author | Scott Ullrich <sullrich@pfsense.org> | 2009-10-27 21:09:05 -0400 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2009-10-27 21:09:05 -0400 |
commit | 1c8ef60e95081ceedb31fc46178e138a17d6b458 (patch) | |
tree | 66734e73319b3e945bf3eb2f53c8e73c3872f81b | |
parent | 23eae9180b05a7bc7e1bcf59288319189bd23c36 (diff) | |
Add converted snort rules from early October
-rw-r--r-- | config/apache_mod_security/apache_mod_security.xml | 15 | ||||
-rw-r--r-- | config/apache_mod_security/rules/snortmodsec-rules.txt | 2610 |
2 files changed, 2622 insertions, 3 deletions
diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index 57621e8d..c4196e7d 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
@@ -101,7 +101,11 @@
 <field>
 <fielddescr>Site name</fielddescr>
 <fieldname>sitename</fieldname>
- <description><![CDATA[Enter a short descriptive name for the site. (e.g. intranet)]]></description>
+ <description>
+ <![CDATA[
+ Enter a short descriptive name for the site. (e.g. intranet)
+ ]]>
+ </description>
 <type>input</type>
 </field>
 <field>
@@ -142,7 +146,11 @@
 <field>
 <fielddescr>Preserve Proxy hostname</fielddescr>
 <fieldname>preserveproxyhostname</fieldname>
- <description>When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.</description>
+ <description>
+ <![CDATA[
+ When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.
+ ]]>
+ </description>
 <type>checkbox</type>
 </field>
 <field>
@@ -152,7 +160,8 @@
 <![CDATA[
 Enter the primary hostname (FQDN) for this website (e.g. www.example.com)<br/>
 Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)
- ]]></description>
+ ]]>
+ </description>
 <size>40</size>
 <type>input</type>
 </field>
diff --git a/config/apache_mod_security/rules/snortmodsec-rules.txt b/config/apache_mod_security/rules/snortmodsec-rules.txt
new file mode 100644
index 00000000..0e46aa1e
--- /dev/null
+++ b/config/apache_mod_security/rules/snortmodsec-rules.txt
@@ -0,0 +1,2610 @@ +# WEB-ATTACKS ps command attempt +SecFilterSelective THE_REQUEST "/bin/ps" + +# WEB-ATTACKS /bin/ps command attempt +SecFilterSelective THE_REQUEST "ps\x20" + +# WEB-ATTACKS wget command attempt +SecFilter "wget\x20" + +# WEB-ATTACKS uname -a command attempt +SecFilter "uname\x20-a" + +# WEB-ATTACKS /usr/bin/id command attempt +SecFilter "/usr/bin/id" + +# WEB-ATTACKS id command attempt +SecFilter "\;id" + +# WEB-ATTACKS echo command attempt +SecFilter "/bin/echo" + +# WEB-ATTACKS kill command attempt +SecFilter "/bin/kill" + +# WEB-ATTACKS chmod command attempt +SecFilter "/bin/chmod" + +# WEB-ATTACKS chgrp command attempt +SecFilter "/chgrp" + +# WEB-ATTACKS chown command attempt +SecFilter "/chown" + +# WEB-ATTACKS chsh command attempt +SecFilter "/usr/bin/chsh" + +# WEB-ATTACKS tftp command attempt +SecFilter "tftp\x20" + +# WEB-ATTACKS /usr/bin/gcc command attempt +SecFilter "/usr/bin/gcc" + +# WEB-ATTACKS gcc command attempt +SecFilter "gcc\x20-o" + +# WEB-ATTACKS /usr/bin/cc command attempt +SecFilter "/usr/bin/cc" + +# WEB-ATTACKS cc command attempt +SecFilter "cc\x20" + +# WEB-ATTACKS /usr/bin/cpp command attempt +SecFilter "/usr/bin/cpp" + +# WEB-ATTACKS cpp command attempt +SecFilter "cpp\x20" + +# WEB-ATTACKS /usr/bin/g++ command attempt +SecFilter "/usr/bin/g\+\+" + +# WEB-ATTACKS g++ command attempt +SecFilter "g\+\+\x20" + +# WEB-ATTACKS bin/python access attempt +SecFilter "bin/python" + +# WEB-ATTACKS python access attempt +SecFilter "python\x20" + +# WEB-ATTACKS bin/tclsh execution attempt +SecFilter "bin/tclsh" + +# WEB-ATTACKS tclsh execution attempt +SecFilter "tclsh8\x20" + +# WEB-ATTACKS bin/nasm command attempt +SecFilter "bin/nasm" + +# WEB-ATTACKS nasm command attempt +SecFilter "nasm\x20" + +# WEB-ATTACKS /usr/bin/perl execution attempt +SecFilter "/usr/bin/perl" + +# WEB-ATTACKS perl execution attempt +SecFilter "perl\x20" + +# WEB-ATTACKS nt admin addition attempt +SecFilter "net localgroup administrators /add" + +# 
WEB-ATTACKS traceroute command attempt +SecFilter "traceroute\x20" + +# WEB-ATTACKS ping command attempt +SecFilter "/bin/ping" + +# WEB-ATTACKS netcat command attempt +SecFilter "nc\x20" + +# WEB-ATTACKS nmap command attempt +SecFilter "nmap\x20" + +# WEB-ATTACKS xterm command attempt +SecFilter "/usr/X11R6/bin/xterm" + +# WEB-ATTACKS X application to remote host attempt +SecFilter "\x20-display\x20" + +# WEB-ATTACKS lsof command attempt +SecFilter "lsof\x20" + +# WEB-ATTACKS rm command attempt +SecFilter "rm\x20" + +# WEB-ATTACKS mail command attempt +SecFilter "/bin/mail" + +# WEB-ATTACKS mail command attempt +SecFilter "mail\x20" + +# WEB-ATTACKS /bin/ls command attempt +SecFilterSelective THE_REQUEST "/bin/ls" + +# WEB-ATTACKS /etc/inetd.conf access +SecFilter "/etc/inetd\.conf" log,pass + +# WEB-ATTACKS /etc/motd access +SecFilter "/etc/motd" log,pass + +# WEB-ATTACKS /etc/shadow access +SecFilter "/etc/shadow" log,pass + +# WEB-ATTACKS conf/httpd.conf attempt +SecFilter "conf/httpd\.conf" log,pass + +# WEB-ATTACKS .htgroup access +SecFilterSelective THE_REQUEST "\.htgroup" log,pass + +# WEB-CGI HyperSeek hsx.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/hsx\.cgi" chain +SecFilter "\x00" + +# WEB-CGI HyperSeek hsx.cgi access +SecFilterSelective THE_REQUEST "/hsx\.cgi" log,pass + +# WEB-CGI SWSoft ASPSeek Overflow attempt +SecFilterSelective THE_REQUEST "/s\.cgi" chain +SecFilter "tmpl=" + +# WEB-CGI webspeed access +SecFilterSelective THE_REQUEST "/wsisa\.dll/WService=" chain +SecFilter "WSMadmin" + +# WEB-CGI yabb.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/YaBB\.pl" chain +SecFilter "\.\./" + +# WEB-CGI yabb.cgi access +SecFilterSelective THE_REQUEST "/YaBB\.pl" + +# WEB-CGI /wwwboard/passwd.txt access +SecFilterSelective THE_REQUEST "/wwwboard/passwd\.txt" + +# WEB-CGI webdriver access +SecFilterSelective THE_REQUEST "/webdriver" + +# WEB-CGI whois_raw.cgi access +SecFilterSelective THE_REQUEST "/whois_raw\.cgi" + 
+# WEB-CGI websitepro path access +SecFilter " /HTTP/1\." + +# WEB-CGI webplus version access +SecFilterSelective THE_REQUEST "/webplus\?about" + +# WEB-CGI webplus directory traversal +SecFilterSelective THE_REQUEST "/webplus\?script" chain +SecFilter "\.\./" + +# WEB-CGI websendmail access +SecFilterSelective THE_REQUEST "/websendmail" + +# WEB-CGI dcforum.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/dcforum\.cgi" chain +SecFilter "forum=\.\./\.\." + +# WEB-CGI dcforum.cgi access +SecFilterSelective THE_REQUEST "/dcforum\.cgi" + +# WEB-CGI dcboard.cgi invalid user addition attempt +SecFilterSelective THE_REQUEST "/dcboard\.cgi" chain +SecFilter "\x7cadmin" + +# WEB-CGI dcboard.cgi access +SecFilterSelective THE_REQUEST "/dcboard\.cgi" + +# WEB-CGI mmstdod.cgi access +SecFilterSelective THE_REQUEST "/mmstdod\.cgi" + +# WEB-CGI anaconda directory transversal attempt +SecFilterSelective THE_REQUEST "/apexec\.pl" chain +SecFilter "template=\.\./" + +# WEB-CGI imagemap.exe overflow attempt +SecFilterSelective THE_REQUEST "/imagemap\.exe\?" + +# WEB-CGI imagemap.exe access +SecFilterSelective THE_REQUEST "/imagemap\.exe" log,pass + +# WEB-CGI cvsweb.cgi access +SecFilterSelective THE_REQUEST "/cvsweb\.cgi" + +# WEB-CGI php.cgi access +SecFilterSelective THE_REQUEST "/php\.cgi" + +# WEB-CGI glimpse access +SecFilterSelective THE_REQUEST "/glimpse" + +# WEB-CGI htmlscript attempt +SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\." 
