scope manager has been replaced several years ago and has now been
|
|
31
|
+
removed. Any code referencing `tracer.scopeManager()` should be removed or
|
|
32
|
+
replaced with `tracer.scope()` which is documented
|
|
33
|
+
[here](https://datadoghq.dev/dd-trace-js/#scope-manager).
|
|
34
|
+
|
|
35
|
+
### Nested objects as tags
|
|
36
|
+
|
|
37
|
+
Support for nested objects as tags as been removed. When adding an object as a
|
|
38
|
+
tag value, only properties that exist on that object directly will be added as
|
|
39
|
+
tags. If nested properties are also needed, these should be added by hand.
|
|
40
|
+
|
|
41
|
+
For example:
|
|
42
|
+
|
|
43
|
+
```js
|
|
44
|
+
const obj = {
|
|
45
|
+
a: 'foo',
|
|
46
|
+
b: {
|
|
47
|
+
c: 'bar'
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
// 1.0
|
|
52
|
+
span.setTag('test', obj) // add test.a and test.b.c
|
|
53
|
+
|
|
54
|
+
// 2.0
|
|
55
|
+
span.setTag('test', obj) // add test.a
|
|
56
|
+
span.setTag('test.b', obj.b) // add test.b.c
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
Arrays are no longer supported and must be converted to string manually.
|
|
60
|
+
|
|
61
|
+
### Outgoing request filtering
|
|
62
|
+
|
|
63
|
+
Outgoing request filtering is no longer supported and is now only available for
|
|
64
|
+
incoming requests. This means that the `blocklist` and `allowlist` options on
|
|
65
|
+
the `http` integration no longer have any effect.
|
package/NOTICE
ADDED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
|
-
const { channel, addHook,
|
|
3
|
+
const { channel, addHook, AsyncResource } = require('./helpers/instrument')
|
|
4
4
|
const shimmer = require('../../datadog-shimmer')
|
|
5
5
|
|
|
6
6
|
const rrtypes = {
|
|
@@ -53,7 +53,7 @@ function wrap (prefix, fn, expectedArgs, rrtype) {
|
|
|
53
53
|
const errorCh = channel(prefix + ':error')
|
|
54
54
|
|
|
55
55
|
const wrapped = function () {
|
|
56
|
-
const cb = bind(arguments[arguments.length - 1])
|
|
56
|
+
const cb = AsyncResource.bind(arguments[arguments.length - 1])
|
|
57
57
|
if (
|
|
58
58
|
!startCh.hasSubscribers ||
|
|
59
59
|
arguments.length < expectedArgs ||
|
|
@@ -90,32 +90,31 @@ function getBasedir (id) {
|
|
|
90
90
|
}
|
|
91
91
|
|
|
92
92
|
if (semver.satisfies(process.versions.node, '>=16.0.0')) {
|
|
93
|
-
exports.
|
|
94
|
-
exports.bindAsyncResource = AsyncResource.prototype.bind
|
|
93
|
+
exports.AsyncResource = AsyncResource
|
|
95
94
|
} else {
|
|
96
|
-
exports.
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
configurable: true,
|
|
102
|
-
enumerable: false,
|
|
103
|
-
value: fn.length,
|
|
104
|
-
writable: false
|
|
105
|
-
},
|
|
106
|
-
'asyncResource': {
|
|
107
|
-
configurable: true,
|
|
108
|
-
enumerable: true,
|
|
109
|
-
value: this,
|
|
110
|
-
writable: true
|
|
111
|
-
}
|
|
112
|
-
})
|
|
113
|
-
return ret
|
|
114
|
-
}
|
|
95
|
+
exports.AsyncResource = class extends AsyncResource {
|
|
96
|
+
static bind (fn, type, thisArg) {
|
|
97
|
+
type = type || fn.name
|
|
98
|
+
return (new exports.AsyncResource(type || 'bound-anonymous-fn')).bind(fn, thisArg)
|
|
99
|
+
}
|
|
115
100
|
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
101
|
+
bind (fn, thisArg = this) {
|
|
102
|
+
const ret = this.runInAsyncScope.bind(this, fn, thisArg)
|
|
103
|
+
Object.defineProperties(ret, {
|
|
104
|
+
'length': {
|
|
105
|
+
configurable: true,
|
|
106
|
+
enumerable: false,
|
|
107
|
+
value: fn.length,
|
|
108
|
+
writable: false
|
|
109
|
+
},
|
|
110
|
+
'asyncResource': {
|
|
111
|
+
configurable: true,
|
|
112
|
+
enumerable: true,
|
|
113
|
+
value: this,
|
|
114
|
+
writable: true
|
|
115
|
+
}
|
|
116
|
+
})
|
|
117
|
+
return ret
|
|
118
|
+
}
|
|
120
119
|
}
|
|
121
120
|
}
|
|
@@ -1,11 +1,9 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
|
-
const { AsyncResource } = require('async_hooks')
|
|
4
3
|
const {
|
|
5
4
|
channel,
|
|
6
5
|
addHook,
|
|
7
|
-
|
|
8
|
-
bindAsyncResource
|
|
6
|
+
AsyncResource
|
|
9
7
|
} = require('./helpers/instrument')
|
|
10
8
|
const shimmer = require('../../datadog-shimmer')
|
|
11
9
|
|
|
@@ -27,9 +25,9 @@ addHook({ name: 'memcached', versions: ['>=2.2'] }, Memcached => {
|
|
|
27
25
|
|
|
28
26
|
const wrappedQueryCompiler = function () {
|
|
29
27
|
const query = queryCompiler.apply(this, arguments)
|
|
30
|
-
const callback =
|
|
28
|
+
const callback = asyncResource.bind(query.callback)
|
|
31
29
|
|
|
32
|
-
query.callback = bind(function (err) {
|
|
30
|
+
query.callback = AsyncResource.bind(function (err) {
|
|
33
31
|
if (err) {
|
|
34
32
|
errorCh.publish(err)
|
|
35
33
|
}
|
|
@@ -1,11 +1,9 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
|
-
const { AsyncResource } = require('async_hooks')
|
|
4
3
|
const {
|
|
5
4
|
channel,
|
|
6
5
|
addHook,
|
|
7
|
-
|
|
8
|
-
bindAsyncResource
|
|
6
|
+
AsyncResource
|
|
9
7
|
} = require('./helpers/instrument')
|
|
10
8
|
const shimmer = require('../../datadog-shimmer')
|
|
11
9
|
|
|
@@ -30,8 +28,8 @@ addHook({ name: 'mysql', file: 'lib/Connection.js', versions: ['>=2'] }, Connect
|
|
|
30
28
|
const res = query.apply(this, arguments)
|
|
31
29
|
|
|
32
30
|
if (res._callback) {
|
|
33
|
-
const cb =
|
|
34
|
-
res._callback = bind(function (error, result) {
|
|
31
|
+
const cb = asyncResource.bind(res._callback)
|
|
32
|
+
res._callback = AsyncResource.bind(function (error, result) {
|
|
35
33
|
if (error) {
|
|
36
34
|
errorCh.publish(error)
|
|
37
35
|
}
|
|
@@ -40,7 +38,7 @@ addHook({ name: 'mysql', file: 'lib/Connection.js', versions: ['>=2'] }, Connect
|
|
|
40
38
|
return cb.apply(this, arguments)
|
|
41
39
|
})
|
|
42
40
|
} else {
|
|
43
|
-
const cb = bind(function () {
|
|
41
|
+
const cb = AsyncResource.bind(function () {
|
|
44
42
|
asyncEndCh.publish(undefined)
|
|
45
43
|
})
|
|
46
44
|
res.on('end', cb)
|
|
@@ -62,7 +60,7 @@ addHook({ name: 'mysql', file: 'lib/Connection.js', versions: ['>=2'] }, Connect
|
|
|
62
60
|
|
|
63
61
|
addHook({ name: 'mysql', file: 'lib/Pool.js', versions: ['>=2'] }, Pool => {
|
|
64
62
|
shimmer.wrap(Pool.prototype, 'getConnection', getConnection => function (cb) {
|
|
65
|
-
arguments[0] = bind(cb)
|
|
63
|
+
arguments[0] = AsyncResource.bind(cb)
|
|
66
64
|
return getConnection.apply(this, arguments)
|
|
67
65
|
})
|
|
68
66
|
return Pool
|
|
@@ -100,7 +100,7 @@ module.exports = [
|
|
|
100
100
|
},
|
|
101
101
|
{
|
|
102
102
|
name: 'pino',
|
|
103
|
-
versions: ['>=5.14.0'],
|
|
103
|
+
versions: ['>=5.14.0 <6.8.0'],
|
|
104
104
|
patch (pino, tracer, config) {
|
|
105
105
|
if (!tracer._logInjection) return
|
|
106
106
|
|
|
@@ -112,6 +112,30 @@ module.exports = [
|
|
|
112
112
|
return this.unwrapExport(pino)
|
|
113
113
|
}
|
|
114
114
|
},
|
|
115
|
+
{
|
|
116
|
+
name: 'pino',
|
|
117
|
+
versions: ['>=6.8.0'],
|
|
118
|
+
patch (pino, tracer, config) {
|
|
119
|
+
if (!tracer._logInjection) return
|
|
120
|
+
|
|
121
|
+
const mixinSym = pino.symbols.mixinSym
|
|
122
|
+
|
|
123
|
+
const wrapped = this.wrapExport(pino, createWrapPino(tracer, config, mixinSym, createWrapMixin)(pino))
|
|
124
|
+
|
|
125
|
+
wrapped.pino = wrapped
|
|
126
|
+
wrapped.default = wrapped
|
|
127
|
+
|
|
128
|
+
return wrapped
|
|
129
|
+
},
|
|
130
|
+
unpatch (pino) {
|
|
131
|
+
const unwrapped = this.unwrapExport(pino)
|
|
132
|
+
|
|
133
|
+
unwrapped.pino = unwrapped
|
|
134
|
+
unwrapped.default = unwrapped
|
|
135
|
+
|
|
136
|
+
return unwrapped
|
|
137
|
+
}
|
|
138
|
+
},
|
|
115
139
|
{
|
|
116
140
|
name: 'pino-pretty',
|
|
117
141
|
versions: ['>=3'], // will only work starting from pino@5.0.0 as previous versions are not using pino-pretty
|
|
@@ -1 +1 @@
|
|
|
1
|
-
module.exports = '2.0.0
|
|
1
|
+
module.exports = '2.0.0'
|
|
@@ -25,6 +25,8 @@ function enable (config) {
|
|
|
25
25
|
return
|
|
26
26
|
}
|
|
27
27
|
|
|
28
|
+
Reporter.setRateLimit(config.appsec.rateLimit)
|
|
29
|
+
|
|
28
30
|
incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
|
|
29
31
|
incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
|
|
30
32
|
|
|
@@ -49,19 +51,6 @@ function incomingHttpStartTranslator (data) {
|
|
|
49
51
|
|
|
50
52
|
store.set('req', data.req)
|
|
51
53
|
store.set('res', data.res)
|
|
52
|
-
|
|
53
|
-
const headers = Object.assign({}, data.req.headers)
|
|
54
|
-
delete headers.cookie
|
|
55
|
-
|
|
56
|
-
const context = store.get('context')
|
|
57
|
-
|
|
58
|
-
Gateway.propagate({
|
|
59
|
-
[addresses.HTTP_INCOMING_URL]: data.req.url,
|
|
60
|
-
[addresses.HTTP_INCOMING_HEADERS]: headers,
|
|
61
|
-
[addresses.HTTP_INCOMING_METHOD]: data.req.method,
|
|
62
|
-
[addresses.HTTP_INCOMING_REMOTE_IP]: data.req.socket.remoteAddress,
|
|
63
|
-
[addresses.HTTP_INCOMING_REMOTE_PORT]: data.req.socket.remotePort
|
|
64
|
-
}, context)
|
|
65
54
|
}
|
|
66
55
|
|
|
67
56
|
function incomingHttpEndTranslator (data) {
|
|
@@ -69,13 +58,21 @@ function incomingHttpEndTranslator (data) {
|
|
|
69
58
|
|
|
70
59
|
if (!context) return
|
|
71
60
|
|
|
61
|
+
const requestHeaders = Object.assign({}, data.req.headers)
|
|
62
|
+
delete requestHeaders.cookie
|
|
63
|
+
|
|
72
64
|
// TODO: this doesn't support headers sent with res.writeHead()
|
|
73
|
-
const
|
|
74
|
-
delete
|
|
65
|
+
const responseHeaders = Object.assign({}, data.res.getHeaders())
|
|
66
|
+
delete responseHeaders['set-cookie']
|
|
75
67
|
|
|
76
68
|
const payload = {
|
|
69
|
+
[addresses.HTTP_INCOMING_URL]: data.req.url,
|
|
70
|
+
[addresses.HTTP_INCOMING_HEADERS]: requestHeaders,
|
|
71
|
+
[addresses.HTTP_INCOMING_METHOD]: data.req.method,
|
|
72
|
+
[addresses.HTTP_INCOMING_REMOTE_IP]: data.req.socket.remoteAddress,
|
|
73
|
+
[addresses.HTTP_INCOMING_REMOTE_PORT]: data.req.socket.remotePort,
|
|
77
74
|
[addresses.HTTP_INCOMING_RESPONSE_CODE]: data.res.statusCode,
|
|
78
|
-
[addresses.HTTP_INCOMING_RESPONSE_HEADERS]:
|
|
75
|
+
[addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders
|
|
79
76
|
}
|
|
80
77
|
|
|
81
78
|
// TODO: temporary express instrumentation, will use express plugin later
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":"2.1","rules":[{"id":"crs-913-110","name":"Found request header associated with Acunetix security scanner","tags":{"type":"security_scanner","crs_id":"913110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"list":["acunetix-product","(acunetix web vulnerability scanner","acunetix-scanning-agreement","acunetix-user-agreement"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-913-120","name":"Found request filename/argument associated with security scanner","tags":{"type":"security_scanner","crs_id":"913120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"list":["/.adsensepostnottherenonobook","/<invalid>hello.html","/actsensepostnottherenonotive","/acunetix-wvs-test-for-some-inexistent-file","/antidisestablishmentarianism","/appscan_fingerprint/mac_address","/arachni-","/cybercop","/nessus_is_probing_you_","/nessustest","/netsparker-","/rfiinc.txt","/thereisnowaythat-you-canbethere","/w3af/remotefileinclude.html","appscan_fingerprint","w00tw00t.at.isc.sans.dfind","w00tw00t.at.blackhats.romanian.anti-sec"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-920-260","name":"Unicode Full/Half Width Abuse Attack Attempt","tags":{"type":"http_protocol_violation","crs_id":"920260","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\%u[fF]{2}[0-9a-fA-F]{2}","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-921-110","name":"HTTP Request Smuggling Attack","tags":{"type":"http_protocol_violation","crs_id":"921110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-921-140","name":"HTTP Header Injection Attack via headers","tags":{"type":"http_protocol_violation","crs_id":"921140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"regex":"[\\n\\r]","options":{"case_sensitive":true,"min_length":1}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-921-160","name":"HTTP Header Injection Attack via payload (CR/LF and header-name detected)","tags":{"type":"http_protocol_violation","crs_id":"921160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.path_params"}],"regex":"[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:","options":{"case_sensitive":true,"min_length":3}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-930-100","name":"Obfuscated Path Traversal Attack (/../)","tags":{"type":"lfi","crs_id":"930100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.headers.no_cookies"}],"regex":"(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-930-110","name":"Simple Path Traversal Attack (/../)","tags":{"type":"lfi","crs_id":"930110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.headers.no_cookies"}],"regex":"(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))","options":{"case_sensitive":true,"min_length":3}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-930-120","name":"OS File Access Attempt","tags":{"type":"lfi","crs_id":"930120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":[".htaccess",".htdigest",".htpasswd",".addressbook",".aptitude/config",".bash_config",".bash_history",".bash_logout",".bash_profile",".bashrc",".cache/notify-osd.log",".config/odesk/odesk team.conf",".cshrc",".dockerignore",".drush/",".eslintignore",".fbcindex",".forward",".git",".gitattributes",".gitconfig",".gnupg/",".hplip/hplip.conf",".ksh_history",".lesshst",".lftp/",".lhistory",".lldb-history",".local/share/mc/",".lynx_cookies",".my.cnf",".mysql_history",".nano_history",".node_repl_history",".pearrc",".php_history",".pinerc",".pki/",".proclog",".procmailrc",".psql_history",".python_history",".rediscli_history",".rhistory",".rhosts",".sh_history",".sqlite_history",".ssh/authorized_keys",".ssh/config",".ssh/id_dsa",".ssh/id_dsa.pub",".ssh/id_rsa",".ssh/id_rsa.pub",".ssh/identity",".ssh/identity.pub",".ssh/known_hosts",".subversion/auth",".subversion/config",".subversion/servers",".tconn/tconn.conf",".tcshrc",".vidalia/vidalia.conf",".viminfo",".vimrc",".www_acl",".wwwacl",".xauthority",".zhistory",".zshrc",".zsh_history",".nsconfig","etc/redis.conf","etc/redis-sentinel.conf","etc/php.ini","bin/php.ini","etc/httpd/php.ini","usr/lib/php.ini","usr/lib/php/php.ini","usr/local/etc/php.ini","usr/local/lib/php.ini","usr/local/php/lib/php.ini","usr/local/php4/lib/php.ini","usr/local/php5/lib/php.ini","usr/local/apache/conf/php.ini","etc/php4.4/fcgi/php.ini","etc/php4/apache/php.ini","etc/php4/apache2/php.ini","etc/php5/apache/php.ini","etc/php5/apache2/php.ini","etc/php/php.ini","etc/php/php4/php.ini","etc/php/apache/php.ini","etc/php/apache2/php.ini","web/conf/php.ini","usr/local/zend/etc/php.ini","opt/xampp/etc/php.ini","var/local/www/conf/php.ini","etc/php/cgi/php.ini","etc/php4/cgi/php.ini","etc/php5/cgi/php.ini","home2/bin/stable/apache/php.ini","home/bin/stable/apache/php.ini","etc/httpd/conf.d/php.conf","php5/php.ini","php4/php.ini","php/php.ini","windows/php.ini","winnt/php.ini","apache/php/php.ini","xampp/apache/bin/php.ini","netserver/bin/stable/apache/php.ini","volumes/macintosh_hd1/usr/local/php/lib/php.ini","etc/mono/1.0/machine.config","etc/mono/2.0/machine.config","etc/mono/2.0/web.config","etc/mono/config","usr/local/cpanel/logs/stats_log","usr/local/cpanel/logs/access_log","usr/local/cpanel/logs/error_log","usr/local/cpanel/logs/license_log","usr/local/cpanel/logs/login_log","var/cpanel/cpanel.config","var/log/sw-cp-server/error_log","usr/local/psa/admin/logs/httpsd_access_log","usr/local/psa/admin/logs/panel.log","var/log/sso/sso.log","usr/local/psa/admin/conf/php.ini","etc/sw-cp-server/applications.d/plesk.conf","usr/local/psa/admin/conf/site_isolation_settings.ini","usr/local/sb/config","etc/sw-cp-server/applications.d/00-sso-cpserver.conf","etc/sso/sso_config.ini","etc/mysql/conf.d/old_passwords.cnf","var/log/mysql/mysql-bin.log","var/log/mysql/mysql-bin.index","var/log/mysql/data/mysql-bin.index","var/log/mysql.log","var/log/mysql.err","var/log/mysqlderror.log","var/log/mysql/mysql.log","var/log/mysql/mysql-slow.log","var/log/mysql-bin.index","var/log/data/mysql-bin.index","var/mysql.log","var/mysql-bin.index","var/data/mysql-bin.index","program files/mysql/mysql server 5.0/data/{host}.err","program files/mysql/mysql server 5.0/data/mysql.log","program files/mysql/mysql server 5.0/data/mysql.err","program files/mysql/mysql server 5.0/data/mysql-bin.log","program files/mysql/mysql server 5.0/data/mysql-bin.index","program files/mysql/data/{host}.err","program files/mysql/data/mysql.log","program files/mysql/data/mysql.err","program files/mysql/data/mysql-bin.log","program files/mysql/data/mysql-bin.index","mysql/data/{host}.err","mysql/data/mysql.log","mysql/data/mysql.err","mysql/data/mysql-bin.log","mysql/data/mysql-bin.index","usr/local/mysql/data/mysql.log","usr/local/mysql/data/mysql.err","usr/local/mysql/data/mysql-bin.log","usr/local/mysql/data/mysql-slow.log","usr/local/mysql/data/mysqlderror.log","usr/local/mysql/data/{host}.err","usr/local/mysql/data/mysql-bin.index","var/lib/mysql/my.cnf","etc/mysql/my.cnf","etc/my.cnf","program files/mysql/mysql server 5.0/my.ini","program files/mysql/mysql server 5.0/my.cnf","program files/mysql/my.ini","program files/mysql/my.cnf","mysql/my.ini","mysql/my.cnf","mysql/bin/my.ini","var/postgresql/log/postgresql.log","var/log/postgresql/postgresql.log","var/log/postgres/pg_backup.log","var/log/postgres/postgres.log","var/log/postgresql.log","var/log/pgsql/pgsql.log","var/log/postgresql/postgresql-8.1-main.log","var/log/postgresql/postgresql-8.3-main.log","var/log/postgresql/postgresql-8.4-main.log","var/log/postgresql/postgresql-9.0-main.log","var/log/postgresql/postgresql-9.1-main.log","var/log/pgsql8.log","var/log/postgresql/postgres.log","var/log/pgsql_log","var/log/postgresql/main.log","var/log/cron/var/log/postgres.log","usr/internet/pgsql/data/postmaster.log","usr/local/pgsql/data/postgresql.log","usr/local/pgsql/data/pg_log","postgresql/log/pgadmin.log","var/lib/pgsql/data/postgresql.conf","var/postgresql/db/postgresql.conf","var/nm2/postgresql.conf","usr/local/pgsql/data/postgresql.conf","usr/local/pgsql/data/pg_hba.conf","usr/internet/pgsql/data/pg_hba.conf","usr/local/pgsql/data/passwd","usr/local/pgsql/bin/pg_passwd","etc/postgresql/postgresql.conf","etc/postgresql/pg_hba.conf","home/postgres/data/postgresql.conf","home/postgres/data/pg_version","home/postgres/data/pg_ident.conf","home/postgres/data/pg_hba.conf","program files/postgresql/8.3/data/pg_hba.conf","program files/postgresql/8.3/data/pg_ident.conf","program files/postgresql/8.3/data/postgresql.conf","program files/postgresql/8.4/data/pg_hba.conf","program files/postgresql/8.4/data/pg_ident.conf","program files/postgresql/8.4/data/postgresql.conf","program files/postgresql/9.0/data/pg_hba.conf","program files/postgresql/9.0/data/pg_ident.conf","program files/postgresql/9.0/data/postgresql.conf","program files/postgresql/9.1/data/pg_hba.conf","program files/postgresql/9.1/data/pg_ident.conf","program files/postgresql/9.1/data/postgresql.conf","wamp/logs/access.log","wamp/logs/apache_error.log","wamp/logs/genquery.log","wamp/logs/mysql.log","wamp/logs/slowquery.log","wamp/bin/apache/apache2.2.22/logs/access.log","wamp/bin/apache/apache2.2.22/logs/error.log","wamp/bin/apache/apache2.2.21/logs/access.log","wamp/bin/apache/apache2.2.21/logs/error.log","wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index","wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index","wamp/bin/apache/apache2.2.21/conf/httpd.conf","wamp/bin/apache/apache2.2.22/conf/httpd.conf","wamp/bin/apache/apache2.2.21/wampserver.conf","wamp/bin/apache/apache2.2.22/wampserver.conf","wamp/bin/apache/apache2.2.22/conf/wampserver.conf","wamp/bin/mysql/mysql5.5.24/my.ini","wamp/bin/mysql/mysql5.5.24/wampserver.conf","wamp/bin/mysql/mysql5.5.16/my.ini","wamp/bin/mysql/mysql5.5.16/wampserver.conf","wamp/bin/php/php5.3.8/php.ini","wamp/bin/php/php5.4.3/php.ini","xampp/apache/logs/access.log","xampp/apache/logs/error.log","xampp/mysql/data/mysql-bin.index","xampp/mysql/data/mysql.err","xampp/mysql/data/{host}.err","xampp/sendmail/sendmail.log","xampp/apache/conf/httpd.conf","xampp/filezillaftp/filezilla server.xml","xampp/mercurymail/mercury.ini","xampp/php/php.ini","xampp/phpmyadmin/config.inc.php","xampp/sendmail/sendmail.ini","xampp/webalizer/webalizer.conf","opt/lampp/etc/httpd.conf","xampp/htdocs/aca.txt","xampp/htdocs/admin.php","xampp/htdocs/leer.txt","usr/local/apache/logs/audit_log","usr/local/apache2/logs/audit_log","logs/security_debug_log","logs/security_log","usr/local/apache/conf/modsec.conf","usr/local/apache2/conf/modsec.conf","winnt/system32/logfiles/msftpsvc","winnt/system32/logfiles/msftpsvc1","winnt/system32/logfiles/msftpsvc2","windows/system32/logfiles/msftpsvc","windows/system32/logfiles/msftpsvc1","windows/system32/logfiles/msftpsvc2","etc/logrotate.d/proftpd","www/logs/proftpd.system.log","var/log/proftpd","var/log/proftpd/xferlog.legacy","var/log/proftpd.access_log","var/log/proftpd.xferlog","etc/pam.d/proftpd","etc/proftp.conf","etc/protpd/proftpd.conf","etc/vhcs2/proftpd/proftpd.conf","etc/proftpd/modules.conf","var/log/vsftpd.log","etc/vsftpd.chroot_list","etc/logrotate.d/vsftpd.log","etc/vsftpd/vsftpd.conf","etc/vsftpd.conf","etc/chrootusers","var/log/xferlog","var/adm/log/xferlog","etc/wu-ftpd/ftpaccess","etc/wu-ftpd/ftphosts","etc/wu-ftpd/ftpusers","var/log/pure-ftpd/pure-ftpd.log","logs/pure-ftpd.log","var/log/pureftpd.log","usr/sbin/pure-config.pl","usr/etc/pure-ftpd.conf","etc/pure-ftpd/pure-ftpd.conf","usr/local/etc/pure-ftpd.conf","usr/local/etc/pureftpd.pdb","usr/local/pureftpd/etc/pureftpd.pdb","usr/local/pureftpd/sbin/pure-config.pl","usr/local/pureftpd/etc/pure-ftpd.conf","etc/pure-ftpd.conf","etc/pure-ftpd/pure-ftpd.pdb","etc/pureftpd.pdb","etc/pureftpd.passwd","etc/pure-ftpd/pureftpd.pdb","usr/ports/ftp/pure-ftpd/pure-ftpd.conf","usr/ports/ftp/pure-ftpd/pureftpd.pdb","usr/ports/ftp/pure-ftpd/pureftpd.passwd","usr/ports/net/pure-ftpd/pure-ftpd.conf","usr/ports/net/pure-ftpd/pureftpd.pdb","usr/ports/net/pure-ftpd/pureftpd.passwd","usr/pkgsrc/net/pureftpd/pure-ftpd.conf","usr/pkgsrc/net/pureftpd/pureftpd.pdb","usr/pkgsrc/net/pureftpd/pureftpd.passwd","usr/ports/contrib/pure-ftpd/pure-ftpd.conf","usr/ports/contrib/pure-ftpd/pureftpd.pdb","usr/ports/contrib/pure-ftpd/pureftpd.passwd","var/log/muddleftpd","usr/sbin/mudlogd","etc/muddleftpd/mudlog","etc/muddleftpd.com","etc/muddleftpd/mudlogd.conf","etc/muddleftpd/muddleftpd.conf","var/log/muddleftpd.conf","usr/sbin/mudpasswd","etc/muddleftpd/muddleftpd.passwd","etc/muddleftpd/passwd","var/log/ftp-proxy/ftp-proxy.log","var/log/ftp-proxy","var/log/ftplog","etc/logrotate.d/ftp","etc/ftpchroot","etc/ftphosts","etc/ftpusers","var/log/exim_mainlog","var/log/exim/mainlog","var/log/maillog","var/log/exim_paniclog","var/log/exim/paniclog","var/log/exim/rejectlog","var/log/exim_rejectlog","winnt/system32/logfiles/smtpsvc","winnt/system32/logfiles/smtpsvc1","winnt/system32/logfiles/smtpsvc2","winnt/system32/logfiles/smtpsvc3","winnt/system32/logfiles/smtpsvc4","winnt/system32/logfiles/smtpsvc5","windows/system32/logfiles/smtpsvc","windows/system32/logfiles/smtpsvc1","windows/system32/logfiles/smtpsvc2","windows/system32/logfiles/smtpsvc3","windows/system32/logfiles/smtpsvc4","windows/system32/logfiles/smtpsvc5","etc/osxhttpd/osxhttpd.conf","system/library/webobjects/adaptors/apache2.2/apache.conf","etc/apache2/sites-available/default","etc/apache2/sites-available/default-ssl","etc/apache2/sites-enabled/000-default","etc/apache2/sites-enabled/default","etc/apache2/apache2.conf","etc/apache2/ports.conf","usr/local/etc/apache/httpd.conf","usr/pkg/etc/httpd/httpd.conf","usr/pkg/etc/httpd/httpd-default.conf","usr/pkg/etc/httpd/httpd-vhosts.conf","etc/httpd/mod_php.conf","etc/httpd/extra/httpd-ssl.conf","etc/rc.d/rc.httpd","usr/local/apache/conf/httpd.conf.default","usr/local/apache/conf/access.conf","usr/local/apache22/conf/httpd.conf","usr/local/apache22/httpd.conf","usr/local/etc/apache22/conf/httpd.conf","usr/local/apps/apache22/conf/httpd.conf","etc/apache22/conf/httpd.conf","etc/apache22/httpd.conf","opt/apache22/conf/httpd.conf","usr/local/etc/apache2/vhosts.conf","usr/local/apache/conf/vhosts.conf","usr/local/apache2/conf/vhosts.conf","usr/local/apache/conf/vhosts-custom.conf","usr/local/apache2/conf/vhosts-custom.conf","etc/apache/default-server.conf","etc/apache2/default-server.conf","usr/local/apache2/conf/extra/httpd-ssl.conf","usr/local/apache2/conf/ssl.conf","etc/httpd/conf.d","usr/local/etc/apache22/httpd.conf","usr/local/etc/apache2/httpd.conf","etc/apache2/httpd2.conf","etc/apache2/ssl-global.conf","etc/apache2/vhosts.d/00_default_vhost.conf","apache/conf/httpd.conf","etc/apache/httpd.conf","etc/httpd/conf","http/httpd.conf","usr/local/apache1.3/conf/httpd.conf","usr/local/etc/httpd/conf","var/apache/conf/httpd.conf","var/www/conf","www/apache/conf/httpd.conf","www/conf/httpd.conf","etc/init.d","etc/apache/access.conf","etc/rc.conf","www/logs/freebsddiary-error.log","www/logs/freebsddiary-access_log","library/webserver/documents/index.html","library/webserver/documents/index.htm","library/webserver/documents/default.html","library/webserver/documents/default.htm","library/webserver/documents/index.php","library/webserver/documents/default.php","var/log/webmin/miniserv.log","usr/local/etc/webmin/miniserv.conf","etc/webmin/miniserv.conf","usr/local/etc/webmin/miniserv.users","etc/webmin/miniserv.users","winnt/system32/logfiles/w3svc/inetsvn1.log","winnt/system32/logfiles/w3svc1/inetsvn1.log","winnt/system32/logfiles/w3svc2/inetsvn1.log","winnt/system32/logfiles/w3svc3/inetsvn1.log","windows/system32/logfiles/w3svc/inetsvn1.log","windows/system32/logfiles/w3svc1/inetsvn1.log","windows/system32/logfiles/w3svc2/inetsvn1.log","windows/system32/logfiles/w3svc3/inetsvn1.log","var/log/httpd/access_log","var/log/httpd/error_log","apache/logs/error.log","apache/logs/access.log","apache2/logs/error.log","apache2/logs/access.log","logs/error.log","logs/access.log","etc/httpd/logs/access_log","etc/httpd/logs/access.log","etc/httpd/logs/error_log","etc/httpd/logs/error.log","usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","usr/local/apache/logs/error_log","usr/local/apache/logs/error.log","usr/local/apache2/logs/access_log","usr/local/apache2/logs/access.log","usr/local/apache2/logs/error_log","usr/local/apache2/logs/error.log","var/www/logs/access_log","var/www/logs/access.log","var/www/logs/error_log","var/www/logs/error.log","var/log/httpd/access.log","var/log/httpd/error.log","var/log/apache/access_log","var/log/apache/access.log","var/log/apache/error_log","var/log/apache/error.log","var/log/apache2/access_log","var/log/apache2/access.log","var/log/apache2/error_log","var/log/apache2/error.log","var/log/access_log","var/log/access.log","var/log/error_log","var/log/error.log","opt/lampp/logs/access_log","opt/lampp/logs/error_log","opt/xampp/logs/access_log","opt/xampp/logs/error_log","opt/lampp/logs/access.log","opt/lampp/logs/error.log","opt/xampp/logs/access.log","opt/xampp/logs/error.log","program files/apache group/apache/logs/access.log","program files/apache group/apache/logs/error.log","program files/apache software foundation/apache2.2/logs/error.log","program files/apache software foundation/apache2.2/logs/access.log","opt/apache/apache.conf","opt/apache/conf/apache.conf","opt/apache2/apache.conf","opt/apache2/conf/apache.conf","opt/httpd/apache.conf","opt/httpd/conf/apache.conf","etc/httpd/apache.conf","etc/apache2/apache.conf","etc/httpd/conf/apache.conf","usr/local/apache/apache.conf","usr/local/apache/conf/apache.conf","usr/local/apache2/apache.conf","usr/local/apache2/conf/apache.conf","usr/local/php/apache.conf.php","usr/local/php4/apache.conf.php","usr/local/php5/apache.conf.php","usr/local/php/apache.conf","usr/local/php4/apache.conf","usr/local/php5/apache.conf","private/etc/httpd/apache.conf","opt/apache/apache2.conf","opt/apache/conf/apache2.conf","opt/apache2/apache2.conf","opt/apache2/conf/apache2.conf","opt/httpd/apache2.conf","opt/httpd/conf/apache2.conf","etc/httpd/apache2.conf","etc/httpd/conf/apache2.conf","usr/local/apache/apache2.conf","usr/local/apache/conf/apache2.conf","usr/local/apache2/apache2.conf","usr/local/apache2/conf/apache2.conf","usr/local/php/apache2.conf.php","usr/local/php4/apache2.conf.php","usr/local/php5/apache2.conf.php","usr/local/php/apache2.conf","usr/local/php4/apache2.conf","usr/local/php5/apache2.conf","private/etc/httpd/apache2.conf","usr/local/apache/conf/httpd.conf","usr/local/apache2/conf/httpd.conf","etc/httpd/conf/httpd.conf","etc/apache/apache.conf","etc/apache/conf/httpd.conf","etc/apache2/httpd.conf","usr/apache2/conf/httpd.conf","usr/apache/conf/httpd.conf","usr/local/etc/apache/conf/httpd.conf","usr/local/apache/httpd.conf","usr/local/apache2/httpd.conf","usr/local/httpd/conf/httpd.conf","usr/local/etc/apache2/conf/httpd.conf","usr/local/etc/httpd/conf/httpd.conf","usr/local/apps/apache2/conf/httpd.conf","usr/local/apps/apache/conf/httpd.conf","usr/local/php/httpd.conf.php","usr/local/php4/httpd.conf.php","usr/local/php5/httpd.conf.php","usr/local/php/httpd.conf","usr/local/php4/httpd.conf","usr/local/php5/httpd.conf","etc/apache2/conf/httpd.conf","etc/http/conf/httpd.conf","etc/httpd/httpd.conf","etc/http/httpd.conf","etc/httpd.conf","opt/apache/conf/httpd.conf","opt/apache2/conf/httpd.conf","var/www/conf/httpd.conf","private/etc/httpd/httpd.conf","private/etc/httpd/httpd.conf.default","etc/apache2/vhosts.d/default_vhost.include","etc/apache2/conf.d/charset","etc/apache2/conf.d/security","etc/apache2/envvars","etc/apache2/mods-available/autoindex.conf","etc/apache2/mods-available/deflate.conf","etc/apache2/mods-available/dir.conf","etc/apache2/mods-available/mem_cache.conf","etc/apache2/mods-available/mime.conf","etc/apache2/mods-available/proxy.conf","etc/apache2/mods-available/setenvif.conf","etc/apache2/mods-available/ssl.conf","etc/apache2/mods-enabled/alias.conf","etc/apache2/mods-enabled/deflate.conf","etc/apache2/mods-enabled/dir.conf","etc/apache2/mods-enabled/mime.conf","etc/apache2/mods-enabled/negotiation.conf","etc/apache2/mods-enabled/php5.conf","etc/apache2/mods-enabled/status.conf","program files/apache group/apache/conf/httpd.conf","program files/apache group/apache2/conf/httpd.conf","program files/xampp/apache/conf/apache.conf","program files/xampp/apache/conf/apache2.conf","program files/xampp/apache/conf/httpd.conf","program files/apache group/apache/apache.conf","program files/apache group/apache/conf/apache.conf","program files/apache group/apache2/conf/apache.conf","program files/apache group/apache/apache2.conf","program files/apache group/apache/conf/apache2.conf","program files/apache group/apache2/conf/apache2.conf","program files/apache software foundation/apache2.2/conf/httpd.conf","volumes/macintosh_hd1/opt/httpd/conf/httpd.conf","volumes/macintosh_hd1/opt/apache/conf/httpd.conf","volumes/macintosh_hd1/opt/apache2/conf/httpd.conf","volumes/macintosh_hd1/usr/local/php/httpd.conf.php","volumes/macintosh_hd1/usr/local/php4/httpd.conf.php","volumes/macintosh_hd1/usr/local/php5/httpd.conf.php","volumes/webbackup/opt/apache2/conf/httpd.conf","volumes/webbackup/private/etc/httpd/httpd.conf","volumes/webbackup/private/etc/httpd/httpd.conf.default","usr/local/etc/apache/vhosts.conf","usr/local/jakarta/tomcat/conf/jakarta.conf","usr/local/jakarta/tomcat/conf/server.xml","usr/local/jakarta/tomcat/conf/context.xml","usr/local/jakarta/tomcat/conf/workers.properties","usr/local/jakarta/tomcat/conf/logging.properties","usr/local/jakarta/dist/tomcat/conf/jakarta.conf","usr/local/jakarta/dist/tomcat/conf/server.xml","usr/local/jakarta/dist/tomcat/conf/context.xml","usr/local/jakarta/dist/tomcat/conf/workers.properties","usr/local/jakarta/dist/tomcat/conf/logging.properties","usr/share/tomcat6/conf/server.xml","usr/share/tomcat6/conf/context.xml","usr/share/tomcat6/conf/workers.properties","usr/share/tomcat6/conf/logging.properties","var/log/tomcat6/catalina.out","var/cpanel/tomcat.options","usr/local/jakarta/tomcat/logs/catalina.out","usr/local/jakarta/tomcat/logs/catalina.err","opt/tomcat/logs/catalina.out","opt/tomcat/logs/catalina.err","usr/share/logs/catalina.out","usr/share/logs/catalina.err","usr/share/tomcat/logs/catalina.out","usr/share/tomcat/logs/catalina.err","usr/share/tomcat6/logs/catalina.out","usr/share/tomcat6/logs/catalina.err","usr/local/apache/logs/mod_jk.log","usr/local/jakarta/tomcat/logs/mod_jk.log","usr/local/jakarta/dist/tomcat/logs/mod_jk.log","opt/[jboss]/server/default/conf/jboss-minimal.xml","opt/[jboss]/server/default/conf/jboss-service.xml","opt/[jboss]/server/default/conf/jndi.properties","opt/[jboss]/server/default/conf/log4j.xml","opt/[jboss]/server/default/conf/login-config.xml","opt/[jboss]/server/default/conf/standardjaws.xml","opt/[jboss]/server/default/conf/standardjboss.xml","opt/[jboss]/server/default/conf/server.log.properties","opt/[jboss]/server/default/deploy/jboss-logging.xml","usr/local/[jboss]/server/default/conf/jboss-minimal.xml","usr/local/[jboss]/server/default/conf/jboss-service.xml","usr/local/[jboss]/server/default/conf/jndi.properties","usr/local/[jboss]/server/default/conf/log4j.xml","usr/local/[jboss]/server/default/conf/login-config.xml","usr/local/[jboss]/server/default/conf/standardjaws.xml","usr/local/[jboss]/server/default/conf/standardjboss.xml","usr/local/[jboss]/server/default/conf/server.log.properties","usr/local/[jboss]/server/default/deploy/jboss-logging.xml","private/tmp/[jboss]/server/default/conf/jboss-minimal.xml","private/tmp/[jboss]/server/default/conf/jboss-service.xml","private/tmp/[jboss]/server/default/conf/jndi.properties","private/tmp/[jboss]/server/default/conf/log4j.xml","private/tmp/[jboss]/server/default/conf/login-config.xml","private/tmp/[jboss]/server/default/conf/standardjaws.xml","private/tmp/[jboss]/server/default/conf/standardjboss.xml","private/tmp/[jboss]/server/default/conf/server.log.properties","private/tmp/[jboss]/server/default/deploy/jboss-logging.xml","tmp/[jboss]/server/default/conf/jboss-minimal.xml","tmp/[jboss]/server/default/conf/jboss-service.xml","tmp/[jboss]/server/default/conf/jndi.properties","tmp/[jboss]/server/default/conf/log4j.xml","tmp/[jboss]/server/default/conf/login-config.xml","tmp/[jboss]/server/default/conf/standardjaws.xml","tmp/[jboss]/server/default/conf/standardjboss.xml","tmp/[jboss]/server/default/conf/server.log.properties","tmp/[jboss]/server/default/deploy/jboss-logging.xml","program files/[jboss]/server/default/conf/jboss-minimal.xml","program files/[jboss]/server/default/conf/jboss-service.xml","program files/[jboss]/server/default/conf/jndi.properties","program files/[jboss]/server/default/conf/log4j.xml","program files/[jboss]/server/default/conf/login-config.xml","program files/[jboss]/server/default/conf/standardjaws.xml","program files/[jboss]/server/default/conf/standardjboss.xml","program files/[jboss]/server/default/conf/server.log.properties","program files/[jboss]/server/default/deploy/jboss-logging.xml","[jboss]/server/default/conf/jboss-minimal.xml","[jboss]/server/default/conf/jboss-service.xml","[jboss]/server/default/conf/jndi.properties","[jboss]/server/default/conf/log4j.xml","[jboss]/server/default/conf/login-config.xml","[jboss]/server/default/conf/standardjaws.xml","[jboss]/server/default/conf/standardjboss.xml","[jboss]/server/default/conf/server.log.properties","[jboss]/server/default/deploy/jboss-logging.xml","opt/[jboss]/server/default/log/server.log","opt/[jboss]/server/default/log/boot.log","usr/local/[jboss]/server/default/log/server.log","usr/local/[jboss]/server/default/log/boot.log","private/tmp/[jboss]/server/default/log/server.log","private/tmp/[jboss]/server/default/log/boot.log","tmp/[jboss]/server/default/log/server.log","tmp/[jboss]/server/default/log/boot.log","program files/[jboss]/server/default/log/server.log","program files/[jboss]/server/default/log/boot.log","[jboss]/server/default/log/server.log","[jboss]/server/default/log/boot.log","var/log/lighttpd.error.log","var/log/lighttpd.access.log","var/lighttpd.log","var/logs/access.log","var/log/lighttpd/","var/log/lighttpd/error.log","var/log/lighttpd/access.www.log","var/log/lighttpd/error.www.log","var/log/lighttpd/access.log","usr/local/apache2/logs/lighttpd.error.log","usr/local/apache2/logs/lighttpd.log","usr/local/apache/logs/lighttpd.error.log","usr/local/apache/logs/lighttpd.log","usr/local/lighttpd/log/lighttpd.error.log","usr/local/lighttpd/log/access.log","var/log/lighttpd/{domain}/access.log","var/log/lighttpd/{domain}/error.log","usr/home/user/var/log/lighttpd.error.log","usr/home/user/var/log/apache.log","home/user/lighttpd/lighttpd.conf","usr/home/user/lighttpd/lighttpd.conf","etc/lighttpd/lighthttpd.conf","usr/local/etc/lighttpd.conf","usr/local/lighttpd/conf/lighttpd.conf","usr/local/etc/lighttpd.conf.new","var/www/.lighttpdpassword","var/log/nginx/access_log","var/log/nginx/error_log","var/log/nginx/access.log","var/log/nginx/error.log","var/log/nginx.access_log","var/log/nginx.error_log","logs/access_log","logs/error_log","etc/nginx/nginx.conf","usr/local/etc/nginx/nginx.conf","usr/local/nginx/conf/nginx.conf","usr/local/zeus/web/global.cfg","usr/local/zeus/web/log/errors","opt/lsws/conf/httpd_conf.xml","usr/local/lsws/conf/httpd_conf.xml","opt/lsws/logs/error.log","opt/lsws/logs/access.log","usr/local/lsws/logs/error.log","usr/local/logs/access.log","usr/local/samba/lib/log.user","usr/local/logs/samba.log","var/log/samba/log.smbd","var/log/samba/log.nmbd","var/log/samba.log","var/log/samba.log1","var/log/samba.log2","var/log/log.smb","etc/samba/netlogon","etc/smbpasswd","etc/smb.conf","etc/samba/dhcp.conf","etc/samba/smb.conf","etc/samba/samba.conf","etc/samba/smb.conf.user","etc/samba/smbpasswd","etc/samba/smbusers","etc/samba/private/smbpasswd","usr/local/etc/smb.conf","usr/local/samba/lib/smb.conf.user","etc/dhcp3/dhclient.conf","etc/dhcp3/dhcpd.conf","etc/dhcp/dhclient.conf","program