+ +# WEB-CGI htmlscript access +SecFilterSelective THE_REQUEST "/htmlscript" + +# WEB-CGI info2www access +SecFilterSelective THE_REQUEST "/info2www" + +# WEB-CGI maillist.pl access +SecFilterSelective THE_REQUEST "/maillist\.pl" + +# WEB-CGI nph-test-cgi access +SecFilterSelective THE_REQUEST "/nph-test-cgi" + +# WEB-CGI NPH-publish access +SecFilterSelective THE_REQUEST "/nph-maillist\.pl" + +# WEB-CGI NPH-publish access +SecFilterSelective THE_REQUEST "/nph-publish" + +# WEB-CGI rguest.exe access +SecFilterSelective THE_REQUEST "/rguest\.exe" + +# WEB-CGI rwwwshell.pl access +SecFilterSelective THE_REQUEST "/rwwwshell\.pl" + +# WEB-CGI test-cgi attempt +SecFilterSelective THE_REQUEST "/test-cgi/*\?*" + +# WEB-CGI test-cgi access +SecFilterSelective THE_REQUEST "/test-cgi" + +# WEB-CGI testcgi access +SecFilterSelective THE_REQUEST "/testcgi" log,pass + +# WEB-CGI test.cgi access +SecFilterSelective THE_REQUEST "/test\.cgi" log,pass + +# WEB-CGI textcounter.pl access +SecFilterSelective THE_REQUEST "/textcounter\.pl" + +# WEB-CGI uploader.exe access +SecFilterSelective THE_REQUEST "/uploader\.exe" + +# WEB-CGI webgais access +SecFilterSelective THE_REQUEST "/webgais" + +# WEB-CGI finger access +SecFilterSelective THE_REQUEST "/finger" + +# WEB-CGI perlshop.cgi access +SecFilterSelective THE_REQUEST "/perlshop\.cgi" + +# WEB-CGI pfdisplay.cgi access +SecFilterSelective THE_REQUEST "/pfdisplay\.cgi" + +# WEB-CGI aglimpse access +SecFilterSelective THE_REQUEST "/aglimpse" + +# WEB-CGI anform2 access +SecFilterSelective THE_REQUEST "/AnForm2" + +# WEB-CGI args.bat access +SecFilterSelective THE_REQUEST "/args\.bat" + +# WEB-CGI args.cmd access +SecFilterSelective THE_REQUEST "/args\.cmd" + +# WEB-CGI AT-admin.cgi access +SecFilterSelective THE_REQUEST "/AT-admin\.cgi" + +# WEB-CGI AT-generated.cgi access +SecFilterSelective THE_REQUEST "/AT-generated\.cgi" + +# WEB-CGI bnbform.cgi access +SecFilterSelective THE_REQUEST "/bnbform\.cgi" + +# WEB-CGI campas access 
+SecFilterSelective THE_REQUEST "/campas" + +# WEB-CGI view-source directory traversal +SecFilterSelective THE_REQUEST "/view-source" chain +SecFilter "\.\./" + +# WEB-CGI view-source access +SecFilterSelective THE_REQUEST "/view-source" + +# WEB-CGI wais.pl access +SecFilterSelective THE_REQUEST "/wais\.pl" + +# WEB-CGI wwwwais access +SecFilterSelective THE_REQUEST "/wwwwais" + +# WEB-CGI files.pl access +SecFilterSelective THE_REQUEST "/files\.pl" + +# WEB-CGI wguest.exe access +SecFilterSelective THE_REQUEST "/wguest\.exe" + +# WEB-CGI wrap access +SecFilterSelective THE_REQUEST "/wrap" + +# WEB-CGI classifieds.cgi access +SecFilterSelective THE_REQUEST "/classifieds\.cgi" + +# WEB-CGI environ.cgi access +SecFilterSelective THE_REQUEST "/environ\.cgi" + +# WEB-CGI faxsurvey attempt (full path) +SecFilterSelective THE_REQUEST "/faxsurvey\?/" + +# WEB-CGI faxsurvey arbitrary file read attempt +SecFilterSelective THE_REQUEST "/faxsurvey\?cat\x20" + +# WEB-CGI faxsurvey access +SecFilterSelective THE_REQUEST "/faxsurvey" log,pass + +# WEB-CGI filemail access +SecFilterSelective THE_REQUEST "/filemail\.pl" + +# WEB-CGI man.sh access +SecFilterSelective THE_REQUEST "/man\.sh" + +# WEB-CGI snork.bat access +SecFilterSelective THE_REQUEST "/snork\.bat" + +# WEB-CGI w3-msql access +SecFilterSelective THE_REQUEST "/w3-msql/" + +# WEB-CGI day5datacopier.cgi access +SecFilterSelective THE_REQUEST "/day5datacopier\.cgi" + +# WEB-CGI day5datanotifier.cgi access +SecFilterSelective THE_REQUEST "/day5datanotifier\.cgi" + +# WEB-CGI post-query access +SecFilterSelective THE_REQUEST "/post-query" + +# WEB-CGI visadmin.exe access +SecFilterSelective THE_REQUEST "/visadmin\.exe" + +# WEB-CGI dumpenv.pl access +SecFilterSelective THE_REQUEST "/dumpenv\.pl" + +# WEB-CGI calendar_admin.pl access +SecFilterSelective THE_REQUEST "/calendar_admin\.pl" log,pass + +# WEB-CGI calendar-admin.pl access +SecFilterSelective THE_REQUEST "/calendar-admin\.pl" log,pass + +# WEB-CGI calender.pl 
access +SecFilterSelective THE_REQUEST "/calender\.pl" + +# WEB-CGI calendar access +SecFilterSelective THE_REQUEST "/calendar" + +# WEB-CGI user_update_admin.pl access +SecFilterSelective THE_REQUEST "/user_update_admin\.pl" + +# WEB-CGI user_update_passwd.pl access +SecFilterSelective THE_REQUEST "/user_update_passwd\.pl" + +# WEB-CGI snorkerz.cmd access +SecFilterSelective THE_REQUEST "/snorkerz\.cmd" + +# WEB-CGI survey.cgi access +SecFilterSelective THE_REQUEST "/survey\.cgi" + +# WEB-CGI scriptalias access +SecFilterSelective THE_REQUEST "///" + +# WEB-CGI win-c-sample.exe access +SecFilterSelective THE_REQUEST "/win-c-sample\.exe" + +# WEB-CGI w3tvars.pm access +SecFilterSelective THE_REQUEST "/w3tvars\.pm" + +# WEB-CGI admin.pl access +SecFilterSelective THE_REQUEST "/admin\.pl" + +# WEB-CGI LWGate access +SecFilterSelective THE_REQUEST "/LWGate" + +# WEB-CGI archie access +SecFilterSelective THE_REQUEST "/archie" + +# WEB-CGI flexform access +SecFilterSelective THE_REQUEST "/flexform" + +# WEB-CGI formmail arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/formmail" chain +SecFilter "\x0a" + +# WEB-CGI formmail access +SecFilterSelective THE_REQUEST "/formmail" log,pass + +# WEB-CGI phf arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/phf" chain +SecFilter "\x0a/" + +# WEB-CGI phf access +SecFilterSelective THE_REQUEST "/phf" log,pass + +# WEB-CGI www-sql access +SecFilterSelective THE_REQUEST "/www-sql" + +# WEB-CGI wwwadmin.pl access +SecFilterSelective THE_REQUEST "/wwwadmin\.pl" + +# WEB-CGI ppdscgi.exe access +SecFilterSelective THE_REQUEST "/ppdscgi\.exe" + +# WEB-CGI sendform.cgi access +SecFilterSelective THE_REQUEST "/sendform\.cgi" + +# WEB-CGI upload.pl access +SecFilterSelective THE_REQUEST "/upload\.pl" + +# WEB-CGI AnyForm2 access +SecFilterSelective THE_REQUEST "/AnyForm2" + +# WEB-CGI MachineInfo access +SecFilterSelective THE_REQUEST "/MachineInfo" + +# WEB-CGI bb-hist.sh attempt +SecFilterSelective 