files/vidalia bundle/polipo/polipo.conf","etc/tor/tor-tsocks.conf","etc/stunnel/stunnel.conf","etc/tsocks.conf","etc/tinyproxy/tinyproxy.conf","etc/miredo-server.conf","etc/miredo.conf","etc/miredo/miredo-server.conf","etc/miredo/miredo.conf","etc/wicd/dhclient.conf.template.default","etc/wicd/manager-settings.conf","etc/wicd/wired-settings.conf","etc/wicd/wireless-settings.conf","var/log/ipfw.log","var/log/ipfw","var/log/ipfw/ipfw.log","var/log/ipfw.today","etc/ipfw.rules","etc/ipfw.conf","etc/firewall.rules","winnt/system32/logfiles/firewall/pfirewall.log","winnt/system32/logfiles/firewall/pfirewall.log.old","windows/system32/logfiles/firewall/pfirewall.log","windows/system32/logfiles/firewall/pfirewall.log.old","etc/clamav/clamd.conf","etc/clamav/freshclam.conf","etc/x11/xorg.conf","etc/x11/xorg.conf-vesa","etc/x11/xorg.conf-vmware","etc/x11/xorg.conf.beforevmwaretoolsinstall","etc/x11/xorg.conf.orig","etc/bluetooth/input.conf","etc/bluetooth/main.conf","etc/bluetooth/network.conf","etc/bluetooth/rfcomm.conf","proc/self/environ","proc/self/mounts","proc/self/stat","proc/self/status","proc/self/cmdline","proc/self/fd/0","proc/self/fd/1","proc/self/fd/2","proc/self/fd/3","proc/self/fd/4","proc/self/fd/5","proc/self/fd/6","proc/self/fd/7","proc/self/fd/8","proc/self/fd/9","proc/self/fd/10","proc/self/fd/11","proc/self/fd/12","proc/self/fd/13","proc/self/fd/14","proc/self/fd/15","proc/version","proc/devices","proc/cpuinfo","proc/meminfo","proc/net/tcp","proc/net/udp","etc/bash_completion.d/debconf","root/.bash_logout","root/.bash_history","root/.bash_config","root/.bashrc","etc/bash.bashrc","var/adm/syslog","var/adm/sulog","var/adm/utmp","var/adm/utmpx","var/adm/wtmp","var/adm/wtmpx","var/adm/lastlog/username","usr/spool/lp/log","var/adm/lp/lpd-errs","usr/lib/cron/log","var/adm/loginlog","var/adm/pacct","var/adm/dtmp","var/adm/acct/sum/loginlog","var/adm/x0msgs","var/adm/crash/vmcore","var/adm/crash/unix","etc/newsyslog.conf","var/adm/qacct","var/adm/ras/errlog","var/adm/ras/bootlog","var/adm/cron/log","etc/utmp","etc/security/lastlog","etc/security/failedlogin","usr/spool/mqueue/syslog","var/adm/messages","var/adm/aculogs","var/adm/aculog","var/adm/vold.log","var/adm/log/asppp.log","var/log/poplog","var/log/authlog","var/lp/logs/lpsched","var/lp/logs/lpnet","var/lp/logs/requests","var/cron/log","var/saf/_log","var/saf/port/log","var/log/news.all","var/log/news/news.all","var/log/news/news.crit","var/log/news/news.err","var/log/news/news.notice","var/log/news/suck.err","var/log/news/suck.notice","var/log/messages","var/log/messages.1","var/log/user.log","var/log/user.log.1","var/log/auth.log","var/log/pm-powersave.log","var/log/xorg.0.log","var/log/daemon.log","var/log/daemon.log.1","var/log/kern.log","var/log/kern.log.1","var/log/mail.err","var/log/mail.info","var/log/mail.warn","var/log/ufw.log","var/log/boot.log","var/log/syslog","var/log/syslog.1","tmp/access.log","etc/sensors.conf","etc/sensors3.conf","etc/host.conf","etc/pam.conf","etc/resolv.conf","etc/apt/apt.conf","etc/inetd.conf","etc/syslog.conf","etc/sysctl.conf","etc/sysctl.d/10-console-messages.conf","etc/sysctl.d/10-network-security.conf","etc/sysctl.d/10-process-security.conf","etc/sysctl.d/wine.sysctl.conf","etc/security/access.conf","etc/security/group.conf","etc/security/limits.conf","etc/security/namespace.conf","etc/security/pam_env.conf","etc/security/sepermit.conf","etc/security/time.conf","etc/ssh/sshd_config","etc/adduser.conf","etc/deluser.conf","etc/avahi/avahi-daemon.conf","etc/ca-certificates.conf","etc/ca-certificates.conf.dpkg-old","etc/casper.conf","etc/chkrootkit.conf","etc/debconf.conf","etc/dns2tcpd.conf","etc/e2fsck.conf","etc/esound/esd.conf","etc/etter.conf","etc/fuse.conf","etc/foremost.conf","etc/hdparm.conf","etc/kernel-img.conf","etc/kernel-pkg.conf","etc/ld.so.conf","etc/ltrace.conf","etc/mail/sendmail.conf","etc/manpath.config","etc/kbd/config","etc/ldap/ldap.conf","etc/logrotate.conf","etc/mtools.conf","etc/smi.conf","etc/updatedb.conf","etc/pulse/client.conf","usr/share/adduser/adduser.conf","etc/hostname","etc/networks","etc/timezone","etc/modules","etc/passwd","etc/passwd~","etc/passwd-","etc/shadow","etc/shadow~","etc/shadow-","etc/fstab","etc/motd","etc/hosts","etc/group","etc/group-","etc/alias","etc/crontab","etc/crypttab","etc/exports","etc/mtab","etc/hosts.allow","etc/hosts.deny","etc/os-release","etc/password.master","etc/profile","etc/default/grub","etc/resolvconf/update-libc.d/sendmail","etc/inittab","etc/issue","etc/issue.net","etc/login.defs","etc/sudoers","etc/sysconfig/network-scripts/ifcfg-eth0","etc/redhat-release","etc/debian_version","etc/fedora-release","etc/mandrake-release","etc/slackware-release","etc/suse-release","etc/security/group","etc/security/passwd","etc/security/user","etc/security/environ","etc/security/limits","etc/security/opasswd","boot/grub/grub.cfg","boot/grub/menu.lst","root/.ksh_history","root/.xauthority","usr/lib/security/mkuser.default","var/log/squirrelmail.log","var/log/apache2/squirrelmail.log","var/log/apache2/squirrelmail.err.log","var/lib/squirrelmail/prefs/squirrelmail.log","var/log/mail.log","etc/squirrelmail/apache.conf","etc/squirrelmail/config_local.php","etc/squirrelmail/default_pref","etc/squirrelmail/index.php","etc/squirrelmail/config_default.php","etc/squirrelmail/config.php","etc/squirrelmail/filters_setup.php","etc/squirrelmail/sqspell_config.php","etc/squirrelmail/config/config.php","etc/httpd/conf.d/squirrelmail.conf","usr/share/squirrelmail/config/config.php","private/etc/squirrelmail/config/config.php","srv/www/htdos/squirrelmail/config/config.php","var/www/squirrelmail/config/config.php","var/www/html/squirrelmail/config/config.php","var/www/html/squirrelmail-1.2.9/config/config.php","usr/share/squirrelmail/plugins/squirrel_logger/setup.php","usr/local/squirrelmail/www/readme","windows/system32/drivers/etc/hosts","windows/system32/drivers/etc/lmhosts.sam","windows/system32/drivers/etc/networks","windows/system32/drivers/etc/protocol","windows/system32/drivers/etc/services","/boot.ini","windows/debug/netsetup.log","windows/comsetup.log","windows/repair/setup.log","windows/setupact.log","windows/setupapi.log","windows/setuperr.log","windows/updspapi.log","windows/wmsetup.log","windows/windowsupdate.log","windows/odbc.ini","usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php","etc/apache2/conf.d/phpmyadmin.conf","etc/phpmyadmin/config.inc.php","etc/openldap/ldap.conf","etc/cups/acroread.conf","etc/cups/cupsd.conf","etc/cups/cupsd.conf.default","etc/cups/pdftops.conf","etc/cups/printers.conf","windows/system32/macromed/flash/flashinstall.log","windows/system32/macromed/flash/install.log","etc/cvs-cron.conf","etc/cvs-pserver.conf","etc/subversion/config","etc/modprobe.d/vmware-tools.conf","etc/updatedb.conf.beforevmwaretoolsinstall","etc/vmware-tools/config","etc/vmware-tools/tpvmlp.conf","etc/vmware-tools/vmware-tools-libraries.conf","var/log/vmware/hostd.log","var/log/vmware/hostd-1.log","wp-config.php","wp-config.bak","wp-config.old","wp-config.temp","wp-config.tmp","wp-config.txt","config.yml","config_dev.yml","config_prod.yml","config_test.yml","parameters.yml","routing.yml","security.yml","services.yml","sites/default/default.settings.php","sites/default/settings.php","sites/default/settings.local.php","app/etc/local.xml","sftp-config.json","web.config","includes/config.php","includes/configure.php","config.inc.php","localsettings.php","inc/config.php","typo3conf/localconf.php","config/app.php","config/custom.php","config/database.php","/configuration.php","/config.php","var/mail/www-data","etc/network/","etc/init/","inetpub/wwwroot/global.asa","system32/inetsrv/config/applicationhost.config","system32/inetsrv/config/administration.config","system32/inetsrv/config/redirection.config","system32/config/default","system32/config/sam","system32/config/system","system32/config/software","winnt/repair/sam._","package.json","package-lock.json","gruntfile.js","npm-debug.log","ormconfig.json","tsconfig.json","webpack.config.js","yarn.lock"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-931-110","name":"Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload","tags":{"type":"rfi","crs_id":"931110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"}],"regex":"(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://","options":{"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-931-120","name":"Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)","tags":{"type":"rfi","crs_id":"931120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"^(?i:file|ftps?|https?).*?\\?+$","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-932-160","name":"Remote Command Execution: Unix Shell Code Found","tags":{"type":"command_injection","crs_id":"932160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["${cdpath}","${dirstack}","${home}","${hostname}","${ifs}","${oldpwd}","${ostype}","${path}","${pwd}","$cdpath","$dirstack","$home","$hostname","$ifs","$oldpwd","$ostype","$path","$pwd","bin/bash","bin/cat","bin/csh","bin/dash","bin/du","bin/echo","bin/grep","bin/less","bin/ls","bin/mknod","bin/more","bin/nc","bin/ps","bin/rbash","bin/sh","bin/sleep","bin/su","bin/tcsh","bin/uname","dev/fd/","dev/null","dev/stderr","dev/stdin","dev/stdout","dev/tcp/","dev/udp/","dev/zero","etc/group","etc/master.passwd","etc/passwd","etc/pwd.db","etc/shadow","etc/shells","etc/spwd.db","proc/self/","usr/bin/awk","usr/bin/base64","usr/bin/cat","usr/bin/cc","usr/bin/clang","usr/bin/clang++","usr/bin/curl","usr/bin/diff","usr/bin/env","usr/bin/fetch","usr/bin/file","usr/bin/find","usr/bin/ftp","usr/bin/gawk","usr/bin/gcc","usr/bin/head","usr/bin/hexdump","usr/bin/id","usr/bin/less","usr/bin/ln","usr/bin/mkfifo","usr/bin/more","usr/bin/nc","usr/bin/ncat","usr/bin/nice","usr/bin/nmap","usr/bin/perl","usr/bin/php","usr/bin/php5","usr/bin/php7","usr/bin/php-cgi","usr/bin/printf","usr/bin/psed","usr/bin/python","usr/bin/python2","usr/bin/python3","usr/bin/ruby","usr/bin/sed","usr/bin/socat","usr/bin/tail","usr/bin/tee","usr/bin/telnet","usr/bin/top","usr/bin/uname","usr/bin/wget","usr/bin/who","usr/bin/whoami","usr/bin/xargs","usr/bin/xxd","usr/bin/yes","usr/local/bin/bash","usr/local/bin/curl","usr/local/bin/ncat","usr/local/bin/nmap","usr/local/bin/perl","usr/local/bin/php","usr/local/bin/python","usr/local/bin/python2","usr/local/bin/python3","usr/local/bin/rbash","usr/local/bin/ruby","usr/local/bin/wget"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-932-171","name":"Remote Command Execution: Shellshock (CVE-2014-6271)","tags":{"type":"command_injection","crs_id":"932171","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^\\(\\s*\\)\\s+{","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-932-180","name":"Restricted File Upload Attempt","tags":{"type":"command_injection","crs_id":"932180","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["x-filename"]},{"address":"server.request.headers.no_cookies","key_path":["x_filename"]},{"address":"server.request.headers.no_cookies","key_path":["x-file-name"]}],"list":[".htaccess",".htdigest",".htpasswd","wp-config.php","config.yml","config_dev.yml","config_prod.yml","config_test.yml","parameters.yml","routing.yml","security.yml","services.yml","default.settings.php","settings.php","settings.local.php","local.xml",".env"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-111","name":"PHP Injection Attack: PHP Script File Upload Found","tags":{"type":"unrestricted_file_upload","crs_id":"933111","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["x-filename"]},{"address":"server.request.headers.no_cookies","key_path":["x_filename"]},{"address":"server.request.headers.no_cookies","key_path":["x.filename"]},{"address":"server.request.headers.no_cookies","key_path":["x-file-name"]}],"regex":".*\\.(?:php\\d*|phtml)\\..*$","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-933-130","name":"PHP Injection Attack: Global Variables Found","tags":{"type":"php_code_injection","crs_id":"933130","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["$globals","$http_cookie_vars","$http_env_vars","$http_get_vars","$http_post_files","$http_post_vars","$http_raw_post_data","$http_request_vars","$http_server_vars","$_cookie","$_env","$_files","$_get","$_post","$_request","$_server","$_session","$argc","$argv"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-131","name":"PHP Injection Attack: HTTP Headers Values Found","tags":{"type":"php_code_injection","crs_id":"933131","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)","options":{"case_sensitive":true,"min_length":9}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-140","name":"PHP Injection Attack: I/O Stream Found","tags":{"type":"php_code_injection","crs_id":"933140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)","options":{"min_length":8}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-150","name":"PHP Injection Attack: High-Risk PHP Function Name Found","tags":{"type":"php_code_injection","crs_id":"933150","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["__halt_compiler","apache_child_terminate","base64_decode","bzdecompress","call_user_func","call_user_func_array","call_user_method","call_user_method_array","convert_uudecode","file_get_contents","file_put_contents","fsockopen","get_class_methods","get_class_vars","get_defined_constants","get_defined_functions","get_defined_vars","gzdecode","gzinflate","gzuncompress","include_once","invokeargs","pcntl_exec","pcntl_fork","pfsockopen","posix_getcwd","posix_getpwuid","posix_getuid","posix_uname","reflectionfunction","require_once","shell_exec","str_rot13","sys_get_temp_dir","wp_remote_fopen","wp_remote_get","wp_remote_head","wp_remote_post","wp_remote_request","wp_safe_remote_get","wp_safe_remote_head","wp_safe_remote_post","wp_safe_remote_request","zlib_decode"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-160","name":"PHP Injection Attack: High-Risk PHP Function Call Found","tags":{"type":"php_code_injection","crs_id":"933160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)","options":{"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-170","name":"PHP Injection Attack: Serialized Object Injection","tags":{"type":"php_code_injection","crs_id":"933170","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-200","name":"PHP Injection Attack: Wrapper scheme detected","tags":{"type":"php_code_injection","crs_id":"933200","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-934-100","name":"Node.js Injection Attack","tags":{"type":"js_code_injection","crs_id":"934100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-941-100","name":"XSS Attack Detected via libinjection","tags":{"type":"xss","crs_id":"941100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}]},"operator":"is_xss"}],"transformers":["removeNulls"]},{"id":"crs-941-110","name":"XSS Filter - Category 1: Script Tag Vector","tags":{"type":"xss","crs_id":"941110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<script[^>]*>[\\s\\S]*?","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-120","name":"XSS Filter - Category 2: Event Handler Vector","tags":{"type":"xss","crs_id":"941120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-140","name":"XSS Filter - Category 4: Javascript URI Vector","tags":{"type":"xss","crs_id":"941140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript","options":{"min_length":18}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-180","name":"Node-Validator Deny List Keywords","tags":{"type":"xss","crs_id":"941180","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["document.cookie","document.write",".parentnode",".innerhtml","window.location","-moz-binding","<![cdata["]},"operator":"phrase_match"}],"transformers":["removeNulls","lowercase"]},{"id":"crs-941-200","name":"IE XSS Filters - Attack Detected via vmlframe tag","tags":{"type":"xss","crs_id":"941200","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)","options":{"case_sensitive":true,"min_length":13}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-210","name":"IE XSS Filters - Obfuscated Attack Detected via javascript injection","tags":{"type":"xss","crs_id":"941210","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-220","name":"IE XSS Filters - Obfuscated Attack Detected via vbscript injection","tags":{"type":"xss","crs_id":"941220","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)","options":{"case_sensitive":true,"min_length":10}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-230","name":"IE XSS Filters - Attack Detected via embed tag","tags":{"type":"xss","crs_id":"941230","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<EMBED[\\s/+].*?(?:src|type).*?=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-240","name":"IE XSS Filters - Attack Detected via import tag","tags":{"type":"xss","crs_id":"941240","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<[?]?import[\\s/+\\S]*?implementation[\\s/+]*?=","options":{"case_sensitive":true,"min_length":22}},"operator":"match_regex"}],"transformers":["lowercase","removeNulls"]},{"id":"crs-941-270","name":"IE XSS Filters - Attack Detected via link tag","tags":{"type":"xss","crs_id":"941270","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<LINK[\\s/+].*?href[\\s/+]*=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-280","name":"IE XSS Filters - Attack Detected via base tag","tags":{"type":"xss","crs_id":"941280","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<BASE[\\s/+].*?href[\\s/+]*=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-290","name":"IE XSS Filters - Attack Detected via applet tag","tags":{"type":"xss","crs_id":"941290","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<APPLET[\\s/+>]","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-300","name":"IE XSS Filters - Attack Detected via object tag","tags":{"type":"xss","crs_id":"941300","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<OBJECT[\\s/+].*?(?:type|codetype|classid|code|data)[\\s/+]*=","options":{"min_length":13}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-350","name":"UTF-7 Encoding IE XSS - Attack Detected","tags":{"type":"xss","crs_id":"941350","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-941-360","name":"JSFuck / Hieroglyphy obfuscation detected","tags":{"type":"xss","crs_id":"941360","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"![!+ ]\\[\\]","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-100","name":"SQL Injection Attack Detected via libinjection","tags":{"type":"sql_injection","crs_id":"942100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}]},"operator":"is_sqli"}],"transformers":["removeNulls"]},{"id":"crs-942-140","name":"SQL Injection Attack: Common DB Names Detected","tags":{"type":"sql_injection","crs_id":"942140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\.\\.sysdatabases|ysql\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\b|s(?:(?:ys(?:\\.database_name|aux)|qlite(?:_temp)?_master)\\b|chema(?:_name\\b|\\W*\\())|d(?:atabas|b_nam)e\\W*\\()","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-160","name":"Detects blind sqli tests using sleep() or benchmark()","tags":{"type":"sql_injection","crs_id":"942160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))","options":{"case_sensitive":true,"min_length":7}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-190","name":"Detects MSSQL code execution and information gathering attempts","tags":{"type":"sql_injection","crs_id":"942190","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()","options":{"min_length":3}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-220","name":"Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash","tags":{"type":"sql_injection","crs_id":"942220","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-240","name":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"type":"sql_injection","crs_id":"942240","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)","options":{"min_length":7}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-250","name":"Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections","tags":{"type":"sql_injection","crs_id":"942250","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()","options":{"case_sensitive":true,"min_length":11}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-270","name":"Looking for basic sql injection. Common attack string for mysql, oracle and others","tags":{"type":"sql_injection","crs_id":"942270","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"union.*?select.*?from","options":{"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-280","name":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"type":"sql_injection","crs_id":"942280","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)","options":{"min_length":10}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"type":"nosql_injection","crs_id":"942290","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-360","name":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"type":"sql_injection","crs_id":"942360","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)","options":{"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-500","name":"MySQL in-line comment detected","tags":{"type":"sql_injection","crs_id":"942500","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-943-100","name":"Possible Session Fixation Attack: Setting Cookie Values in HTML","tags":{"type":"http_protocol_violation","crs_id":"943100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)","options":{"case_sensitive":true,"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-944-100","name":"Remote Command Execution: Suspicious Java class detected","tags":{"type":"java_code_injection","crs_id":"944100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"java\\.lang\\.(?:runtime|processbuilder)","options":{"case_sensitive":true,"min_length":17}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-944-110","name":"Remote Command Execution: Java process spawn (CVE-2017-9805)","tags":{"type":"java_code_injection","crs_id":"944110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?:runtime|processbuilder)","options":{"case_sensitive":true,"min_length":7}},"operator":"match_regex"},{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?:unmarshaller|base64data|java\\.)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-944-130","name":"Suspicious Java class detected","tags":{"type":"java_code_injection","crs_id":"944130","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"list":["com.opensymphony.xwork2","com.sun.org.apache","java.io.bufferedinputstream","java.io.bufferedreader","java.io.bytearrayinputstream","java.io.bytearrayoutputstream","java.io.chararrayreader","java.io.datainputstream","java.io.file","java.io.fileoutputstream","java.io.filepermission","java.io.filewriter","java.io.filterinputstream","java.io.filteroutputstream","java.io.filterreader","java.io.inputstream","java.io.inputstreamreader","java.io.linenumberreader","java.io.objectoutputstream","java.io.outputstream","java.io.pipedoutputstream","java.io.pipedreader","java.io.printstream","java.io.pushbackinputstream","java.io.reader","java.io.stringreader","java.lang.class","java.lang.integer","java.lang.number","java.lang.object","java.lang.process","java.lang.processbuilder","java.lang.reflect","java.lang.runtime","java.lang.string","java.lang.stringbuilder","java.lang.system","javax.script.scriptenginemanager","org.apache.commons","org.apache.struts","org.apache.struts2","org.omg.corba","java.beans.xmldecode"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"phrase_match","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"list":["/wordpress/","/etc/","/login.php","/install.php","/administrator","/admin.php","/wp-config","/phpmyadmin","/fckeditor","/mysql","/manager/html",".htaccess","/config.php","/configuration","/cgi-bin/php","/search.php","/tinymce","/tiny_mce","/settings.php","../../..","/install/","/download.php","/webdav","/forum.php","/user.php","/style.php","/jmx-console","/modules.php","/include.php","/default.asp","/help.php","/database.yml","/database.yml.pgsql","/database.yml.sqlite3","/database.yml.sqlite","/database.yml.mysql",".%2e/","/view.php","/header.php","/search.asp","%5c%5c","/server/php/","/invoker/jmxinvokerservlet","/phpmyadmin/index.php","/data/admin/allowurl.txt","/verify.php","/misc/ajax.js","/.idea","/module.php","/backup.rar","/backup.tar","/backup.zip","/backup.7z","/backup.gz","/backup.tgz","/backup.tar.gz","waitfor%20delay","/calendar.php","/news.php","/dompdf.php","))))))))))))))))","/web.config","tree.php","/cgi-bin-sdb/printenv","/comments.php","/detail.asp","/license.txt","/admin.asp","/auth.php","/list.php","/content.php","/mod.php","/mini.php","/install.pgsql","/install.mysql","/install.sqlite","/install.sqlite3","/install.txt","/install.md","/doku.php","/main.asp","/myadmin","/force-download.php","/iisprotect/admin","/.gitignore","/print.php","/common.php","/mainfile.php","/functions.php","/scripts/setup.php","/faq.php","/op/op.login.php","/home.php","/includes/hnmain.inc.php3","/preview.php","/dump.rar","/dump.tar","/dump.zip","/dump.7z","/dump.gz","/dump.tgz","/dump.tar.gz","/thumbnail.php","/sendcard.php","/global.asax","/directory.php","/footer.php","/error.asp","/forum.asp","/save.php","/htmlsax3.php","/adm/krgourl.php","/includes/converter.inc.php","/nucleus/libs/pluginadmin.php","/base_qry_common.php","/fileadmin","/bitrix/admin/","/adm.php","/util/barcode.php","/action.php","/rss.asp","/downloads.php","/page.php","/snarf_ajax.php","/fck/editor","/sendmail.php","/detail.php","/iframe.php","/swfupload.swf","/jenkins/login","/phpmyadmin/main.php","/phpmyadmin/scripts/setup.php","/user/index.php","/checkout.php","/process.php","/ks_inc/ajax.js","/export.php","/register.php","/cart.php","/console.php","/friend.php","/readmsg.php","/install.asp","/dagent/downloadreport.asp","/system/index.php","/core/changelog.txt","/js/util.js","/interna.php","/gallery.php","/links.php","/data/admin/ver.txt","/language/zh-cn.xml","/productdetails.asp","/admin/template/article_more/config.htm","/components/com_moofaq/includes/file_includer.php","/licence.txt","/rss.xsl","/vtigerservice.php","/mysql/main.php","/passwiki.php","/scr/soustab.php","/global.php","/email.php","/user.asp","/msd","/products.php","/cultbooking.php","/cron.php","/static/js/admincp.js","/comment.php","/maintainers","/modules/plain/adminpart/addplain.php","/wp-content/plugins/ungallery/source_vuln.php","/upgrade.txt","/category.php","/index_logged.php","/members.asp","/script/html.js","/images/ad.js","/awstats/awstats.pl","/includes/esqueletos/skel_null.php","/modules/profile/user.php","/window_top.php","/openbrowser.php","/thread.php","tinfoil_xss","/includes/include.php","/urheber.php","/header.inc.php","/mysqldumper","/display.php","/website.php","/stats.php","/assets/plugins/mp3_id/mp3_id.php","/siteminderagent/forms/smpwservices.fcc"]}}],"transformers":["lowercase"]},{"id":"nfd-000-002","name":"Detect failed attempt to fetch readme files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"readme\\.[\\.a-z0-9]+$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-003","name":"Detect failed attempt to fetch Java EE resource files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"^(?:.*web\\-inf)(?:.*web\\.xml).*$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-004","name":"Detect failed attempt to fetch code files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(java|pyc?|rb|class)\\b","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-005","name":"Detect failed attempt to fetch source code archives","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(sql|log|ndb|gz|zip|tar\\.gz|tar|regVV|reg|conf|bz2|ini|db|war|bat|inc|btr|server|ds|conf|config|admin|master|sln|bak)\\b(?:[^.]|$)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-006","name":"Detect failed attempt to fetch sensitive files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(cgi|bat|dll|exe|key|cert|crt|pem|der|pkcs|pkcs|pkcs[0-9]*|nsf|jsa|war|java|class|vb|vba|so|git|svn|hg|cvs)([^a-zA-Z0-9_]|$)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-007","name":"Detect failed attempt to fetch archives","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"/[\\d\\-_]*\\.(rar|tar|zip|7z|gz|tgz|tar.gz)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-008","name":"Detect failed attempt to trigger incorrect application behavior","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"(/(administrator/components/com.*\\.php|response\\.write\\(.+\\))|select\\(.+\\)from|\\(.*sleep\\(.+\\)|(%[a-zA-Z0-9]{2}[a-zA-Z]{0,1})+\\))","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-009","name":"Detect failed attempt to leak the structure of the application","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"/(login\\.rol|LICENSE|[\\w-]+\\.(plx|pwd))$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"sqr-000-001","name":"SSRF: Try to access the credential manager of the main cloud services","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/","options":{"min_length":4}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"sqr-000-002","name":"Server-side Javascript injection: Try to detect obvious JS injection","tags":{"type":"js_code_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)","options":{"min_length":4}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"sqr-000-007","name":"NoSQL: Detect common exploitation strategy","tags":{"type":"nosql_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"regex":"\\$(eq|ne|lte?|gte?|n?in)\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-008","name":"Windows: Detect attempts to exfiltrate .ini files","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-009","name":"Linux: Detect attempts to exfiltrate passwd files","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-010","name":"Windows: Detect attempts to timeout a shell","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-011","name":"SSRF: Try to access internal OMI service (CVE-2021-38647)","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-012","name":"SSRF: Detect SSRF attempt on internal service","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-013","name":"SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-014","name":"SSRF: Detect SSRF domain redirection bypass","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-015","name":"SSRF: Detect SSRF attempt using non HTTP protocol","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-017","name":"JNDI: Attempt to exploit log4j CVE-2021-44228","tags":{"type":"java_code_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-0xx","name":"Joomla exploitation tool","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"JDatabaseDriverMysqli"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-10x","name":"Nessus","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Nessus(/|([ :]+SOAP))"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-12x","name":"Arachni","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^Arachni\\/v"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-13x","name":"Jorgee","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bJorgee\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-14x","name":"Probely","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bProbely\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-15x","name":"Metis","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bmetis\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-16x","name":"SQL power injector","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"sql power injector"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-18x","name":"N-Stealth","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bn-stealth\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-19x","name":"Brutus","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bbrutus\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-1xx","name":"Shellshock exploitation tool","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"\\(\\) \\{ :; *\\}"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-20x","name":"Netsparker","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)(<script>netsparker\\(0x0|ns:netsparker.*=vuln)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-22x","name":"JAASCois","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bjaascois\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-23x","name":"PMAFind","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bpmafind\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-25x","name":"Webtrends","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"webtrends security analyzer"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-26x","name":"Nsauditor","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bnsauditor\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-27x","name":"Paros","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)Mozilla/.* Paros/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-28x","name":"DirBuster","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bdirbuster\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-29x","name":"Pangolin","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bpangolin\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-2xx","name":"Qualys","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bqualys\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-30x","name":"SQLNinja","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bsqlninja\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-31x","name":"Nikto","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"\\(Nikto/[\\d\\.]+\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-32x","name":"WebInspect","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bwebinspect\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-33x","name":"BlackWidow","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bblack\\s?widow\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-34x","name":"Grendel-Scan","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bgrendel-scan\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-35x","name":"Havij","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bhavij\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-36x","name":"w3af","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bw3af\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-37x","name":"Nmap","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"nmap (nse|scripting engine)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-39x","name":"Nessus Scripted","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^'?[a-z0-9]+\\.nasl'?$"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-3xx","name":"Evil Scanner","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bevilScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-40x","name":"WebFuck","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bWebFuck\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-41x","name":"Acunetix","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"md5\\(acunetix_wvs_security_test\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-42x","name":"OpenVAS","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)OpenVAS\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-43x","name":"Spider-Pig","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"Powered by Spider-Pig by tinfoilsecurity\\.com"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-44x","name":"Zgrab","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"Mozilla/\\d+.\\d+ zgrab"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-45x","name":"Zmeu","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bZmEu\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-46x","name":"Crowdstrike","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bcrowdstrike\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-47x","name":"GoogleSecurityScanner","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bGoogleSecurityScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-48x","name":"Commix","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^commix\\/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-49x","name":"Gobuster","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^gobuster\\/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-4xx","name":"CGIchk","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bcgichk\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-51x","name":"FFUF","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Fuzz Faster U Fool\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-52x","name":"Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Nuclei\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-53x","name":"Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bTsunamiSecurityScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-54x","name":"Nimbostratus is a vulnerability scanner that scan websites unprompted","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bnimbostratus-bot\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-5xx","name":"Blind Sql Injection Brute Forcer","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bbsqlbf\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-6xx","name":"Suspicious user agent","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"mozilla/4\\.0 \\(compatible(; msie 6\\.0; win32)?\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-7xx","name":"SQLmap","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^sqlmap/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-9xx","name":"Skipfish","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)mozilla/5\\.0 sf/"},"operator":"match_regex"}],"transformers":[]}]}