THE_REQUEST "/bb-hist\.sh\?HISTFILE=\.\./\.\." + +# WEB-CGI bb-hist.sh access +SecFilterSelective THE_REQUEST "/bb-hist\.sh" + +# WEB-CGI bb-histlog.sh access +SecFilterSelective THE_REQUEST "/bb-histlog\.sh" + +# WEB-CGI bb-histsvc.sh access +SecFilterSelective THE_REQUEST "/bb-histsvc\.sh" + +# WEB-CGI bb-hostscv.sh attempt +SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\." + +# WEB-CGI bb-hostscv.sh access +SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh" log,pass + +# WEB-CGI bb-rep.sh access +SecFilterSelective THE_REQUEST "/bb-rep\.sh" + +# WEB-CGI bb-replog.sh access +SecFilterSelective THE_REQUEST "/bb-replog\.sh" + +# WEB-CGI redirect access +SecFilterSelective THE_REQUEST "/redirect" + +# WEB-CGI wayboard attempt +SecFilterSelective THE_REQUEST "/way-board/way-board\.cgi" chain +SecFilter "\.\./\.\." + +# WEB-CGI way-board access +SecFilterSelective THE_REQUEST "/way-board" log,pass + +# WEB-CGI pals-cgi arbitrary file access attempt +SecFilterSelective THE_REQUEST "/pals-cgi" chain +SecFilter "documentName=" + +# WEB-CGI pals-cgi access +SecFilterSelective THE_REQUEST "/pals-cgi" + +# WEB-CGI commerce.cgi arbitrary file access attempt +SecFilterSelective THE_REQUEST "/commerce\.cgi" chain +SecFilter "/\.\./" + +# WEB-CGI commerce.cgi access +SecFilterSelective THE_REQUEST "/commerce\.cgi" + +# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt +SecFilterSelective THE_REQUEST "/sendtemp\.pl" chain +SecFilter "templ=" + +# WEB-CGI Amaya templates sendtemp.pl access +SecFilterSelective THE_REQUEST "/sendtemp\.pl" log,pass + +# WEB-CGI webspirs.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/webspirs\.cgi" chain +SecFilter "\.\./\.\./" + +# WEB-CGI webspirs.cgi access +SecFilterSelective THE_REQUEST "/webspirs\.cgi" + +# WEB-CGI tstisapi.dll access +SecFilterSelective THE_REQUEST "tstisapi\.dll" + +# WEB-CGI sendmessage.cgi access +SecFilterSelective THE_REQUEST "/sendmessage\.cgi" + +# WEB-CGI lastlines.cgi 
access +SecFilterSelective THE_REQUEST "/lastlines\.cgi" + +# WEB-CGI zml.cgi attempt +SecFilterSelective THE_REQUEST "/zml\.cgi" chain +SecFilter "file=\.\./" log,pass + +# WEB-CGI zml.cgi access +SecFilterSelective THE_REQUEST "/zml\.cgi" log,pass + +# WEB-CGI AHG search.cgi access +SecFilterSelective THE_REQUEST "/publisher/search\.cgi" chain +SecFilter "template=" log,pass + +# WEB-CGI agora.cgi attempt +SecFilterSelective THE_REQUEST "/store/agora\.cgi\?cart_id=<SCRIPT>" + +# WEB-CGI agora.cgi access +SecFilterSelective THE_REQUEST "/store/agora\.cgi" log,pass + +# WEB-CGI rksh access +SecFilterSelective THE_REQUEST "/rksh" + +# WEB-CGI bash access +SecFilterSelective THE_REQUEST "/bash" log,pass + +# WEB-CGI perl.exe command attempt +SecFilterSelective THE_REQUEST "/perl\.exe\?" + +# WEB-CGI perl.exe access +SecFilterSelective THE_REQUEST "/perl\.exe" + +# WEB-CGI perl command attempt +SecFilterSelective THE_REQUEST "/perl\?" + +# WEB-CGI zsh access +SecFilterSelective THE_REQUEST "/zsh" + +# WEB-CGI csh access +SecFilterSelective THE_REQUEST "/csh" + +# WEB-CGI tcsh access +SecFilterSelective THE_REQUEST "/tcsh" + +# WEB-CGI rsh access +SecFilterSelective THE_REQUEST "/rsh" + +# WEB-CGI ksh access +SecFilterSelective THE_REQUEST "/ksh" + +# WEB-CGI auktion.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/auktion\.cgi" chain +SecFilter "menue=\.\./\.\./" + +# WEB-CGI auktion.cgi access +SecFilterSelective THE_REQUEST "/auktion\.cgi" log,pass + +# WEB-CGI cgiforum.pl attempt +SecFilterSelective THE_REQUEST "/cgiforum\.pl\?thesection=\.\./\.\." + +# WEB-CGI cgiforum.pl access +SecFilterSelective THE_REQUEST "/cgiforum\.pl" log,pass + +# WEB-CGI directorypro.cgi attempt +SecFilterSelective THE_REQUEST "/directorypro\.cgi" chain +SecFilter "\.\./\.\." 
+ +# WEB-CGI directorypro.cgi access +SecFilterSelective THE_REQUEST "/directorypro\.cgi" log,pass + +# WEB-CGI Web Shopper shopper.cgi attempt +SecFilterSelective THE_REQUEST "/shopper\.cgi" chain +SecFilter "newpage=\.\./" + +# WEB-CGI Web Shopper shopper.cgi access +SecFilterSelective THE_REQUEST "/shopper\.cgi" + +# WEB-CGI listrec.pl access +SecFilterSelective THE_REQUEST "/listrec\.pl" + +# WEB-CGI mailnews.cgi access +SecFilterSelective THE_REQUEST "/mailnews\.cgi" + +# WEB-CGI book.cgi access +SecFilterSelective THE_REQUEST "/book\.cgi" log,pass + +# WEB-CGI newsdesk.cgi access +SecFilterSelective THE_REQUEST "/newsdesk\.cgi" + +# WEB-CGI cal_make.pl directory traversal attempt +SecFilterSelective THE_REQUEST "/cal_make\.pl" chain +SecFilter "p0=\.\./\.\./" + +# WEB-CGI cal_make.pl access +SecFilterSelective THE_REQUEST "/cal_make\.pl" log,pass + +# WEB-CGI mailit.pl access +SecFilterSelective THE_REQUEST "/mailit\.pl" + +# WEB-CGI sdbsearch.cgi access +SecFilterSelective THE_REQUEST "/sdbsearch\.cgi" + +# WEB-CGI swc access +SecFilterSelective THE_REQUEST "/swc" + +# WEB-CGI ttawebtop.cgi arbitrary file attempt +SecFilterSelective THE_REQUEST "/ttawebtop\.cgi" chain +SecFilter "pg=\.\./" + +# WEB-CGI ttawebtop.cgi access +SecFilterSelective THE_REQUEST "/ttawebtop\.cgi" + +# WEB-CGI upload.cgi access +SecFilterSelective THE_REQUEST "/upload\.cgi" + +# WEB-CGI view_source access +SecFilterSelective THE_REQUEST "/view_source" + +# WEB-CGI ustorekeeper.pl directory traversal attempt +SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" chain +SecFilter "file=\.\./\.\./" + +# WEB-CGI ustorekeeper.pl access +SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" log,pass + +# WEB-CGI icat access +SecFilterSelective THE_REQUEST "/icat" log,pass + +# WEB-CGI Bugzilla doeditvotes.cgi access +SecFilterSelective THE_REQUEST "/doeditvotes\.cgi" log,pass + +# WEB-CGI htsearch arbitrary configuration file attempt +SecFilterSelective THE_REQUEST "/htsearch\?-c" + +# WEB-CGI 
htsearch arbitrary file read attempt +SecFilterSelective THE_REQUEST "/htsearch\?exclude=`" + +# WEB-CGI htsearch access +SecFilterSelective THE_REQUEST "/htsearch" log,pass + +# WEB-CGI a1stats a1disp3.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/a1disp3\.cgi\?/\.\./\.\./" + +# WEB-CGI a1stats a1disp3.cgi access +SecFilterSelective THE_REQUEST "/a1disp3\.cgi" log,pass + +# WEB-CGI a1stats access +SecFilterSelective THE_REQUEST "/a1stats/" log,pass + +# WEB-CGI admentor admin.asp access +SecFilterSelective THE_REQUEST "/admentor/admin/admin\.asp" log,pass + +# WEB-CGI alchemy http server PRN arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/PRN/\.\./\.\./" log,pass + +# WEB-CGI alchemy http server NUL arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/NUL/\.\./\.\./" log,pass + +# WEB-CGI alibaba.pl access +SecFilterSelective THE_REQUEST "/alibaba\.pl" log,pass + +# WEB-CGI AltaVista Intranet Search directory traversal attempt +SecFilterSelective THE_REQUEST "/query\?mss=\.\." 