|
|
1
|
+
{"version":"2.1","rules":[{"id":"crs-913-110","name":"Found request header associated with Acunetix security scanner","tags":{"type":"security_scanner","crs_id":"913110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"list":["acunetix-product","(acunetix web vulnerability scanner","acunetix-scanning-agreement","acunetix-user-agreement"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-913-120","name":"Found request filename/argument associated with security scanner","tags":{"type":"security_scanner","crs_id":"913120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"list":["/.adsensepostnottherenonobook","/<invalid>hello.html","/actsensepostnottherenonotive","/acunetix-wvs-test-for-some-inexistent-file","/antidisestablishmentarianism","/appscan_fingerprint/mac_address","/arachni-","/cybercop","/nessus_is_probing_you_","/nessustest","/netsparker-","/rfiinc.txt","/thereisnowaythat-you-canbethere","/w3af/remotefileinclude.html","appscan_fingerprint","w00tw00t.at.isc.sans.dfind","w00tw00t.at.blackhats.romanian.anti-sec"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-920-260","name":"Unicode Full/Half Width Abuse Attack Attempt","tags":{"type":"http_protocol_violation","crs_id":"920260","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\%u[fF]{2}[0-9a-fA-F]{2}","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-921-110","name":"HTTP Request Smuggling Attack","tags":{"type":"http_protocol_violation","crs_id":"921110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-921-140","name":"HTTP Header Injection Attack via headers","tags":{"type":"http_protocol_violation","crs_id":"921140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"regex":"[\\n\\r]","options":{"case_sensitive":true,"min_length":1}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-921-160","name":"HTTP Header Injection Attack via payload (CR/LF and header-name detected)","tags":{"type":"http_protocol_violation","crs_id":"921160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.path_params"}],"regex":"[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:","options":{"case_sensitive":true,"min_length":3}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-930-100","name":"Obfuscated Path Traversal Attack (/../)","tags":{"type":"lfi","crs_id":"930100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.headers.no_cookies"}],"regex":"(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|/))","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-930-110","name":"Simple Path Traversal Attack (/../)","tags":{"type":"lfi","crs_id":"930110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.headers.no_cookies"}],"regex":"(?:(?:^|[\\\\/])\\.\\.[\\\\/]|[\\\\/]\\.\\.(?:[\\\\/]|$))","options":{"case_sensitive":true,"min_length":3}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-930-120","name":"OS File Access Attempt","tags":{"type":"lfi","crs_id":"930120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":[".htaccess",".htdigest",".htpasswd",".addressbook",".aptitude/config",".bash_config",".bash_history",".bash_logout",".bash_profile",".bashrc",".cache/notify-osd.log",".config/odesk/odesk team.conf",".cshrc",".dockerignore",".drush/",".eslintignore",".fbcindex",".forward",".git",".gitattributes",".gitconfig",".gnupg/",".hplip/hplip.conf",".ksh_history",".lesshst",".lftp/",".lhistory",".lldb-history",".local/share/mc/",".lynx_cookies",".my.cnf",".mysql_history",".nano_history",".node_repl_history",".pearrc",".php_history",".pinerc",".pki/",".proclog",".procmailrc",".psql_history",".python_history",".rediscli_history",".rhistory",".rhosts",".sh_history",".sqlite_history",".ssh/authorized_keys",".ssh/config",".ssh/id_dsa",".ssh/id_dsa.pub",".ssh/id_rsa",".ssh/id_rsa.pub",".ssh/identity",".ssh/identity.pub",".ssh/known_hosts",".subversion/auth",".subversion/config",".subversion/servers",".tconn/tconn.conf",".tcshrc",".vidalia/vidalia.conf",".viminfo",".vimrc",".www_acl",".wwwacl",".xauthority",".zhistory",".zshrc",".zsh_history",".nsconfig","etc/redis.conf","etc/redis-sentinel.conf","etc/php.ini","bin/php.ini","etc/httpd/php.ini","usr/lib/php.ini","usr/lib/php/php.ini","usr/local/etc/php.ini","usr/local/lib/php.ini","usr/local/php/lib/php.ini","usr/local/php4/lib/php.ini","usr/local/php5/lib/php.ini","usr/local/apache/conf/php.ini","etc/php4.4/fcgi/php.ini","etc/php4/apache/php.ini","etc/php4/apache2/php.ini","etc/php5/apache/php.ini","etc/php5/apache2/php.ini","etc/php/php.ini","etc/php/php4/php.ini","etc/php/apache/php.ini","etc/php/apache2/php.ini","web/conf/php.ini","usr/local/zend/etc/php.ini","opt/xampp/etc/php.ini","var/local/www/conf/php.ini","etc/php/cgi/php.ini","etc/php4/cgi/php.ini","etc/php5/cgi/php.ini","home2/bin/stable/apache/php.ini","home/bin/stable/apache/php.ini","etc/httpd/conf.d/php.conf","php5/php.ini","php4/php.ini","php/php.ini","windows/php.ini","winnt/php.ini","apache/php/php.ini","xampp/apache/bin/php.ini","netserver/bin/stable/apache/php.ini","volumes/macintosh_hd1/usr/local/php/lib/php.ini","etc/mono/1.0/machine.config","etc/mono/2.0/machine.config","etc/mono/2.0/web.config","etc/mono/config","usr/local/cpanel/logs/stats_log","usr/local/cpanel/logs/access_log","usr/local/cpanel/logs/error_log","usr/local/cpanel/logs/license_log","usr/local/cpanel/logs/login_log","var/cpanel/cpanel.config","var/log/sw-cp-server/error_log","usr/local/psa/admin/logs/httpsd_access_log","usr/local/psa/admin/logs/panel.log","var/log/sso/sso.log","usr/local/psa/admin/conf/php.ini","etc/sw-cp-server/applications.d/plesk.conf","usr/local/psa/admin/conf/site_isolation_settings.ini","usr/local/sb/config","etc/sw-cp-server/applications.d/00-sso-cpserver.conf","etc/sso/sso_config.ini","etc/mysql/conf.d/old_passwords.cnf","var/log/mysql/mysql-bin.log","var/log/mysql/mysql-bin.index","var/log/mysql/data/mysql-bin.index","var/log/mysql.log","var/log/mysql.err","var/log/mysqlderror.log","var/log/mysql/mysql.log","var/log/mysql/mysql-slow.log","var/log/mysql-bin.index","var/log/data/mysql-bin.index","var/mysql.log","var/mysql-bin.index","var/data/mysql-bin.index","program files/mysql/mysql server 5.0/data/{host}.err","program files/mysql/mysql server 5.0/data/mysql.log","program files/mysql/mysql server 5.0/data/mysql.err","program files/mysql/mysql server 5.0/data/mysql-bin.log","program files/mysql/mysql server 5.0/data/mysql-bin.index","program files/mysql/data/{host}.err","program files/mysql/data/mysql.log","program files/mysql/data/mysql.err","program files/mysql/data/mysql-bin.log","program files/mysql/data/mysql-bin.index","mysql/data/{host}.err","mysql/data/mysql.log","mysql/data/mysql.err","mysql/data/mysql-bin.log","mysql/data/mysql-bin.index","usr/local/mysql/data/mysql.log","usr/local/mysql/data/mysql.err","usr/local/mysql/data/mysql-bin.log","usr/local/mysql/data/mysql-slow.log","usr/local/mysql/data/mysqlderror.log","usr/local/mysql/data/{host}.err","usr/local/mysql/data/mysql-bin.index","var/lib/mysql/my.cnf","etc/mysql/my.cnf","etc/my.cnf","program files/mysql/mysql server 5.0/my.ini","program files/mysql/mysql server 5.0/my.cnf","program files/mysql/my.ini","program files/mysql/my.cnf","mysql/my.ini","mysql/my.cnf","mysql/bin/my.ini","var/postgresql/log/postgresql.log","var/log/postgresql/postgresql.log","var/log/postgres/pg_backup.log","var/log/postgres/postgres.log","var/log/postgresql.log","var/log/pgsql/pgsql.log","var/log/postgresql/postgresql-8.1-main.log","var/log/postgresql/postgresql-8.3-main.log","var/log/postgresql/postgresql-8.4-main.log","var/log/postgresql/postgresql-9.0-main.log","var/log/postgresql/postgresql-9.1-main.log","var/log/pgsql8.log","var/log/postgresql/postgres.log","var/log/pgsql_log","var/log/postgresql/main.log","var/log/cron/var/log/postgres.log","usr/internet/pgsql/data/postmaster.log","usr/local/pgsql/data/postgresql.log","usr/local/pgsql/data/pg_log","postgresql/log/pgadmin.log","var/lib/pgsql/data/postgresql.conf","var/postgresql/db/postgresql.conf","var/nm2/postgresql.conf","usr/local/pgsql/data/postgresql.conf","usr/local/pgsql/data/pg_hba.conf","usr/internet/pgsql/data/pg_hba.conf","usr/local/pgsql/data/passwd","usr/local/pgsql/bin/pg_passwd","etc/postgresql/postgresql.conf","etc/postgresql/pg_hba.conf","home/postgres/data/postgresql.conf","home/postgres/data/pg_version","home/postgres/data/pg_ident.conf","home/postgres/data/pg_hba.conf","program files/postgresql/8.3/data/pg_hba.conf","program files/postgresql/8.3/data/pg_ident.conf","program files/postgresql/8.3/data/postgresql.conf","program files/postgresql/8.4/data/pg_hba.conf","program files/postgresql/8.4/data/pg_ident.conf","program files/postgresql/8.4/data/postgresql.conf","program files/postgresql/9.0/data/pg_hba.conf","program files/postgresql/9.0/data/pg_ident.conf","program files/postgresql/9.0/data/postgresql.conf","program files/postgresql/9.1/data/pg_hba.conf","program files/postgresql/9.1/data/pg_ident.conf","program files/postgresql/9.1/data/postgresql.conf","wamp/logs/access.log","wamp/logs/apache_error.log","wamp/logs/genquery.log","wamp/logs/mysql.log","wamp/logs/slowquery.log","wamp/bin/apache/apache2.2.22/logs/access.log","wamp/bin/apache/apache2.2.22/logs/error.log","wamp/bin/apache/apache2.2.21/logs/access.log","wamp/bin/apache/apache2.2.21/logs/error.log","wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index","wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index","wamp/bin/apache/apache2.2.21/conf/httpd.conf","wamp/bin/apache/apache2.2.22/conf/httpd.conf","wamp/bin/apache/apache2.2.21/wampserver.conf","wamp/bin/apache/apache2.2.22/wampserver.conf","wamp/bin/apache/apache2.2.22/conf/wampserver.conf","wamp/bin/mysql/mysql5.5.24/my.ini","wamp/bin/mysql/mysql5.5.24/wampserver.conf","wamp/bin/mysql/mysql5.5.16/my.ini","wamp/bin/mysql/mysql5.5.16/wampserver.conf","wamp/bin/php/php5.3.8/php.ini","wamp/bin/php/php5.4.3/php.ini","xampp/apache/logs/access.log","xampp/apache/logs/error.log","xampp/mysql/data/mysql-bin.index","xampp/mysql/data/mysql.err","xampp/mysql/data/{host}.err","xampp/sendmail/sendmail.log","xampp/apache/conf/httpd.conf","xampp/filezillaftp/filezilla server.xml","xampp/mercurymail/mercury.ini","xampp/php/php.ini","xampp/phpmyadmin/config.inc.php","xampp/sendmail/sendmail.ini","xampp/webalizer/webalizer.conf","opt/lampp/etc/httpd.conf","xampp/htdocs/aca.txt","xampp/htdocs/admin.php","xampp/htdocs/leer.txt","usr/local/apache/logs/audit_log","usr/local/apache2/logs/audit_log","logs/security_debug_log","logs/security_log","usr/local/apache/conf/modsec.conf","usr/local/apache2/conf/modsec.conf","winnt/system32/logfiles/msftpsvc","winnt/system32/logfiles/msftpsvc1","winnt/system32/logfiles/msftpsvc2","windows/system32/logfiles/msftpsvc","windows/system32/logfiles/msftpsvc1","windows/system32/logfiles/msftpsvc2","etc/logrotate.d/proftpd","www/logs/proftpd.system.log","var/log/proftpd","var/log/proftpd/xferlog.legacy","var/log/proftpd.access_log","var/log/proftpd.xferlog","etc/pam.d/proftpd","etc/proftp.conf","etc/protpd/proftpd.conf","etc/vhcs2/proftpd/proftpd.conf","etc/proftpd/modules.conf","var/log/vsftpd.log","etc/vsftpd.chroot_list","etc/logrotate.d/vsftpd.log","etc/vsftpd/vsftpd.conf","etc/vsftpd.conf","etc/chrootusers","var/log/xferlog","var/adm/log/xferlog","etc/wu-ftpd/ftpaccess","etc/wu-ftpd/ftphosts","etc/wu-ftpd/ftpusers","var/log/pure-ftpd/pure-ftpd.log","logs/pure-ftpd.log","var/log/pureftpd.log","usr/sbin/pure-config.pl","usr/etc/pure-ftpd.conf","etc/pure-ftpd/pure-ftpd.conf","usr/local/etc/pure-ftpd.conf","usr/local/etc/pureftpd.pdb","usr/local/pureftpd/etc/pureftpd.pdb","usr/local/pureftpd/sbin/pure-config.pl","usr/local/pureftpd/etc/pure-ftpd.conf","etc/pure-ftpd.conf","etc/pure-ftpd/pure-ftpd.pdb","etc/pureftpd.pdb","etc/pureftpd.passwd","etc/pure-ftpd/pureftpd.pdb","usr/ports/ftp/pure-ftpd/pure-ftpd.conf","usr/ports/ftp/pure-ftpd/pureftpd.pdb","usr/ports/ftp/pure-ftpd/pureftpd.passwd","usr/ports/net/pure-ftpd/pure-ftpd.conf","usr/ports/net/pure-ftpd/pureftpd.pdb","usr/ports/net/pure-ftpd/pureftpd.passwd","usr/pkgsrc/net/pureftpd/pure-ftpd.conf","usr/pkgsrc/net/pureftpd/pureftpd.pdb","usr/pkgsrc/net/pureftpd/pureftpd.passwd","usr/ports/contrib/pure-ftpd/pure-ftpd.conf","usr/ports/contrib/pure-ftpd/pureftpd.pdb","usr/ports/contrib/pure-ftpd/pureftpd.passwd","var/log/muddleftpd","usr/sbin/mudlogd","etc/muddleftpd/mudlog","etc/muddleftpd.com","etc/muddleftpd/mudlogd.conf","etc/muddleftpd/muddleftpd.conf","var/log/muddleftpd.conf","usr/sbin/mudpasswd","etc/muddleftpd/muddleftpd.passwd","etc/muddleftpd/passwd","var/log/ftp-proxy/ftp-proxy.log","var/log/ftp-proxy","var/log/ftplog","etc/logrotate.d/ftp","etc/ftpchroot","etc/ftphosts","etc/ftpusers","var/log/exim_mainlog","var/log/exim/mainlog","var/log/maillog","var/log/exim_paniclog","var/log/exim/paniclog","var/log/exim/rejectlog","var/log/exim_rejectlog","winnt/system32/logfiles/smtpsvc","winnt/system32/logfiles/smtpsvc1","winnt/system32/logfiles/smtpsvc2","winnt/system32/logfiles/smtpsvc3","winnt/system32/logfiles/smtpsvc4","winnt/system32/logfiles/smtpsvc5","windows/system32/logfiles/smtpsvc","windows/system32/logfiles/smtpsvc1","windows/system32/logfiles/smtpsvc2","windows/system32/logfiles/smtpsvc3","windows/system32/logfiles/smtpsvc4","windows/system32/logfiles/smtpsvc5","etc/osxhttpd/osxhttpd.conf","system/library/webobjects/adaptors/apache2.2/apache.conf","etc/apache2/sites-available/default","etc/apache2/sites-available/default-ssl","etc/apache2/sites-enabled/000-default","etc/apache2/sites-enabled/default","etc/apache2/apache2.conf","etc/apache2/ports.conf","usr/local/etc/apache/httpd.conf","usr/pkg/etc/httpd/httpd.conf","usr/pkg/etc/httpd/httpd-default.conf","usr/pkg/etc/httpd/httpd-vhosts.conf","etc/httpd/mod_php.conf","etc/httpd/extra/httpd-ssl.conf","etc/rc.d/rc.httpd","usr/local/apache/conf/httpd.conf.default","usr/local/apache/conf/access.conf","usr/local/apache22/conf/httpd.conf","usr/local/apache22/httpd.conf","usr/local/etc/apache22/conf/httpd.conf","usr/local/apps/apache22/conf/httpd.conf","etc/apache22/conf/httpd.conf","etc/apache22/httpd.conf","opt/apache22/conf/httpd.conf","usr/local/etc/apache2/vhosts.conf","usr/local/apache/conf/vhosts.conf","usr/local/apache2/conf/vhosts.conf","usr/local/apache/conf/vhosts-custom.conf","usr/local/apache2/conf/vhosts-custom.conf","etc/apache/default-server.conf","etc/apache2/default-server.conf","usr/local/apache2/conf/extra/httpd-ssl.conf","usr/local/apache2/conf/ssl.conf","etc/httpd/conf.d","usr/local/etc/apache22/httpd.conf","usr/local/etc/apache2/httpd.conf","etc/apache2/httpd2.conf","etc/apache2/ssl-global.conf","etc/apache2/vhosts.d/00_default_vhost.conf","apache/conf/httpd.conf","etc/apache/httpd.conf","etc/httpd/conf","http/httpd.conf","usr/local/apache1.3/conf/httpd.conf","usr/local/etc/httpd/conf","var/apache/conf/httpd.conf","var/www/conf","www/apache/conf/httpd.conf","www/conf/httpd.conf","etc/init.d","etc/apache/access.conf","etc/rc.conf","www/logs/freebsddiary-error.log","www/logs/freebsddiary-access_log","library/webserver/documents/index.html","library/webserver/documents/index.htm","library/webserver/documents/default.html","library/webserver/documents/default.htm","library/webserver/documents/index.php","library/webserver/documents/default.php","var/log/webmin/miniserv.log","usr/local/etc/webmin/miniserv.conf","etc/webmin/miniserv.conf","usr/local/etc/webmin/miniserv.users","etc/webmin/miniserv.users","winnt/system32/logfiles/w3svc/inetsvn1.log","winnt/system32/logfiles/w3svc1/inetsvn1.log","winnt/system32/logfiles/w3svc2/inetsvn1.log","winnt/system32/logfiles/w3svc3/inetsvn1.log","windows/system32/logfiles/w3svc/inetsvn1.log","windows/system32/logfiles/w3svc1/inetsvn1.log","windows/system32/logfiles/w3svc2/inetsvn1.log","windows/system32/logfiles/w3svc3/inetsvn1.log","var/log/httpd/access_log","var/log/httpd/error_log","apache/logs/error.log","apache/logs/access.log","apache2/logs/error.log","apache2/logs/access.log","logs/error.log","logs/access.log","etc/httpd/logs/access_log","etc/httpd/logs/access.log","etc/httpd/logs/error_log","etc/httpd/logs/error.log","usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","usr/local/apache/logs/error_log","usr/local/apache/logs/error.log","usr/local/apache2/logs/access_log","usr/local/apache2/logs/access.log","usr/local/apache2/logs/error_log","usr/local/apache2/logs/error.log","var/www/logs/access_log","var/www/logs/access.log","var/www/logs/error_log","var/www/logs/error.log","var/log/httpd/access.log","var/log/httpd/error.log","var/log/apache/access_log","var/log/apache/access.log","var/log/apache/error_log","var/log/apache/error.log","var/log/apache2/access_log","var/log/apache2/access.log","var/log/apache2/error_log","var/log/apache2/error.log","var/log/access_log","var/log/access.log","var/log/error_log","var/log/error.log","opt/lampp/logs/access_log","opt/lampp/logs/error_log","opt/xampp/logs/access_log","opt/xampp/logs/error_log","opt/lampp/logs/access.log","opt/lampp/logs/error.log","opt/xampp/logs/access.log","opt/xampp/logs/error.log","program files/apache group/apache/logs/access.log","program files/apache group/apache/logs/error.log","program files/apache software foundation/apache2.2/logs/error.log","program files/apache software foundation/apache2.2/logs/access.log","opt/apache/apache.conf","opt/apache/conf/apache.conf","opt/apache2/apache.conf","opt/apache2/conf/apache.conf","opt/httpd/apache.conf","opt/httpd/conf/apache.conf","etc/httpd/apache.conf","etc/apache2/apache.conf","etc/httpd/conf/apache.conf","usr/local/apache/apache.conf","usr/local/apache/conf/apache.conf","usr/local/apache2/apache.conf","usr/local/apache2/conf/apache.conf","usr/local/php/apache.conf.php","usr/local/php4/apache.conf.php","usr/local/php5/apache.conf.php","usr/local/php/apache.conf","usr/local/php4/apache.conf","usr/local/php5/apache.conf","private/etc/httpd/apache.conf","opt/apache/apache2.conf","opt/apache/conf/apache2.conf","opt/apache2/apache2.conf","opt/apache2/conf/apache2.conf","opt/httpd/apache2.conf","opt/httpd/conf/apache2.conf","etc/httpd/apache2.conf","etc/httpd/conf/apache2.conf","usr/local/apache/apache2.conf","usr/local/apache/conf/apache2.conf","usr/local/apache2/apache2.conf","usr/local/apache2/conf/apache2.conf","usr/local/php/apache2.conf.php","usr/local/php4/apache2.conf.php","usr/local/php5/apache2.conf.php","usr/local/php/apache2.conf","usr/local/php4/apache2.conf","usr/local/php5/apache2.conf","private/etc/httpd/apache2.conf","usr/local/apache/conf/httpd.conf","usr/local/apache2/conf/httpd.conf","etc/httpd/conf/httpd.conf","etc/apache/apache.conf","etc/apache/conf/httpd.conf","etc/apache2/httpd.conf","usr/apache2/conf/httpd.conf","usr/apache/conf/httpd.conf","usr/local/etc/apache/conf/httpd.conf","usr/local/apache/httpd.conf","usr/local/apache2/httpd.conf","usr/local/httpd/conf/httpd.conf","usr/local/etc/apache2/conf/httpd.conf","usr/local/etc/httpd/conf/httpd.conf","usr/local/apps/apache2/conf/httpd.conf","usr/local/apps/apache/conf/httpd.conf","usr/local/php/httpd.conf.php","usr/local/php4/httpd.conf.php","usr/local/php5/httpd.conf.php","usr/local/php/httpd.conf","usr/local/php4/httpd.conf","usr/local/php5/httpd.conf","etc/apache2/conf/httpd.conf","etc/http/conf/httpd.conf","etc/httpd/httpd.conf","etc/http/httpd.conf","etc/httpd.conf","opt/apache/conf/httpd.conf","opt/apache2/conf/httpd.conf","var/www/conf/httpd.conf","private/etc/httpd/httpd.conf","private/etc/httpd/httpd.conf.default","etc/apache2/vhosts.d/default_vhost.include","etc/apache2/conf.d/charset","etc/apache2/conf.d/security","etc/apache2/envvars","etc/apache2/mods-available/autoindex.conf","etc/apache2/mods-available/deflate.conf","etc/apache2/mods-available/dir.conf","etc/apache2/mods-available/mem_cache.conf","etc/apache2/mods-available/mime.conf","etc/apache2/mods-available/proxy.conf","etc/apache2/mods-available/setenvif.conf","etc/apache2/mods-available/ssl.conf","etc/apache2/mods-enabled/alias.conf","etc/apache2/mods-enabled/deflate.conf","etc/apache2/mods-enabled/dir.conf","etc/apache2/mods-enabled/mime.conf","etc/apache2/mods-enabled/negotiation.conf","etc/apache2/mods-enabled/php5.conf","etc/apache2/mods-enabled/status.conf","program files/apache group/apache/conf/httpd.conf","program files/apache group/apache2/conf/httpd.conf","program files/xampp/apache/conf/apache.conf","program files/xampp/apache/conf/apache2.conf","program files/xampp/apache/conf/httpd.conf","program files/apache group/apache/apache.conf","program files/apache group/apache/conf/apache.conf","program files/apache group/apache2/conf/apache.conf","program files/apache group/apache/apache2.conf","program files/apache group/apache/conf/apache2.conf","program files/apache group/apache2/conf/apache2.conf","program files/apache software foundation/apache2.2/conf/httpd.conf","volumes/macintosh_hd1/opt/httpd/conf/httpd.conf","volumes/macintosh_hd1/opt/apache/conf/httpd.conf","volumes/macintosh_hd1/opt/apache2/conf/httpd.conf","volumes/macintosh_hd1/usr/local/php/httpd.conf.php","volumes/macintosh_hd1/usr/local/php4/httpd.conf.php","volumes/macintosh_hd1/usr/local/php5/httpd.conf.php","volumes/webbackup/opt/apache2/conf/httpd.conf","volumes/webbackup/private/etc/httpd/httpd.conf","volumes/webbackup/private/etc/httpd/httpd.conf.default","usr/local/etc/apache/vhosts.conf","usr/local/jakarta/tomcat/conf/jakarta.conf","usr/local/jakarta/tomcat/conf/server.xml","usr/local/jakarta/tomcat/conf/context.xml","usr/local/jakarta/tomcat/conf/workers.properties","usr/local/jakarta/tomcat/conf/logging.properties","usr/local/jakarta/dist/tomcat/conf/jakarta.conf","usr/local/jakarta/dist/tomcat/conf/server.xml","usr/local/jakarta/dist/tomcat/conf/context.xml","usr/local/jakarta/dist/tomcat/conf/workers.properties","usr/local/jakarta/dist/tomcat/conf/logging.properties","usr/share/tomcat6/conf/server.xml","usr/share/tomcat6/conf/context.xml","usr/share/tomcat6/conf/workers.properties","usr/share/tomcat6/conf/logging.properties","var/log/tomcat6/catalina.out","var/cpanel/tomcat.options","usr/local/jakarta/tomcat/logs/catalina.out","usr/local/jakarta/tomcat/logs/catalina.err","opt/tomcat/logs/catalina.out","opt/tomcat/logs/catalina.err","usr/share/logs/catalina.out","usr/share/logs/catalina.err","usr/share/tomcat/logs/catalina.out","usr/share/tomcat/logs/catalina.err","usr/share/tomcat6/logs/catalina.out","usr/share/tomcat6/logs/catalina.err","usr/local/apache/logs/mod_jk.log","usr/local/jakarta/tomcat/logs/mod_jk.log","usr/local/jakarta/dist/tomcat/logs/mod_jk.log","opt/[jboss]/server/default/conf/jboss-minimal.xml","opt/[jboss]/server/default/conf/jboss-service.xml","opt/[jboss]/server/default/conf/jndi.properties","opt/[jboss]/server/default/conf/log4j.xml","opt/[jboss]/server/default/conf/login-config.xml","opt/[jboss]/server/default/conf/standardjaws.xml","opt/[jboss]/server/default/conf/standardjboss.xml","opt/[jboss]/server/default/conf/server.log.properties","opt/[jboss]/server/default/deploy/jboss-logging.xml","usr/local/[jboss]/server/default/conf/jboss-minimal.xml","usr/local/[jboss]/server/default/conf/jboss-service.xml","usr/local/[jboss]/server/default/conf/jndi.properties","usr/local/[jboss]/server/default/conf/log4j.xml","usr/local/[jboss]/server/default/conf/login-config.xml","usr/local/[jboss]/server/default/conf/standardjaws.xml","usr/local/[jboss]/server/default/conf/standardjboss.xml","usr/local/[jboss]/server/default/conf/server.log.properties","usr/local/[jboss]/server/default/deploy/jboss-logging.xml","private/tmp/[jboss]/server/default/conf/jboss-minimal.xml","private/tmp/[jboss]/server/default/conf/jboss-service.xml","private/tmp/[jboss]/server/default/conf/jndi.properties","private/tmp/[jboss]/server/default/conf/log4j.xml","private/tmp/[jboss]/server/default/conf/login-config.xml","private/tmp/[jboss]/server/default/conf/standardjaws.xml","private/tmp/[jboss]/server/default/conf/standardjboss.xml","private/tmp/[jboss]/server/default/conf/server.log.properties","private/tmp/[jboss]/server/default/deploy/jboss-logging.xml","tmp/[jboss]/server/default/conf/jboss-minimal.xml","tmp/[jboss]/server/default/conf/jboss-service.xml","tmp/[jboss]/server/default/conf/jndi.properties","tmp/[jboss]/server/default/conf/log4j.xml","tmp/[jboss]/server/default/conf/login-config.xml","tmp/[jboss]/server/default/conf/standardjaws.xml","tmp/[jboss]/server/default/conf/standardjboss.xml","tmp/[jboss]/server/default/conf/server.log.properties","tmp/[jboss]/server/default/deploy/jboss-logging.xml","program files/[jboss]/server/default/conf/jboss-minimal.xml","program files/[jboss]/server/default/conf/jboss-service.xml","program files/[jboss]/server/default/conf/jndi.properties","program files/[jboss]/server/default/conf/log4j.xml","program files/[jboss]/server/default/conf/login-config.xml","program files/[jboss]/server/default/conf/standardjaws.xml","program files/[jboss]/server/default/conf/standardjboss.xml","program files/[jboss]/server/default/conf/server.log.properties","program files/[jboss]/server/default/deploy/jboss-logging.xml","[jboss]/server/default/conf/jboss-minimal.xml","[jboss]/server/default/conf/jboss-service.xml","[jboss]/server/default/conf/jndi.properties","[jboss]/server/default/conf/log4j.xml","[jboss]/server/default/conf/login-config.xml","[jboss]/server/default/conf/standardjaws.xml","[jboss]/server/default/conf/standardjboss.xml","[jboss]/server/default/conf/server.log.properties","[jboss]/server/default/deploy/jboss-logging.xml","opt/[jboss]/server/default/log/server.log","opt/[jboss]/server/default/log/boot.log","usr/local/[jboss]/server/default/log/server.log","usr/local/[jboss]/server/default/log/boot.log","private/tmp/[jboss]/server/default/log/server.log","private/tmp/[jboss]/server/default/log/boot.log","tmp/[jboss]/server/default/log/server.log","tmp/[jboss]/server/default/log/boot.log","program files/[jboss]/server/default/log/server.log","program files/[jboss]/server/default/log/boot.log","[jboss]/server/default/log/server.log","[jboss]/server/default/log/boot.log","var/log/lighttpd.error.log","var/log/lighttpd.access.log","var/lighttpd.log","var/logs/access.log","var/log/lighttpd/","var/log/lighttpd/error.log","var/log/lighttpd/access.www.log","var/log/lighttpd/error.www.log","var/log/lighttpd/access.log","usr/local/apache2/logs/lighttpd.error.log","usr/local/apache2/logs/lighttpd.log","usr/local/apache/logs/lighttpd.error.log","usr/local/apache/logs/lighttpd.log","usr/local/lighttpd/log/lighttpd.error.log","usr/local/lighttpd/log/access.log","var/log/lighttpd/{domain}/access.log","var/log/lighttpd/{domain}/error.log","usr/home/user/var/log/lighttpd.error.log","usr/home/user/var/log/apache.log","home/user/lighttpd/lighttpd.conf","usr/home/user/lighttpd/lighttpd.conf","etc/lighttpd/lighthttpd.conf","usr/local/etc/lighttpd.conf","usr/local/lighttpd/conf/lighttpd.conf","usr/local/etc/lighttpd.conf.new","var/www/.lighttpdpassword","var/log/nginx/access_log","var/log/nginx/error_log","var/log/nginx/access.log","var/log/nginx/error.log","var/log/nginx.access_log","var/log/nginx.error_log","logs/access_log","logs/error_log","etc/nginx/nginx.conf","usr/local/etc/nginx/nginx.conf","usr/local/nginx/conf/nginx.conf","usr/local/zeus/web/global.cfg","usr/local/zeus/web/log/errors","opt/lsws/conf/httpd_conf.xml","usr/local/lsws/conf/httpd_conf.xml","opt/lsws/logs/error.log","opt/lsws/logs/access.log","usr/local/lsws/logs/error.log","usr/local/logs/access.log","usr/local/samba/lib/log.user","usr/local/logs/samba.log","var/log/samba/log.smbd","var/log/samba/log.nmbd","var/log/samba.log","var/log/samba.log1","var/log/samba.log2","var/log/log.smb","etc/samba/netlogon","etc/smbpasswd","etc/smb.conf","etc/samba/dhcp.conf","etc/samba/smb.conf","etc/samba/samba.conf","etc/samba/smb.conf.user","etc/samba/smbpasswd","etc/samba/smbusers","etc/samba/private/smbpasswd","usr/local/etc/smb.conf","usr/local/samba/lib/smb.conf.user","etc/dhcp3/dhclient.conf","etc/dhcp3/dhcpd.conf","etc/dhcp/dhclient.conf","program files/vidalia bundle/polipo/polipo.conf","etc/tor/tor-tsocks.conf","etc/stunnel/stunnel.conf","etc/tsocks.conf","etc/tinyproxy/tinyproxy.conf","etc/miredo-server.conf","etc/miredo.conf","etc/miredo/miredo-server.conf","etc/miredo/miredo.conf","etc/wicd/dhclient.conf.template.default","etc/wicd/manager-settings.conf","etc/wicd/wired-settings.conf","etc/wicd/wireless-settings.conf","var/log/ipfw.log","var/log/ipfw","var/log/ipfw/ipfw.log","var/log/ipfw.today","etc/ipfw.rules","etc/ipfw.conf","etc/firewall.rules","winnt/system32/logfiles/firewall/pfirewall.log","winnt/system32/logfiles/firewall/pfirewall.log.old","windows/system32/logfiles/firewall/pfirewall.log","windows/system32/logfiles/firewall/pfirewall.log.old","etc/clamav/clamd.conf","etc/clamav/freshclam.conf","etc/x11/xorg.conf","etc/x11/xorg.conf-vesa","etc/x11/xorg.conf-vmware","etc/x11/xorg.conf.beforevmwaretoolsinstall","etc/x11/xorg.conf.orig","etc/bluetooth/input.conf","etc/bluetooth/main.conf","etc/bluetooth/network.conf","etc/bluetooth/rfcomm.conf","proc/self/environ","proc/self/mounts","proc/self/stat","proc/self/status","proc/self/cmdline","proc/self/fd/0","proc/self/fd/1","proc/self/fd/2","proc/self/fd/3","proc/self/fd/4","proc/self/fd/5","proc/self/fd/6","proc/self/fd/7","proc/self/fd/8","proc/self/fd/9","proc/self/fd/10","proc/self/fd/11","proc/self/fd/12","proc/self/fd/13","proc/self/fd/14","proc/self/fd/15","proc/version","proc/devices","proc/cpuinfo","proc/meminfo","proc/net/tcp","proc/net/udp","etc/bash_completion.d/debconf","root/.bash_logout","root/.bash_history","root/.bash_config","root/.bashrc","etc/bash.bashrc","var/adm/syslog","var/adm/sulog","var/adm/utmp","var/adm/utmpx","var/adm/wtmp","var/adm/wtmpx","var/adm/lastlog/username","usr/spool/lp/log","var/adm/lp/lpd-errs","usr/lib/cron/log","var/adm/loginlog","var/adm/pacct","var/adm/dtmp","var/adm/acct/sum/loginlog","var/adm/x0msgs","var/adm/crash/vmcore","var/adm/crash/unix","etc/newsyslog.conf","var/adm/qacct","var/adm/ras/errlog","var/adm/ras/bootlog","var/adm/cron/log","etc/utmp","etc/security/lastlog","etc/security/failedlogin","usr/spool/mqueue/syslog","var/adm/messages","var/adm/aculogs","var/adm/aculog","var/adm/vold.log","var/adm/log/asppp.log","var/log/poplog","var/log/authlog","var/lp/logs/lpsched","var/lp/logs/lpnet","var/lp/logs/requests","var/cron/log","var/saf/_log","var/saf/port/log","var/log/news.all","var/log/news/news.all","var/log/news/news.crit","var/log/news/news.err","var/log/news/news.notice","var/log/news/suck.err","var/log/news/suck.notice","var/log/messages","var/log/messages.1","var/log/user.log","var/log/user.log.1","var/log/auth.log","var/log/pm-powersave.log","var/log/xorg.0.log","var/log/daemon.log","var/log/daemon.log.1","var/log/kern.log","var/log/kern.log.1","var/log/mail.err","var/log/mail.info","var/log/mail.warn","var/log/ufw.log","var/log/boot.log","var/log/syslog","var/log/syslog.1","tmp/access.log","etc/sensors.conf","etc/sensors3.conf","etc/host.conf","etc/pam.conf","etc/resolv.conf","etc/apt/apt.conf","etc/inetd.conf","etc/syslog.conf","etc/sysctl.conf","etc/sysctl.d/10-console-messages.conf","etc/sysctl.d/10-network-security.conf","etc/sysctl.d/10-process-security.conf","etc/sysctl.d/wine.sysctl.conf","etc/security/access.conf","etc/security/group.conf","etc/security/limits.conf","etc/security/namespace.conf","etc/security/pam_env.conf","etc/security/sepermit.conf","etc/security/time.conf","etc/ssh/sshd_config","etc/adduser.conf","etc/deluser.conf","etc/avahi/avahi-daemon.conf","etc/ca-certificates.conf","etc/ca-certificates.conf.dpkg-old","etc/casper.conf","etc/chkrootkit.conf","etc/debconf.conf","etc/dns2tcpd.conf","etc/e2fsck.conf","etc/esound/esd.conf","etc/etter.conf","etc/fuse.conf","etc/foremost.conf","etc/hdparm.conf","etc/kernel-img.conf","etc/kernel-pkg.conf","etc/ld.so.conf","etc/ltrace.conf","etc/mail/sendmail.conf","etc/manpath.config","etc/kbd/config","etc/ldap/ldap.conf","etc/logrotate.conf","etc/mtools.conf","etc/smi.conf","etc/updatedb.conf","etc/pulse/client.conf","usr/share/adduser/adduser.conf","etc/hostname","etc/networks","etc/timezone","etc/modules","etc/passwd","etc/passwd~","etc/passwd-","etc/shadow","etc/shadow~","etc/shadow-","etc/fstab","etc/motd","etc/hosts","etc/group","etc/group-","etc/alias","etc/crontab","etc/crypttab","etc/exports","etc/mtab","etc/hosts.allow","etc/hosts.deny","etc/os-release","etc/password.master","etc/profile","etc/default/grub","etc/resolvconf/update-libc.d/sendmail","etc/inittab","etc/issue","etc/issue.net","etc/login.defs","etc/sudoers","etc/sysconfig/network-scripts/ifcfg-eth0","etc/redhat-release","etc/debian_version","etc/fedora-release","etc/mandrake-release","etc/slackware-release","etc/suse-release","etc/security/group","etc/security/passwd","etc/security/user","etc/security/environ","etc/security/limits","etc/security/opasswd","boot/grub/grub.cfg","boot/grub/menu.lst","root/.ksh_history","root/.xauthority","usr/lib/security/mkuser.default","var/log/squirrelmail.log","var/log/apache2/squirrelmail.log","var/log/apache2/squirrelmail.err.log","var/lib/squirrelmail/prefs/squirrelmail.log","var/log/mail.log","etc/squirrelmail/apache.conf","etc/squirrelmail/config_local.php","etc/squirrelmail/default_pref","etc/squirrelmail/index.php","etc/squirrelmail/config_default.php","etc/squirrelmail/config.php","etc/squirrelmail/filters_setup.php","etc/squirrelmail/sqspell_config.php","etc/squirrelmail/config/config.php","etc/httpd/conf.d/squirrelmail.conf","usr/share/squirrelmail/config/config.php","private/etc/squirrelmail/config/config.php","srv/www/htdos/squirrelmail/config/config.php","var/www/squirrelmail/config/config.php","var/www/html/squirrelmail/config/config.php","var/www/html/squirrelmail-1.2.9/config/config.php","usr/share/squirrelmail/plugins/squirrel_logger/setup.php","usr/local/squirrelmail/www/readme","windows/system32/drivers/etc/hosts","windows/system32/drivers/etc/lmhosts.sam","windows/system32/drivers/etc/networks","windows/system32/drivers/etc/protocol","windows/system32/drivers/etc/services","/boot.ini","windows/debug/netsetup.log","windows/comsetup.log","windows/repair/setup.log","windows/setupact.log","windows/setupapi.log","windows/setuperr.log","windows/updspapi.log","windows/wmsetup.log","windows/windowsupdate.log","windows/odbc.ini","usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php","etc/apache2/conf.d/phpmyadmin.conf","etc/phpmyadmin/config.inc.php","etc/openldap/ldap.conf","etc/cups/acroread.conf","etc/cups/cupsd.conf","etc/cups/cupsd.conf.default","etc/cups/pdftops.conf","etc/cups/printers.conf","windows/system32/macromed/flash/flashinstall.log","windows/system32/macromed/flash/install.log","etc/cvs-cron.conf","etc/cvs-pserver.conf","etc/subversion/config","etc/modprobe.d/vmware-tools.conf","etc/updatedb.conf.beforevmwaretoolsinstall","etc/vmware-tools/config","etc/vmware-tools/tpvmlp.conf","etc/vmware-tools/vmware-tools-libraries.conf","var/log/vmware/hostd.log","var/log/vmware/hostd-1.log","wp-config.php","wp-config.bak","wp-config.old","wp-config.temp","wp-config.tmp","wp-config.txt","config.yml","config_dev.yml","config_prod.yml","config_test.yml","parameters.yml","routing.yml","security.yml","services.yml","sites/default/default.settings.php","sites/default/settings.php","sites/default/settings.local.php","app/etc/local.xml","sftp-config.json","web.config","includes/config.php","includes/configure.php","config.inc.php","localsettings.php","inc/config.php","typo3conf/localconf.php","config/app.php","config/custom.php","config/database.php","/configuration.php","/config.php","var/mail/www-data","etc/network/","etc/init/","inetpub/wwwroot/global.asa","system32/inetsrv/config/applicationhost.config","system32/inetsrv/config/administration.config","system32/inetsrv/config/redirection.config","system32/config/default","system32/config/sam","system32/config/system","system32/config/software","winnt/repair/sam._","package.json","package-lock.json","gruntfile.js","npm-debug.log","ormconfig.json","tsconfig.json","webpack.config.js","yarn.lock"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-931-110","name":"Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload","tags":{"type":"rfi","crs_id":"931110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"}],"regex":"(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://","options":{"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-931-120","name":"Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)","tags":{"type":"rfi","crs_id":"931120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"^(?i:file|ftps?