+ +# WEB-CGI test.bat access +SecFilterSelective THE_REQUEST "/test\.bat" log,pass + +# WEB-CGI input.bat access +SecFilterSelective THE_REQUEST "/input\.bat" log,pass + +# WEB-CGI input2.bat access +SecFilterSelective THE_REQUEST "/input2\.bat" log,pass + +# WEB-CGI envout.bat access +SecFilterSelective THE_REQUEST "/envout\.bat" log,pass + +# WEB-CGI echo.bat arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/echo\.bat" chain +SecFilter "&" + +# WEB-CGI echo.bat access +SecFilterSelective THE_REQUEST "/echo\.bat" log,pass + +# WEB-CGI hello.bat arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/hello\.bat" chain +SecFilter "&" + +# WEB-CGI hello.bat access +SecFilterSelective THE_REQUEST "/hello\.bat" log,pass + +# WEB-CGI tst.bat access +SecFilterSelective THE_REQUEST "/tst\.bat" log,pass + +# WEB-CGI /cgi-bin/ls access +SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass + +# WEB-CGI cgimail access +SecFilterSelective THE_REQUEST "/cgimail" log,pass + +# WEB-CGI cgiwrap access +SecFilterSelective THE_REQUEST "/cgiwrap" log,pass + +# WEB-CGI csSearch.cgi arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/csSearch\.cgi" chain +SecFilter "`" + +# WEB-CGI csSearch.cgi access +SecFilterSelective THE_REQUEST "/csSearch\.cgi" log,pass + +# WEB-CGI /cart/cart.cgi access +SecFilterSelective THE_REQUEST "/cart/cart\.cgi" log,pass + +# WEB-CGI dbman db.cgi access +SecFilterSelective THE_REQUEST "/dbman/db\.cgi" log,pass + +# WEB-CGI DCShop access +SecFilterSelective THE_REQUEST "/dcshop" log,pass + +# WEB-CGI DCShop orders.txt access +SecFilterSelective THE_REQUEST "/orders/orders\.txt" log,pass + +# WEB-CGI DCShop auth_user_file.txt access +SecFilterSelective THE_REQUEST "/auth_data/auth_user_file\.txt" log,pass + +# WEB-CGI eshop.pl arbitrary commane execution attempt +SecFilterSelective THE_REQUEST "/eshop\.pl\?seite=\;" + +# WEB-CGI eshop.pl access +SecFilterSelective THE_REQUEST "/eshop\.pl" log,pass + +# 
WEB-CGI loadpage.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/loadpage\.cgi" chain +SecFilter "file=\.\./" + +# WEB-CGI loadpage.cgi access +SecFilterSelective THE_REQUEST "/loadpage\.cgi" log,pass + +# WEB-CGI faqmanager.cgi arbitrary file access attempt +SecFilterSelective THE_REQUEST "\x00" + +# WEB-CGI faqmanager.cgi access +SecFilterSelective THE_REQUEST "/faqmanager\.cgi" log,pass + +# WEB-CGI /fcgi-bin/echo.exe access +SecFilterSelective THE_REQUEST "/fcgi-bin/echo\.exe" log,pass + +# WEB-CGI FormHandler.cgi directory traversal attempt attempt +SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain +SecFilter "/\.\./" + +# WEB-CGI FormHandler.cgi external site redirection attempt +SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain +SecFilter "redirect=http" + +# WEB-CGI FormHandler.cgi access +SecFilterSelective THE_REQUEST "/FormHandler\.cgi" log,pass + +# WEB-CGI guestbook.cgi access +SecFilterSelective THE_REQUEST "/guestbook\.cgi" log,pass + +# WEB-CGI Home Free search.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/search\.cgi" chain +SecFilter "letter=\.\./\.\." 
+ +# WEB-CGI search.cgi access +SecFilterSelective THE_REQUEST "/search\.cgi" log,pass + +# WEB-CGI enivorn.pl access +SecFilterSelective THE_REQUEST "/enivron\.pl" log,pass + +# WEB-CGI campus attempt +SecFilterSelective THE_REQUEST "/campus\?\x0a" + +# WEB-CGI campus access +SecFilterSelective THE_REQUEST "/campus" log,pass + +# WEB-CGI cart32.exe access +SecFilterSelective THE_REQUEST "/cart32\.exe" log,pass + +# WEB-CGI pfdispaly.cgi arbitrary command execution attempt +SecFilterSelective THE_REQUEST "/pfdispaly\.cgi\?'" + +# WEB-CGI pfdispaly.cgi access +SecFilterSelective THE_REQUEST "/pfdispaly\.cgi" log,pass + +# WEB-CGI pagelog.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/pagelog\.cgi" chain +SecFilter "name=\.\./" log,pass + +# WEB-CGI pagelog.cgi access +SecFilterSelective THE_REQUEST "/pagelog\.cgi" log,pass + +# WEB-CGI ad.cgi access +SecFilterSelective THE_REQUEST "/ad\.cgi" log,pass + +# WEB-CGI bbs_forum.cgi access +SecFilterSelective THE_REQUEST "/bbs_forum\.cgi" log,pass + +# WEB-CGI bsguest.cgi access +SecFilterSelective THE_REQUEST "/bsguest\.cgi" log,pass + +# WEB-CGI bslist.cgi access +SecFilterSelective THE_REQUEST "/bslist\.cgi" log,pass + +# WEB-CGI cgforum.cgi access +SecFilterSelective THE_REQUEST "/cgforum\.cgi" log,pass + +# WEB-CGI newdesk access +SecFilterSelective THE_REQUEST "/newdesk" log,pass + +# WEB-CGI register.cgi access +SecFilterSelective THE_REQUEST "/register\.cgi" log,pass + +# WEB-CGI gbook.cgi access +SecFilterSelective THE_REQUEST "/gbook\.cgi" log,pass + +# WEB-CGI simplestguest.cgi access +SecFilterSelective THE_REQUEST "/simplestguest\.cgi" log,pass + +# WEB-CGI statusconfig.pl access +SecFilterSelective THE_REQUEST "/statusconfig\.pl" log,pass + +# WEB-CGI talkback.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/talkbalk\.cgi" chain +SecFilter "article=\.\./\.\./" + +# WEB-CGI talkback.cgi access +SecFilterSelective THE_REQUEST "/talkbalk\.cgi" log,pass + +# WEB-CGI adcycle 
access +SecFilterSelective THE_REQUEST "/adcycle" log,pass + +# WEB-CGI MachineInfo access +SecFilterSelective THE_REQUEST "/MachineInfo" log,pass + +# WEB-CGI emumail.cgi NULL attempt +SecFilterSelective THE_REQUEST "/emumail\.cgi" chain +SecFilter "\x00" log,pass + +# WEB-CGI emumail.cgi access +SecFilterSelective THE_REQUEST "/emumail\.cgi" log,pass + +# WEB-CGI document.d2w access +SecFilterSelective THE_REQUEST "/document\.d2w" log,pass + +# WEB-CGI db2www access +SecFilterSelective THE_REQUEST "/db2www" log,pass + +# WEB-CGI /cgi-bin/ access +SecFilterSelective THE_REQUEST "/cgi-bin/" chain +SecFilter "/cgi-bin/ HTTP" + +# WEB-CGI /cgi-dos/ access +SecFilterSelective THE_REQUEST "/cgi-dos/" chain +SecFilter "/cgi-dos/ HTTP" + +# WEB-CGI technote main.cgi file directory traversal attempt +SecFilterSelective THE_REQUEST "/technote/main\.cgi" chain +SecFilter "\.\./\.\./" + +# WEB-CGI technote print.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/technote/print\.cgi" chain +SecFilter "\x00" + +# WEB-CGI eXtropia webstore directory traversal +SecFilterSelective THE_REQUEST "/web_store\.cgi" chain +SecFilter "page=\.\./" + +# WEB-CGI eXtropia webstore access +SecFilterSelective THE_REQUEST "/web_store\.cgi" log,pass + +# WEB-CGI shopping cart directory traversal +SecFilterSelective THE_REQUEST "/shop\.cgi" chain +SecFilter "page=\.\./" + +# WEB-CGI Allaire Pro Web Shell attempt +SecFilterSelective THE_REQUEST "/authenticate\.cgi\?PASSWORD" chain +SecFilter "config\.ini" + +# WEB-CGI Armada Style Master Index directory traversal +SecFilterSelective THE_REQUEST "/search\.cgi\?keys" chain +SecFilter "catigory=\.\./" + +# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal +SecFilterSelective THE_REQUEST "/cached_feed\.cgi" chain +SecFilter "\.\./" + +# WEB-CGI cached_feed.cgi moreover shopping cart access +SecFilterSelective THE_REQUEST "/cached_feed\.cgi" log,pass + +# WEB-CGI Talentsoft Web+ exploit attempt +SecFilterSelective 
THE_REQUEST "/webplus\.cgi\?Script=/webplus/webping/webping\.wml" + +# WEB-CGI Poll-it access +SecFilterSelective THE_REQUEST "/pollit/Poll_It_SSI_v2\.0\.cgi" log,pass + +# WEB-CGI count.cgi access +SecFilterSelective THE_REQUEST "/count\.cgi" log,pass + +# WEB-CGI webdist.cgi arbitrary command attempt +SecFilterSelective THE_REQUEST "/webdist\.cgi" chain +SecFilter "distloc=\;" + +# WEB-CGI webdist.cgi access +SecFilterSelective THE_REQUEST "/webdist\.cgi" log,pass + +# WEB-CGI bigconf.cgi access +SecFilterSelective THE_REQUEST "/bigconf\.cgi" log,pass + +# WEB-CGI /cgi-bin/jj access +SecFilterSelective THE_REQUEST "/cgi-bin/jj" log,pass + +# WEB-CGI bizdbsearch attempt +SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" chain +SecFilter "mail" + +# WEB-CGI bizdbsearch access +SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" log,pass + +# WEB-CGI sojourn.cgi File attempt +SecFilterSelective THE_REQUEST "/sojourn\.cgi\?cat=" chain +SecFilter "\x00" + +# WEB-CGI sojourn.cgi access +SecFilterSelective THE_REQUEST "/sojourn\.cgi" log,pass + +# WEB-CGI SGI InfoSearch fname attempt +SecFilterSelective THE_REQUEST "/infosrch\.cgi\?" 
chain +SecFilter "fname=" + +# WEB-CGI SGI InfoSearch fname access +SecFilterSelective THE_REQUEST "/infosrch\.cgi" log,pass + +# WEB-CGI ax-admin.cgi access +SecFilterSelective THE_REQUEST "/ax-admin\.cgi" log,pass + +# WEB-CGI axs.cgi access +SecFilterSelective THE_REQUEST "/axs\.cgi" log,pass + +# WEB-CGI cachemgr.cgi access +SecFilterSelective THE_REQUEST "/cachemgr\.cgi" log,pass + +# WEB-CGI responder.cgi access +SecFilterSelective THE_REQUEST "/responder\.cgi" log,pass + +# WEB-CGI web-map.cgi access +SecFilterSelective THE_REQUEST "/web-map\.cgi" log,pass + +# WEB-CGI ministats admin access +SecFilterSelective THE_REQUEST "/ministats/admin\.cgi" log,pass + +# WEB-CGI dfire.cgi access +SecFilterSelective THE_REQUEST "/dfire\.cgi" log,pass + +# WEB-CGI txt2html.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/txt2html\.cgi" chain +SecFilter "/\.\./\.\./\.\./\.\./" + +# WEB-CGI txt2html.cgi access +SecFilterSelective THE_REQUEST "/txt2html\.cgi" log,pass + +# WEB-CGI store.cgi directory traversal attempt +SecFilterSelective THE_REQUEST "/store\.cgi" chain +SecFilter "\.\./" + +# WEB-CGI store.cgi access +SecFilterSelective THE_REQUEST "/store\.cgi" log,pass + +# WEB-CGI SIX webboard generate.cgi attempt +SecFilterSelective THE_REQUEST "/generate\.cgi" chain +SecFilter "content=\.\./" + +# WEB-CGI SIX webboard generate.cgi access +SecFilterSelective THE_REQUEST "/generate\.cgi" log,pass + +# WEB-CGI spin_client.cgi access +SecFilterSelective THE_REQUEST "/spin_client\.cgi" log,pass + +# WEB-CGI csPassword.cgi access +SecFilterSelective THE_REQUEST "/csPassword\.cgi" log,pass + +# WEB-CGI csPassword password.cgi.tmp access +SecFilterSelective THE_REQUEST "/password\.cgi\.tmp" log,pass + +# WEB-CGI Nortel Contivity cgiproc DOS attempt +SecFilterSelective THE_REQUEST "/cgiproc\?Nocfile=" + +# WEB-CGI Nortel Contivity cgiproc DOS attempt +SecFilterSelective THE_REQUEST "/cgiproc\?\$" + +# WEB-CGI Nortel Contivity cgiproc access +SecFilterSelective 
THE_REQUEST "/cgiproc" log,pass
+
+# WEB-CGI Oracle reports CGI access
+SecFilterSelective THE_REQUEST "/rwcgi60" chain
+SecFilter "setauth=" log,pass
+
+# WEB-CGI alienform.cgi access
+SecFilterSelective THE_REQUEST "/alienform\.cgi" log,pass
+
+# WEB-CGI AlienForm af.cgi access
+SecFilterSelective THE_REQUEST "/af\.cgi" log,pass
+
+# WEB-CGI story.pl arbitrary file read attempt
+SecFilterSelective THE_REQUEST "/story\.pl" chain
+SecFilter "next=\.\./"
+
+# WEB-CGI story.pl access
+SecFilterSelective THE_REQUEST "/story\.pl"
+
+# WEB-CGI siteUserMod.cgi access
+SecFilterSelective THE_REQUEST "/\.cobalt/siteUserMod/siteUserMod\.cgi" log,pass
+
+# WEB-CGI cgicso access
+SecFilterSelective THE_REQUEST "/cgicso" log,pass
+
+# WEB-CGI nph-publish.cgi access
+SecFilterSelective THE_REQUEST "/nph-publish\.cgi" log,pass
+
+# WEB-CGI printenv access
+SecFilterSelective THE_REQUEST "/printenv" log,pass
+
+# WEB-CGI sdbsearch.cgi access
+SecFilterSelective THE_REQUEST "/sdbsearch\.cgi" log,pass
+
+# WEB-CGI rpc-nlog.pl access
+SecFilterSelective THE_REQUEST "/rpc-nlog\.pl" log,pass
+
+# WEB-CGI rpc-smb.pl access
+SecFilterSelective THE_REQUEST "/rpc-smb\.pl" log,pass
+
+# WEB-CGI cart.cgi access
+SecFilterSelective THE_REQUEST "/cart\.cgi" log,pass
+
+# WEB-CGI vpasswd.cgi access
+SecFilterSelective THE_REQUEST "/vpasswd\.cgi" log,pass
+
+# WEB-CGI alya.cgi access
+SecFilterSelective THE_REQUEST "/alya\.cgi" log,pass
+
+# WEB-CGI viralator.cgi access
+SecFilterSelective THE_REQUEST "/viralator\.cgi" log,pass
+
+# WEB-CGI smartsearch.cgi access
+SecFilterSelective THE_REQUEST "/smartsearch\.cgi" log,pass
+
+# WEB-CGI mrtg.cgi directory traversal attempt
+SecFilterSelective THE_REQUEST "/mrtg\.cgi" chain
+SecFilter "cfg=/\.\./"
+