|https?).*?\\?+$","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-932-160","name":"Remote Command Execution: Unix Shell Code Found","tags":{"type":"command_injection","crs_id":"932160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["${cdpath}","${dirstack}","${home}","${hostname}","${ifs}","${oldpwd}","${ostype}","${path}","${pwd}","$cdpath","$dirstack","$home","$hostname","$ifs","$oldpwd","$ostype","$path","$pwd","bin/bash","bin/cat","bin/csh","bin/dash","bin/du","bin/echo","bin/grep","bin/less","bin/ls","bin/mknod","bin/more","bin/nc","bin/ps","bin/rbash","bin/sh","bin/sleep","bin/su","bin/tcsh","bin/uname","dev/fd/","dev/null","dev/stderr","dev/stdin","dev/stdout","dev/tcp/","dev/udp/","dev/zero","etc/group","etc/master.passwd","etc/passwd","etc/pwd.db","etc/shadow","etc/shells","etc/spwd.db","proc/self/","usr/bin/awk","usr/bin/base64","usr/bin/cat","usr/bin/cc","usr/bin/clang","usr/bin/clang++","usr/bin/curl","usr/bin/diff","usr/bin/env","usr/bin/fetch","usr/bin/file","usr/bin/find","usr/bin/ftp","usr/bin/gawk","usr/bin/gcc","usr/bin/head","usr/bin/hexdump","usr/bin/id","usr/bin/less","usr/bin/ln","usr/bin/mkfifo","usr/bin/more","usr/bin/nc","usr/bin/ncat","usr/bin/nice","usr/bin/nmap","usr/bin/perl","usr/bin/php","usr/bin/php5","usr/bin/php7","usr/bin/php-cgi","usr/bin/printf","usr/bin/psed","usr/bin/python","usr/bin/python2","usr/bin/python3","usr/bin/ruby","usr/bin/sed","usr/bin/socat","usr/bin/tail","usr/bin/tee","usr/bin/telnet","usr/bin/top","usr/bin/uname","usr/bin/wget","usr/bin/who","usr/bin/whoami","usr/bin/xargs","usr/bin/xxd","usr/bin/yes","usr/local/bin/bash","usr/local/bin/curl","usr/local/bin/ncat","usr/local/bin/nmap","usr/local/bin/perl","usr/local/bin/php","usr/local/bin/python","usr/local/bin/python2","usr/local/bin/python3","usr/local/bin/rbash","usr/local/bin/ruby","usr/local/bin/wget"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-932-171","name":"Remote Command Execution: Shellshock (CVE-2014-6271)","tags":{"type":"command_injection","crs_id":"932171","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^\\(\\s*\\)\\s+{","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-932-180","name":"Restricted File Upload Attempt","tags":{"type":"command_injection","crs_id":"932180","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["x-filename"]},{"address":"server.request.headers.no_cookies","key_path":["x_filename"]},{"address":"server.request.headers.no_cookies","key_path":["x-file-name"]}],"list":[".htaccess",".htdigest",".htpasswd","wp-config.php","config.yml","config_dev.yml","config_prod.yml","config_test.yml","parameters.yml","routing.yml","security.yml","services.yml","default.settings.php","settings.php","settings.local.php","local.xml",".env"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-111","name":"PHP Injection Attack: PHP Script File Upload Found","tags":{"type":"unrestricted_file_upload","crs_id":"933111","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["x-filename"]},{"address":"server.request.headers.no_cookies","key_path":["x_filename"]},{"address":"server.request.headers.no_cookies","key_path":["x.filename"]},{"address":"server.request.headers.no_cookies","key_path":["x-file-name"]}],"regex":".*\\.(?:php\\d*|phtml)\\..*$","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-933-130","name":"PHP Injection Attack: Global Variables Found","tags":{"type":"php_code_injection","crs_id":"933130","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["$globals","$http_cookie_vars","$http_env_vars","$http_get_vars","$http_post_files","$http_post_vars","$http_raw_post_data","$http_request_vars","$http_server_vars","$_cookie","$_env","$_files","$_get","$_post","$_request","$_server","$_session","$argc","$argv"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-131","name":"PHP Injection Attack: HTTP Headers Values Found","tags":{"type":"php_code_injection","crs_id":"933131","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)","options":{"case_sensitive":true,"min_length":9}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-140","name":"PHP Injection Attack: I/O Stream Found","tags":{"type":"php_code_injection","crs_id":"933140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)","options":{"min_length":8}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-150","name":"PHP Injection Attack: High-Risk PHP Function Name Found","tags":{"type":"php_code_injection","crs_id":"933150","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["__halt_compiler","apache_child_terminate","base64_decode","bzdecompress","call_user_func","call_user_func_array","call_user_method","call_user_method_array","convert_uudecode","file_get_contents","file_put_contents","fsockopen","get_class_methods","get_class_vars","get_defined_constants","get_defined_functions","get_defined_vars","gzdecode","gzinflate","gzuncompress","include_once","invokeargs","pcntl_exec","pcntl_fork","pfsockopen","posix_getcwd","posix_getpwuid","posix_getuid","posix_uname","reflectionfunction","require_once","shell_exec","str_rot13","sys_get_temp_dir","wp_remote_fopen","wp_remote_get","wp_remote_head","wp_remote_post","wp_remote_request","wp_safe_remote_get","wp_safe_remote_head","wp_safe_remote_post","wp_safe_remote_request","zlib_decode"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"crs-933-160","name":"PHP Injection Attack: High-Risk PHP Function Call Found","tags":{"type":"php_code_injection","crs_id":"933160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)","options":{"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-170","name":"PHP Injection Attack: Serialized Object Injection","tags":{"type":"php_code_injection","crs_id":"933170","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[oOcC]:\\d+:\\\".+?\\\":\\d+:{[\\W\\w]*}","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-933-200","name":"PHP Injection Attack: Wrapper scheme detected","tags":{"type":"php_code_injection","crs_id":"933200","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-934-100","name":"Node.js Injection Attack","tags":{"type":"js_code_injection","crs_id":"934100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:(?:_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:new\\s+Function|\\beval)\\s*\\(|String\\s*\\.\\s*fromCharCode|function\\s*\\(\\s*\\)\\s*{|this\\.constructor)|module\\.exports\\s*=)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-941-100","name":"XSS Attack Detected via libinjection","tags":{"type":"xss","crs_id":"941100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}]},"operator":"is_xss"}],"transformers":["removeNulls"]},{"id":"crs-941-110","name":"XSS Filter - Category 1: Script Tag Vector","tags":{"type":"xss","crs_id":"941110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<script[^>]*>[\\s\\S]*?","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-120","name":"XSS Filter - Category 2: Event Handler Vector","tags":{"type":"xss","crs_id":"941120","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,25}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-140","name":"XSS Filter - Category 4: Javascript URI Vector","tags":{"type":"xss","crs_id":"941140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies","key_path":["user-agent"]},{"address":"server.request.headers.no_cookies","key_path":["referer"]},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript","options":{"min_length":18}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-180","name":"Node-Validator Deny List Keywords","tags":{"type":"xss","crs_id":"941180","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"list":["document.cookie","document.write",".parentnode",".innerhtml","window.location","-moz-binding","<![cdata["]},"operator":"phrase_match"}],"transformers":["removeNulls","lowercase"]},{"id":"crs-941-200","name":"IE XSS Filters - Attack Detected via vmlframe tag","tags":{"type":"xss","crs_id":"941200","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)","options":{"case_sensitive":true,"min_length":13}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-210","name":"IE XSS Filters - Obfuscated Attack Detected via javascript injection","tags":{"type":"xss","crs_id":"941210","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)","options":{"case_sensitive":true,"min_length":12}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-220","name":"IE XSS Filters - Obfuscated Attack Detected via vbscript injection","tags":{"type":"xss","crs_id":"941220","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)","options":{"case_sensitive":true,"min_length":10}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-230","name":"IE XSS Filters - Attack Detected via embed tag","tags":{"type":"xss","crs_id":"941230","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<EMBED[\\s/+].*?(?:src|type).*?=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-240","name":"IE XSS Filters - Attack Detected via import tag","tags":{"type":"xss","crs_id":"941240","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<[?]?import[\\s/+\\S]*?implementation[\\s/+]*?=","options":{"case_sensitive":true,"min_length":22}},"operator":"match_regex"}],"transformers":["lowercase","removeNulls"]},{"id":"crs-941-270","name":"IE XSS Filters - Attack Detected via link tag","tags":{"type":"xss","crs_id":"941270","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<LINK[\\s/+].*?href[\\s/+]*=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-280","name":"IE XSS Filters - Attack Detected via base tag","tags":{"type":"xss","crs_id":"941280","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<BASE[\\s/+].*?href[\\s/+]*=","options":{"min_length":11}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-290","name":"IE XSS Filters - Attack Detected via applet tag","tags":{"type":"xss","crs_id":"941290","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<APPLET[\\s/+>]","options":{"min_length":8}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-300","name":"IE XSS Filters - Attack Detected via object tag","tags":{"type":"xss","crs_id":"941300","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"<OBJECT[\\s/+].*?(?:type|codetype|classid|code|data)[\\s/+]*=","options":{"min_length":13}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"crs-941-350","name":"UTF-7 Encoding IE XSS - Attack Detected","tags":{"type":"xss","crs_id":"941350","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-","options":{"case_sensitive":true,"min_length":6}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-941-360","name":"JSFuck / Hieroglyphy obfuscation detected","tags":{"type":"xss","crs_id":"941360","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"![!+ ]\\[\\]","options":{"case_sensitive":true,"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-100","name":"SQL Injection Attack Detected via libinjection","tags":{"type":"sql_injection","crs_id":"942100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}]},"operator":"is_sqli"}],"transformers":["removeNulls"]},{"id":"crs-942-140","name":"SQL Injection Attack: Common DB Names Detected","tags":{"type":"sql_injection","crs_id":"942140","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\.\\.sysdatabases|ysql\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\b|s(?:(?:ys(?:\\.database_name|aux)|qlite(?:_temp)?_master)\\b|chema(?:_name\\b|\\W*\\())|d(?:atabas|b_nam)e\\W*\\()","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-160","name":"Detects blind sqli tests using sleep() or benchmark()","tags":{"type":"sql_injection","crs_id":"942160","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))","options":{"case_sensitive":true,"min_length":7}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-190","name":"Detects MSSQL code execution and information gathering attempts","tags":{"type":"sql_injection","crs_id":"942190","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:\\b(?:(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(?:\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]|from\\W+information_schema\\W|exec(?:ute)?\\s+master\\.)|[\\\"'`](?:;?\\s*?(?:union\\b\\s*?(?:(?:distin|sele)ct|all)|having|select)\\b\\s*?[^\\s]|\\s*?!\\s*?[\\\"'`\\w])|\\s*?exec(?:ute)?.*?\\Wxp_cmdshell|\\Wiif\\s*?\\()","options":{"min_length":3}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-220","name":"Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash","tags":{"type":"sql_injection","crs_id":"942220","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-240","name":"Detects MySQL charset switch and MSSQL DoS attempts","tags":{"type":"sql_injection","crs_id":"942240","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:[\\\"'`](?:;*?\\s*?waitfor\\s+(?:delay|time)\\s+[\\\"'`]|;.*?:\\s*?goto)|alter\\s*?\\w+.*?cha(?:racte)?r\\s+set\\s+\\w+)","options":{"min_length":7}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-250","name":"Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections","tags":{"type":"sql_injection","crs_id":"942250","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(?:),+-]+\\s*?against\\s*?\\()","options":{"case_sensitive":true,"min_length":11}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-270","name":"Looking for basic sql injection. Common attack string for mysql, oracle and others","tags":{"type":"sql_injection","crs_id":"942270","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"union.*?select.*?from","options":{"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-280","name":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts","tags":{"type":"sql_injection","crs_id":"942280","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:;\\s*?shutdown\\s*?(?:[#;{]|\\/\\*|--)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?pg_sleep)","options":{"min_length":10}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"type":"nosql_injection","crs_id":"942290","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-360","name":"Detects concatenated basic SQL injection and SQLLFI attempts","tags":{"type":"sql_injection","crs_id":"942360","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)","options":{"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-942-500","name":"MySQL in-line comment detected","tags":{"type":"sql_injection","crs_id":"942500","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i:/\\*[!+](?:[\\w\\s=_\\-(?:)]+)?\\*/)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-943-100","name":"Possible Session Fixation Attack: Setting Cookie Values in HTML","tags":{"type":"http_protocol_violation","crs_id":"943100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.cookies"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"}],"regex":"(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)","options":{"case_sensitive":true,"min_length":15}},"operator":"match_regex"}],"transformers":[]},{"id":"crs-944-100","name":"Remote Command Execution: Suspicious Java class detected","tags":{"type":"java_code_injection","crs_id":"944100","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"java\\.lang\\.(?:runtime|processbuilder)","options":{"case_sensitive":true,"min_length":17}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-944-110","name":"Remote Command Execution: Java process spawn (CVE-2017-9805)","tags":{"type":"java_code_injection","crs_id":"944110","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?:runtime|processbuilder)","options":{"case_sensitive":true,"min_length":7}},"operator":"match_regex"},{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?:unmarshaller|base64data|java\\.)","options":{"case_sensitive":true,"min_length":5}},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"crs-944-130","name":"Suspicious Java class detected","tags":{"type":"java_code_injection","crs_id":"944130","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.cookies"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"list":["com.opensymphony.xwork2","com.sun.org.apache","java.io.bufferedinputstream","java.io.bufferedreader","java.io.bytearrayinputstream","java.io.bytearrayoutputstream","java.io.chararrayreader","java.io.datainputstream","java.io.file","java.io.fileoutputstream","java.io.filepermission","java.io.filewriter","java.io.filterinputstream","java.io.filteroutputstream","java.io.filterreader","java.io.inputstream","java.io.inputstreamreader","java.io.linenumberreader","java.io.objectoutputstream","java.io.outputstream","java.io.pipedoutputstream","java.io.pipedreader","java.io.printstream","java.io.pushbackinputstream","java.io.reader","java.io.stringreader","java.lang.class","java.lang.integer","java.lang.number","java.lang.object","java.lang.process","java.lang.processbuilder","java.lang.reflect","java.lang.runtime","java.lang.string","java.lang.stringbuilder","java.lang.system","javax.script.scriptenginemanager","org.apache.commons","org.apache.struts","org.apache.struts2","org.omg.corba","java.beans.xmldecode"]},"operator":"phrase_match"}],"transformers":["lowercase"]},{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"phrase_match","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"list":["/wordpress/","/etc/","/login.php","/install.php","/administrator","/admin.php","/wp-config","/phpmyadmin","/fckeditor","/mysql","/manager/html",".htaccess","/config.php","/configuration","/cgi-bin/php","/search.php","/tinymce","/tiny_mce","/settings.php","../../..","/install/","/download.php","/webdav","/forum.php","/user.php","/style.php","/jmx-console","/modules.php","/include.php","/default.asp","/help.php","/database.yml","/database.yml.pgsql","/database.yml.sqlite3","/database.yml.sqlite","/database.yml.mysql",".