+# WEB-CGI overflow.cgi access
+SecFilterSelective THE_REQUEST "/overflow\.cgi" log,pass
+
+# WEB-CGI way-board.cgi access
+SecFilterSelective THE_REQUEST "/way-board\.cgi" log,pass
+
+# WEB-CGI process_bug.cgi access
+SecFilterSelective THE_REQUEST
"/process_bug\.cgi" log,pass
+
+# WEB-CGI enter_bug.cgi arbitrary command attempt
+SecFilterSelective THE_REQUEST "/enter_bug\.cgi" chain
+SecFilter "\;"
+
+# WEB-CGI enter_bug.cgi access
+SecFilterSelective THE_REQUEST "/enter_bug\.cgi" log,pass
+
+# WEB-CGI parse_xml.cgi access
+SecFilterSelective THE_REQUEST "/parse_xml\.cgi" log,pass
+
+# WEB-CGI streaming server parse_xml.cgi access
+SecFilter "/parse_xml\.cgi" log,pass
+
+# WEB-CGI album.pl access
+SecFilter "/album\.pl" log,pass
+
+# WEB-CGI chipcfg.cgi access
+SecFilterSelective THE_REQUEST "/chipcfg\.cgi" log,pass
+
+# WEB-CGI ikonboard.cgi access
+SecFilterSelective THE_REQUEST "/ikonboard\.cgi" log,pass
+
+# WEB-CGI swsrv.cgi access
+SecFilterSelective THE_REQUEST "/srsrv\.cgi" log,pass
+
+# WEB-CLIENT Outlook EML access
+SecFilterSelective THE_REQUEST "\.eml"
+
+# WEB-CLIENT XMLHttpRequest attempt
+SecFilter "file\://"
+
+# WEB-CLIENT readme.eml download attempt
+SecFilterSelective THE_REQUEST "/readme\.eml"
+
+# WEB-CLIENT readme.eml autoload attempt
+SecFilter "window\.open\(\"readme\.eml\""
+
+# WEB-CLIENT Javascript document.domain attempt
+SecFilter "document\.domain\("
+
+# WEB-CLIENT Javascript URL host spoofing attempt
+SecFilter "javascript\://"
+
+# WEB-COLDFUSION cfcache.map access
+SecFilterSelective THE_REQUEST "/cfcache\.map"
+
+# WEB-COLDFUSION exampleapp application.cfm
+SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/email/application\.cfm"
+
+# WEB-COLDFUSION application.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/publish/admin/application\.cfm"
+
+# WEB-COLDFUSION getfile.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/email/getfile\.cfm"
+
+# WEB-COLDFUSION addcontent.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/publish/admin/addcontent\.cfm"
+
+# WEB-COLDFUSION administrator access
+SecFilterSelective THE_REQUEST "/cfide/administrator/index\.cfm"
+
+# WEB-COLDFUSION datasource username attempt
+SecFilter
"CF_SETDATASOURCEUSERNAME\(\)"
+
+# WEB-COLDFUSION fileexists.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/snippets/fileexists\.cfm"
+
+# WEB-COLDFUSION exprcalc access
+SecFilterSelective THE_REQUEST "/cfdocs/expeval/exprcalc\.cfm"
+
+# WEB-COLDFUSION parks access
+SecFilterSelective THE_REQUEST "/cfdocs/examples/parks/detail\.cfm"
+
+# WEB-COLDFUSION cfappman access
+SecFilterSelective THE_REQUEST "/cfappman/index\.cfm"
+
+# WEB-COLDFUSION beaninfo access
+SecFilterSelective THE_REQUEST "/cfdocs/examples/cvbeans/beaninfo\.cfm"
+
+# WEB-COLDFUSION evaluate.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/snippets/evaluate\.cfm"
+
+# WEB-COLDFUSION getodbcdsn access
+SecFilter "CFUSION_GETODBCDSN\(\)"
+
+# WEB-COLDFUSION db connections flush attempt
+SecFilter "CFUSION_DBCONNECTIONS_FLUSH\(\)"
+
+# WEB-COLDFUSION expeval access
+SecFilterSelective THE_REQUEST "/cfdocs/expeval/"
+
+# WEB-COLDFUSION datasource passwordattempt
+SecFilter "CF_SETDATASOURCEPASSWORD\(\)"
+
+# WEB-COLDFUSION datasource attempt
+SecFilter "CF_ISCOLDFUSIONDATASOURCE\(\)"
+
+# WEB-COLDFUSION admin encrypt attempt
+SecFilter "CFUSION_ENCRYPT\(\)"
+
+# WEB-COLDFUSION displayfile access
+SecFilterSelective THE_REQUEST "/cfdocs/expeval/displayopenedfile\.cfm"
+
+# WEB-COLDFUSION getodbcin attempt
+SecFilter "CFUSION_GETODBCINI\(\)"
+
+# WEB-COLDFUSION admin decrypt attempt
+SecFilter "CFUSION_DECRYPT\(\)"
+
+# WEB-COLDFUSION mainframeset access
+SecFilterSelective THE_REQUEST "/cfdocs/examples/mainframeset\.cfm"
+
+# WEB-COLDFUSION set odbc ini attempt
+SecFilter "CFUSION_SETODBCINI\(\)"
+
+# WEB-COLDFUSION settings refresh attempt
+SecFilter "CFUSION_SETTINGS_REFRESH\(\)"
+
+# WEB-COLDFUSION exampleapp access
+SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/"
+
+# WEB-COLDFUSION CFUSION_VERIFYMAIL access
+SecFilter "CFUSION_VERIFYMAIL\(\)"
+
+# WEB-COLDFUSION snippets attempt
+SecFilterSelective THE_REQUEST "/cfdocs/snippets/"
+
+# WEB-COLDFUSION cfmlsyntaxcheck.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/cfmlsyntaxcheck\.cfm"
+
+# WEB-COLDFUSION application.cfm access
+SecFilterSelective THE_REQUEST "/application\.cfm"
+
+# WEB-COLDFUSION onrequestend.cfm access
+SecFilterSelective THE_REQUEST "/onrequestend\.cfm"
+
+# WEB-COLDFUSION startstop DOS access
+SecFilterSelective THE_REQUEST "/cfide/administrator/startstop\.html"
+
+# WEB-COLDFUSION gettempdirectory.cfm access
+SecFilterSelective THE_REQUEST "/cfdocs/snippets/gettempdirectory\.cfm"
+
+# WEB-COLDFUSION sendmail.cfm access
+SecFilterSelective THE_REQUEST "/sendmail\.cfm"
+
+# WEB-COLDFUSION ?Mode=debug attempt
+SecFilterSelective THE_REQUEST "Mode=debug" log,pass
+
+# WEB-FRONTPAGE rad fp30reg.dll access
+SecFilterSelective THE_REQUEST "/fp30reg\.dll" log,pass
+
+# WEB-FRONTPAGE frontpage rad fp4areg.dll access
+SecFilterSelective THE_REQUEST "/fp4areg\.dll" log,pass
+
+# WEB-FRONTPAGE _vti_rpc access
+SecFilterSelective THE_REQUEST "/_vti_rpc" log,pass
+
+# WEB-FRONTPAGE posting
+SecFilterSelective THE_REQUEST "/author\.dll" chain
+SecFilter "POST" log,pass
+
+# WEB-FRONTPAGE shtml.dll access
+SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.dll" log,pass
+
+# WEB-FRONTPAGE contents.htm access
+SecFilterSelective THE_REQUEST "/admcgi/contents\.htm" log,pass
+
+# WEB-FRONTPAGE orders.htm access
+SecFilterSelective THE_REQUEST "/_private/orders\.htm" log,pass
+
+# WEB-FRONTPAGE fpsrvadm.exe access
+SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass
+
+# WEB-FRONTPAGE fpremadm.exe access
+SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass
+
+# WEB-FRONTPAGE fpadmin.htm access
+SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass
+
+# WEB-FRONTPAGE fpadmcgi.exe access
+SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass
+
+# WEB-FRONTPAGE orders.txt access
+SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass
+
+# WEB-FRONTPAGE form_results access
+SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass
+
+#
WEB-FRONTPAGE registrations.htm access
+SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass
+
+# WEB-FRONTPAGE cfgwiz.exe access
+SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass
+
+# WEB-FRONTPAGE authors.pwd access
+SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass
+
+# WEB-FRONTPAGE author.exe access
+SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass
+
+# WEB-FRONTPAGE administrators.pwd access
+SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass
+
+# WEB-FRONTPAGE form_results.htm access
+SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass
+
+# WEB-FRONTPAGE access.cnf access
+SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass
+
+# WEB-FRONTPAGE register.txt access
+SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass
+
+# WEB-FRONTPAGE registrations.txt access
+SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass
+
+# WEB-FRONTPAGE service.cnf access
+SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass
+
+# WEB-FRONTPAGE service.pwd
+SecFilterSelective THE_REQUEST "/service\.pwd" log,pass
+
+# WEB-FRONTPAGE service.stp access
+SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass
+
+# WEB-FRONTPAGE services.cnf access
+SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass
+
+# WEB-FRONTPAGE shtml.exe access
+SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass
+
+# WEB-FRONTPAGE svcacl.cnf access
+SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass
+
+# WEB-FRONTPAGE users.pwd access
+SecFilterSelective THE_REQUEST "/users\.pwd" log,pass
+
+# WEB-FRONTPAGE writeto.cnf access
+SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass
+
+# WEB-FRONTPAGE dvwssr.dll access
+SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass
+
+# WEB-FRONTPAGE register.htm access
+SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass
+
+# WEB-FRONTPAGE /_vti_bin/ access
+SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass
+
+# WEB-IIS MDAC Content-Type overflow attempt
+SecFilterSelective THE_REQUEST "/msadcs\.dll" chain
+SecFilter "Content-Type\:"
+
+# WEB-IIS repost.asp access
+SecFilterSelective THE_REQUEST "/scripts/repost\.asp" log,pass
+
+# WEB-IIS .htr Transfer-Encoding\: chunked
+SecFilterSelective THE_REQUEST "\.htr" chain
+SecFilter "chunked"
+
+# WEB-IIS .asp Transfer-Encoding\: chunked
+SecFilterSelective THE_REQUEST "\.asp" chain
+SecFilter "chunked"
+
+# WEB-IIS /StoreCSVS/InstantOrder.asmx request
+SecFilterSelective THE_REQUEST "/StoreCSVS/InstantOrder\.asmx" log,pass
+
+# WEB-IIS users.xml access
+SecFilterSelective THE_REQUEST "/users\.xml" log,pass
+
+# WEB-IIS as_web.exe access
+SecFilterSelective THE_REQUEST "/as_web\.exe" log,pass
+
+# WEB-IIS as_web4.exe access
+SecFilterSelective THE_REQUEST "/as_web4\.exe" log,pass
+
+# WEB-IIS NewsPro administration authentication attempt
+SecFilter "logged,true" log,pass
+
+# WEB-IIS pbserver access
+SecFilterSelective THE_REQUEST "/pbserver/pbserver\.dll" log,pass
+
+# WEB-IIS trace.axd access
+SecFilterSelective THE_REQUEST "/trace\.axd" log,pass
+
+# WEB-IIS /isapi/tstisapi.dll access
+SecFilterSelective THE_REQUEST "/isapi/tstisapi\.dll" log,pass
+
+# WEB-IIS mkilog.exe access
+SecFilterSelective THE_REQUEST "/mkilog\.exe" log,pass
+
+# WEB-IIS ctss.idc access
+SecFilterSelective THE_REQUEST "/ctss\.idc" log,pass
+
+# WEB-IIS /iisadmpwd/aexp2.htr access
+SecFilterSelective THE_REQUEST "/iisadmpwd/aexp2\.htr" log,pass
+
+# WEB-IIS WebDAV file lock attempt
+SecFilter "LOCK " log,pass
+
+# WEB-IIS ISAPI .printer access
+SecFilterSelective THE_REQUEST "\.printer" log,pass
+
+# WEB-IIS ISAPI .ida attempt
+SecFilterSelective THE_REQUEST "\.ida\?"
+
+# WEB-IIS ISAPI .ida access
+SecFilterSelective THE_REQUEST "\.ida" log,pass
+
+# WEB-IIS ISAPI .idq attempt
+SecFilterSelective THE_REQUEST "\.idq\?"
+
+# WEB-IIS ISAPI .idq access
+SecFilterSelective THE_REQUEST "\.idq" log,pass
+
+# WEB-IIS %2E-asp access
+SecFilterSelective THE_REQUEST "\x2e\.asp" log,pass
+
+# WEB-IIS *.idc attempt
+SecFilterSelective THE_REQUEST "/*\.idc"
+
+# WEB-IIS .bat? access
+SecFilterSelective THE_REQUEST "\.bat\?" log,pass
+
+# WEB-IIS .cnf access
+SecFilterSelective THE_REQUEST "\.cnf" log,pass
+
+# WEB-IIS ASP contents view
+SecFilter "&CiHiliteType=Full"
+
+# WEB-IIS ASP contents view
+SecFilterSelective THE_REQUEST "\.htw\?CiWebHitsFile"
+
+# WEB-IIS CGImail.exe access
+SecFilterSelective THE_REQUEST "/scripts/CGImail\.exe" log,pass
+
+# WEB-IIS unicode directory traversal attempt
+SecFilter "/\.\.\xc0\xaf\.\./"
+
+# WEB-IIS unicode directory traversal attempt
+SecFilter "/\.\.\xc1\x1c\.\./"
+
+# WEB-IIS unicode directory traversal attempt
+SecFilter "/\.\.\xc1\x9c\.\./"
+
+# WEB-IIS unicode directory traversal attempt
+SecFilter "/\.\.\x255c\.\."
+
+# WEB-IIS MSProxy access
+SecFilterSelective THE_REQUEST "/scripts/proxy/w3proxy\.dll" log,pass
+
+# WEB-IIS +.htr code fragment attempt
+SecFilterSelective THE_REQUEST "\+\.htr"
+
+# WEB-IIS .htr access
+SecFilterSelective THE_REQUEST "\.htr" log,pass
+
+# WEB-IIS SAM Attempt
+SecFilter "sam\._"
+
+# WEB-IIS Unicode2.pl script (File permission canonicalization)
+SecFilterSelective THE_REQUEST "/sensepost\.exe" log,pass
+
+# WEB-IIS _vti_inf access
+SecFilterSelective THE_REQUEST "_vti_inf\.html" log,pass
+
+# WEB-IIS achg.htr access
+SecFilterSelective THE_REQUEST "/iisadmpwd/achg\.htr" log,pass
+
+# WEB-IIS /scripts/iisadmin/default.htm access
+SecFilterSelective THE_REQUEST "/scripts/iisadmin/default\.htm"
+
+# WEB-IIS ism.dll access
+SecFilterSelective THE_REQUEST "/scripts/iisadmin/ism\.dll\?http/dir"
+
+# WEB-IIS anot.htr access
+SecFilterSelective THE_REQUEST "/iisadmpwd/anot" log,pass
+
+# WEB-IIS asp-dot attempt
+SecFilterSelective THE_REQUEST "\.asp\."