%2e/","/view.php","/header.php","/search.asp","%5c%5c","/server/php/","/invoker/jmxinvokerservlet","/phpmyadmin/index.php","/data/admin/allowurl.txt","/verify.php","/misc/ajax.js","/.idea","/module.php","/backup.rar","/backup.tar","/backup.zip","/backup.7z","/backup.gz","/backup.tgz","/backup.tar.gz","waitfor%20delay","/calendar.php","/news.php","/dompdf.php","))))))))))))))))","/web.config","tree.php","/cgi-bin-sdb/printenv","/comments.php","/detail.asp","/license.txt","/admin.asp","/auth.php","/list.php","/content.php","/mod.php","/mini.php","/install.pgsql","/install.mysql","/install.sqlite","/install.sqlite3","/install.txt","/install.md","/doku.php","/main.asp","/myadmin","/force-download.php","/iisprotect/admin","/.gitignore","/print.php","/common.php","/mainfile.php","/functions.php","/scripts/setup.php","/faq.php","/op/op.login.php","/home.php","/includes/hnmain.inc.php3","/preview.php","/dump.rar","/dump.tar","/dump.zip","/dump.7z","/dump.gz","/dump.tgz","/dump.tar.gz","/thumbnail.php","/sendcard.php","/global.asax","/directory.php","/footer.php","/error.asp","/forum.asp","/save.php","/htmlsax3.php","/adm/krgourl.php","/includes/converter.inc.php","/nucleus/libs/pluginadmin.php","/base_qry_common.php","/fileadmin","/bitrix/admin/","/adm.php","/util/barcode.php","/action.php","/rss.asp","/downloads.php","/page.php","/snarf_ajax.php","/fck/editor","/sendmail.php","/detail.php","/iframe.php","/swfupload.swf","/jenkins/login","/phpmyadmin/main.php","/phpmyadmin/scripts/setup.php","/user/index.php","/checkout.php","/process.php","/ks_inc/ajax.js","/export.php","/register.php","/cart.php","/console.php","/friend.php","/readmsg.php","/install.asp","/dagent/downloadreport.asp","/system/index.php","/core/changelog.txt","/js/util.js","/interna.php","/gallery.php","/links.php","/data/admin/ver.txt","/language/zh-cn.xml","/productdetails.asp","/admin/template/article_more/config.htm","/components/com_moofaq/includes/file_includer.php","/licence.txt","/rss.xsl","/vtigerservice.php","/mysql/main.php","/passwiki.php","/scr/soustab.php","/global.php","/email.php","/user.asp","/msd","/products.php","/cultbooking.php","/cron.php","/static/js/admincp.js","/comment.php","/maintainers","/modules/plain/adminpart/addplain.php","/wp-content/plugins/ungallery/source_vuln.php","/upgrade.txt","/category.php","/index_logged.php","/members.asp","/script/html.js","/images/ad.js","/awstats/awstats.pl","/includes/esqueletos/skel_null.php","/modules/profile/user.php","/window_top.php","/openbrowser.php","/thread.php","tinfoil_xss","/includes/include.php","/urheber.php","/header.inc.php","/mysqldumper","/display.php","/website.php","/stats.php","/assets/plugins/mp3_id/mp3_id.php","/siteminderagent/forms/smpwservices.fcc"]}}],"transformers":["lowercase"]},{"id":"nfd-000-002","name":"Detect failed attempt to fetch readme files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"readme\\.[\\.a-z0-9]+$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-003","name":"Detect failed attempt to fetch Java EE resource files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"^(?:.*web\\-inf)(?:.*web\\.xml).*$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-004","name":"Detect failed attempt to fetch code files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(java|pyc?|rb|class)\\b","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-005","name":"Detect failed attempt to fetch source code archives","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(sql|log|ndb|gz|zip|tar\\.gz|tar|regVV|reg|conf|bz2|ini|db|war|bat|inc|btr|server|ds|conf|config|admin|master|sln|bak)\\b(?:[^.]|$)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-006","name":"Detect failed attempt to fetch sensitive files","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"\\.(cgi|bat|dll|exe|key|cert|crt|pem|der|pkcs|pkcs|pkcs[0-9]*|nsf|jsa|war|java|class|vb|vba|so|git|svn|hg|cvs)([^a-zA-Z0-9_]|$)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-007","name":"Detect failed attempt to fetch archives","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"/[\\d\\-_]*\\.(rar|tar|zip|7z|gz|tgz|tar.gz)","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-008","name":"Detect failed attempt to trigger incorrect application behavior","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"(/(administrator/components/com.*\\.php|response\\.write\\(.+\\))|select\\(.+\\)from|\\(.*sleep\\(.+\\)|(%[a-zA-Z0-9]{2}[a-zA-Z]{0,1})+\\))","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"nfd-000-009","name":"Detect failed attempt to leak the structure of the application","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"operator":"match_regex","parameters":{"inputs":[{"address":"server.response.status"}],"regex":"^404$","options":{"case_sensitive":true}}},{"operator":"match_regex","parameters":{"inputs":[{"address":"server.request.uri.raw"}],"regex":"/(login\\.rol|LICENSE|[\\w-]+\\.(plx|pwd))$","options":{"case_sensitive":false}}}],"transformers":[]},{"id":"sqr-000-001","name":"SSRF: Try to access the credential manager of the main cloud services","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"(?i)^\\W*((http|ftp)s?://)?\\W*((::f{4}:)?(169|(0x)?0*a9|0+251)\\.?(254|(0x)?0*fe|0+376)[0-9a-fx\\.:]+|metadata\\.google\\.internal|metadata\\.goog)\\W*/","options":{"min_length":4}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"sqr-000-002","name":"Server-side Javascript injection: Try to detect obvious JS injection","tags":{"type":"js_code_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"require\\(['\"][\\w\\.]+['\"]\\)|process\\.\\w+\\([\\w\\.]*\\)|\\.toString\\(\\)","options":{"min_length":4}},"operator":"match_regex"}],"transformers":["removeNulls"]},{"id":"sqr-000-007","name":"NoSQL: Detect common exploitation strategy","tags":{"type":"nosql_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies"}],"regex":"\\$(eq|ne|lte?|gte?|n?in)\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-008","name":"Windows: Detect attempts to exfiltrate .ini files","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*type\\s+%\\w+%\\\\+\\w+\\.ini\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-009","name":"Linux: Detect attempts to exfiltrate passwd files","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-010","name":"Windows: Detect attempts to timeout a shell","tags":{"type":"command_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"(?i)[&|]\\s*timeout\\s+/t\\s+\\d+\\s*[&|]"},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-011","name":"SSRF: Try to access internal OMI service (CVE-2021-38647)","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"http(s?):\\/\\/([A-Za-z0-9\\.\\-\\_]+|\\[[A-Fa-f0-9\\:]+\\]|):5986\\/wsman","options":{"min_length":4}},"operator":"match_regex"}],"transformers":[]},{"id":"sqr-000-012","name":"SSRF: Detect SSRF attempt on internal service","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-013","name":"SSRF: Detect SSRF attempts using IPv6 or octal/hexdecimal obfuscation","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-014","name":"SSRF: Detect SSRF domain redirection bypass","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^(http|https):\\/\\/(.*burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io)"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-015","name":"SSRF: Detect SSRF attempt using non HTTP protocol","tags":{"type":"ssrf","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"^(jar:)?((file|netdoc):\\/\\/[\\\\\\/]+|(dict|gopher|ldap|sftp|tftp):\\/\\/.*:[0-9]{1,5})"},"operator":"match_regex"}],"transformers":["lowercase"]},{"id":"sqr-000-017","name":"JNDI: Attempt to exploit log4j CVE-2021-44228","tags":{"type":"java_code_injection","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.uri.raw"},{"address":"server.request.query"},{"address":"server.request.body"},{"address":"server.request.path_params"},{"address":"server.request.headers.no_cookies"},{"address":"grpc.server.request.message"}],"regex":"\\${[^j]*j[^n]*n[^d]*d[^i]*i[^:]*:[^}]*}"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-0xx","name":"Joomla exploitation tool","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"JDatabaseDriverMysqli"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-10x","name":"Nessus","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Nessus(/|([ :]+SOAP))"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-12x","name":"Arachni","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^Arachni\\/v"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-13x","name":"Jorgee","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bJorgee\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-14x","name":"Probely","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bProbely\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-15x","name":"Metis","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bmetis\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-16x","name":"SQL power injector","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"sql power injector"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-18x","name":"N-Stealth","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bn-stealth\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-19x","name":"Brutus","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bbrutus\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-1xx","name":"Shellshock exploitation tool","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"\\(\\) \\{ :; *\\}"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-20x","name":"Netsparker","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)(<script>netsparker\\(0x0|ns:netsparker.*=vuln)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-22x","name":"JAASCois","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bjaascois\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-23x","name":"PMAFind","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bpmafind\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-25x","name":"Webtrends","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"webtrends security analyzer"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-26x","name":"Nsauditor","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bnsauditor\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-27x","name":"Paros","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)Mozilla/.* Paros/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-28x","name":"DirBuster","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bdirbuster\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-29x","name":"Pangolin","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bpangolin\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-2xx","name":"Qualys","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bqualys\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-30x","name":"SQLNinja","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bsqlninja\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-31x","name":"Nikto","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"\\(Nikto/[\\d\\.]+\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-32x","name":"WebInspect","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bwebinspect\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-33x","name":"BlackWidow","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bblack\\s?widow\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-34x","name":"Grendel-Scan","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bgrendel-scan\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-35x","name":"Havij","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bhavij\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-36x","name":"w3af","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bw3af\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-37x","name":"Nmap","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"nmap (nse|scripting engine)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-39x","name":"Nessus Scripted","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^'?[a-z0-9]+\\.nasl'?$"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-3xx","name":"Evil Scanner","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bevilScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-40x","name":"WebFuck","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bWebFuck\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-41x","name":"Acunetix","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"md5\\(acunetix_wvs_security_test\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-42x","name":"OpenVAS","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)OpenVAS\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-43x","name":"Spider-Pig","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"Powered by Spider-Pig by tinfoilsecurity\\.com"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-44x","name":"Zgrab","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"Mozilla/\\d+.\\d+ zgrab"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-45x","name":"Zmeu","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bZmEu\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-46x","name":"Crowdstrike","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bcrowdstrike\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-47x","name":"GoogleSecurityScanner","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bGoogleSecurityScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-48x","name":"Commix","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^commix\\/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-49x","name":"Gobuster","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^gobuster\\/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-4xx","name":"CGIchk","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bcgichk\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-51x","name":"FFUF","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Fuzz Faster U Fool\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-52x","name":"Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)^Nuclei\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-53x","name":"Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bTsunamiSecurityScanner\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-54x","name":"Nimbostratus is a vulnerability scanner that scan websites unprompted","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bnimbostratus-bot\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-55x","name":"Datadog test scanner: user-agent","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^dd-test-scanner-log$"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-5xx","name":"Blind Sql Injection Brute Forcer","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)\\bbsqlbf\\b"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-6xx","name":"Suspicious user agent","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"mozilla/4\\.0 \\(compatible(; msie 6\\.0; win32)?\\)"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-7xx","name":"SQLmap","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"^sqlmap/"},"operator":"match_regex"}],"transformers":[]},{"id":"ua0-600-9xx","name":"Skipfish","tags":{"type":"security_scanner","category":"attack_attempt"},"conditions":[{"parameters":{"inputs":[{"address":"server.request.headers.no_cookies","key_path":["user-agent"]}],"regex":"(?i)mozilla/5\\.0 sf/"},"operator":"match_regex"}],"transformers":[]}]}
|
|
@@ -1,6 +1,10 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
3
|
const addresses = require('./addresses')
|
|
4
|
+
const Limiter = require('../rate_limiter')
|
|
5
|
+
|
|
6
|
+
// default limiter, configurable with setRateLimit()
|
|
7
|
+
let limiter = new Limiter(100)
|
|
4
8
|
|
|
5
9
|
const REQUEST_HEADERS_PASSLIST = [
|
|
6
10
|
'accept',
|
|
@@ -85,8 +89,11 @@ function reportAttack (attackData, store) {
|
|
|
85
89
|
const currentTags = topSpan.context()._tags
|
|
86
90
|
|
|
87
91
|
const newTags = {
|
|
88
|
-
'appsec.event': true
|
|
89
|
-
|
|
92
|
+
'appsec.event': 'true'
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
if (limiter.isAllowed()) {
|
|
96
|
+
newTags['manual.keep'] = 'true' // TODO: figure out how to keep appsec traces with sampling revamp
|
|
90
97
|
}
|
|
91
98
|
|
|
92
99
|
// TODO: maybe add this to format.js later (to take decision as late as possible)
|
|
@@ -136,11 +143,16 @@ function finishAttacks (req, context) {
|
|
|
136
143
|
topSpan.addTags(newTags)
|
|
137
144
|
}
|
|
138
145
|
|
|
146
|
+
function setRateLimit (rateLimit) {
|
|
147
|
+
limiter = new Limiter(rateLimit)
|
|
148
|
+
}
|
|
149
|
+
|
|
139
150
|
module.exports = {
|
|
140
151
|
resolveHTTPRequest,
|
|
141
152
|
resolveHTTPResponse,
|
|
142
153
|
filterHeaders,
|
|
143
154
|
formatHeaderName,
|
|
144
155
|
reportAttack,
|
|
145
|
-
finishAttacks
|
|
156
|
+
finishAttacks,
|
|
157
|
+
setRateLimit
|
|
146
158
|
}
|
|
@@ -134,6 +134,11 @@ class Config {
|
|
|
134
134
|
process.env.DD_APPSEC_RULES,
|
|
135
135
|
path.join(__dirname, 'appsec', 'recommended.json')
|
|
136
136
|
)
|
|
137
|
+
const DD_APPSEC_TRACE_RATE_LIMIT = coalesce(
|
|
138
|
+
appsec.rateLimit,
|
|
139
|
+
process.env.DD_APPSEC_TRACE_RATE_LIMIT,
|
|
140
|
+
100
|
|
141
|
+
)
|
|
137
142
|
|
|
138
143
|
const sampler = (options.experimental && options.experimental.sampler) || {}
|
|
139
144
|
const ingestion = options.ingestion || {}
|
|
@@ -198,7 +203,8 @@ class Config {
|
|
|
198
203
|
this.protocolVersion = DD_TRACE_AGENT_PROTOCOL_VERSION
|
|
199
204
|
this.appsec = {
|
|
200
205
|
enabled: isTrue(DD_APPSEC_ENABLED),
|
|
201
|
-
rules: DD_APPSEC_RULES
|
|
206
|
+
rules: DD_APPSEC_RULES,
|
|
207
|
+
rateLimit: DD_APPSEC_TRACE_RATE_LIMIT
|
|
202
208
|
}
|
|
203
209
|
|
|
204
210
|
tagger.add(this.tags, {
|