+
+# WEB-IIS asp-srch attempt
+SecFilterSelective THE_REQUEST "#filename=*\.asp"
+
+# WEB-IIS bdir.htr access
+SecFilterSelective THE_REQUEST "/bdir\.htr" log,pass
+
+# WEB-IIS cmd32.exe access
+SecFilter "cmd32\.exe"
+
+# WEB-IIS cmd.exe access
+SecFilter "cmd\.exe"
+
+# WEB-IIS cmd? access
+SecFilter "\.cmd\?&"
+
+# WEB-IIS cross-site scripting attempt
+SecFilterSelective THE_REQUEST "/Form_JScript\.asp"
+
+# WEB-IIS cross-site scripting attempt
+SecFilterSelective THE_REQUEST "/Form_VBScript\.asp"
+
+# WEB-IIS directory listing
+SecFilterSelective THE_REQUEST "/ServerVariables_Jscript\.asp"
+
+# WEB-IIS exec-src access
+SecFilter "#filename=*\.exe" log,pass
+
+# WEB-IIS fpcount attempt
+SecFilterSelective THE_REQUEST "/fpcount\.exe" chain
+SecFilter "Digits="
+
+# WEB-IIS fpcount access
+SecFilterSelective THE_REQUEST "/fpcount\.exe" log,pass
+
+# WEB-IIS getdrvs.exe access
+SecFilterSelective THE_REQUEST "/scripts/tools/getdrvs\.exe" log,pass
+
+# WEB-IIS global.asa access
+SecFilterSelective THE_REQUEST "/global\.asa" log,pass
+
+# WEB-IIS idc-srch attempt
+SecFilter "#filename=*\.idc"
+
+# WEB-IIS iisadmpwd attempt
+SecFilterSelective THE_REQUEST "/iisadmpwd/aexp"
+
+# WEB-IIS index server file source code attempt
+SecFilterSelective THE_REQUEST "\?CiWebHitsFile=/" chain
+SecFilter "&CiRestriction=none&CiHiliteType=Full"
+
+# WEB-IIS ism.dll attempt
+SecFilterSelective THE_REQUEST "\x20\x20\x20\x20\x20\.htr"
+
+# WEB-IIS jet vba access
+SecFilterSelective THE_REQUEST "/advworks/equipment/catalog_type\.asp" log,pass
+
+# WEB-IIS msadcs.dll access
+SecFilterSelective THE_REQUEST "/msadcs\.dll" log,pass
+
+# WEB-IIS newdsn.exe access
+SecFilterSelective THE_REQUEST "/scripts/tools/newdsn\.exe" log,pass
+
+# WEB-IIS perl access
+SecFilterSelective THE_REQUEST "/scripts/perl" log,pass
+
+# WEB-IIS perl-browse0a attempt
+SecFilterSelective THE_REQUEST "\x0a\.pl"
+
+# WEB-IIS perl-browse20 attempt
+SecFilterSelective THE_REQUEST "\x20\.pl"
+
+# WEB-IIS search97.vts
access
+SecFilterSelective THE_REQUEST "/search97\.vts" log,pass
+
+# WEB-IIS showcode.asp access
+SecFilterSelective THE_REQUEST "/showcode\.asp" log,pass
+
+# WEB-IIS site server config access
+SecFilterSelective THE_REQUEST "/adsamples/config/site\.csc" log,pass
+
+# WEB-IIS srch.htm access
+SecFilterSelective THE_REQUEST "/samples/isapi/srch\.htm" log,pass
+
+# WEB-IIS srchadm access
+SecFilterSelective THE_REQUEST "/srchadm" log,pass
+
+# WEB-IIS uploadn.asp access
+SecFilterSelective THE_REQUEST "/scripts/uploadn\.asp" log,pass
+
+# WEB-IIS viewcode.asp access
+SecFilterSelective THE_REQUEST "/viewcode\.asp" log,pass
+
+# WEB-IIS webhits access
+SecFilterSelective THE_REQUEST "\.htw" log,pass
+
+# WEB-IIS doctodep.btr access
+SecFilterSelective THE_REQUEST "doctodep\.btr" log,pass
+
+# WEB-IIS site/iisamples access
+SecFilterSelective THE_REQUEST "/site/iisamples" log,pass
+
+# WEB-IIS CodeRed v2 root.exe access
+SecFilterSelective THE_REQUEST "/root\.exe"
+
+# WEB-IIS /scripts/samples/ access
+SecFilterSelective THE_REQUEST "/scripts/samples/"
+
+# WEB-IIS /msadc/samples/ access
+SecFilterSelective THE_REQUEST "/msadc/samples/"
+
+# WEB-IIS iissamples access
+SecFilterSelective THE_REQUEST "/iissamples/"
+
+# WEB-IIS multiple decode attempt
+SecFilterSelective THE_REQUEST "\.\."
+
+# WEB-IIS iisadmin access
+SecFilterSelective THE_REQUEST "/iisadmin"
+
+# WEB-IIS msdac access
+SecFilterSelective THE_REQUEST "/msdac/" log,pass
+
+# WEB-IIS _mem_bin access
+SecFilterSelective THE_REQUEST "/_mem_bin/" log,pass
+
+# WEB-IIS htimage.exe access
+SecFilterSelective THE_REQUEST "/htimage\.exe" log,pass
+
+# WEB-IIS MS Site Server default login attempt
+SecFilterSelective THE_REQUEST "/SiteServer/Admin/knowledge/persmbr/" chain
+SecFilter "Authorization\: Basic TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="
+
+# WEB-IIS MS Site Server admin attempt
+SecFilterSelective THE_REQUEST "/Site Server/Admin/knowledge/persmbr/"
+
+# WEB-IIS postinfo.asp access
+SecFilterSelective THE_REQUEST "/scripts/postinfo\.asp" log,pass
+
+# WEB-IIS /exchange/root.asp attempt
+SecFilterSelective THE_REQUEST "/exchange/root\.asp\?acs=anon"
+
+# WEB-IIS /exchange/root.asp access
+SecFilterSelective THE_REQUEST "/exchange/root\.asp" log,pass
+
+# WEB-IIS Battleaxe Forum login.asp access
+SecFilterSelective THE_REQUEST "myaccount/login\.asp" log,pass
+
+# WEB-IIS nsiislog.dll access
+SecFilterSelective THE_REQUEST "/nsiislog\.dll" log,pass
+
+# WEB-IIS IISProtect siteadmin.asp access
+SecFilterSelective THE_REQUEST "/iisprotect/admin/SiteAdmin\.asp" log,pass
+
+# WEB-IIS IISProtect globaladmin.asp access
+SecFilterSelective THE_REQUEST "/iisprotect/admin/GlobalAdmin\.asp" log,pass
+
+# WEB-IIS IISProtect access
+SecFilterSelective THE_REQUEST "/iisprotect/admin/" log,pass
+
+# WEB-IIS Synchrologic Email Accelerator userid list access attempt
+SecFilterSelective THE_REQUEST "/en/admin/aggregate\.asp" log,pass
+
+# WEB-IIS MS BizTalk server access
+SecFilterSelective THE_REQUEST "/biztalkhttpreceive\.dll" log,pass
+
+# WEB-IIS register.asp access
+SecFilterSelective THE_REQUEST "/register\.asp" log,pass
+
+# WEB-MISC cross site scripting attempt
+SecFilter "<SCRIPT>"
+
+# WEB-MISC cross site scripting \(img src=javascript\) attempt
+SecFilter "img src=javascript"
+
+# WEB-MISC
Cisco IOS HTTP configuration attempt
+SecFilterSelective THE_REQUEST "/exec/"
+
+# WEB-MISC Netscape Enterprise DOS
+SecFilter "REVLOG / "
+
+# WEB-MISC Netscape Enterprise directory listing attempt
+SecFilter "INDEX "
+
+# WEB-MISC iPlanet GETPROPERTIES attempt
+SecFilter "GETPROPERTIES"
+
+# WEB-MISC weblogic view source attempt
+SecFilterSelective THE_REQUEST "\.js\x70"
+
+# WEB-MISC Tomcat directory traversal attempt
+SecFilterSelective THE_REQUEST "\x00\.jsp"
+
+# WEB-MISC Tomcat view source attempt
+SecFilterSelective THE_REQUEST "\x252ejsp"
+
+# WEB-MISC ftp attempt
+SecFilter "ftp\.exe" log,pass
+
+# WEB-MISC xp_enumdsn attempt
+SecFilter "xp_enumdsn"
+
+# WEB-MISC xp_filelist attempt
+SecFilter "xp_filelist"
+
+# WEB-MISC xp_availablemedia attempt
+SecFilter "xp_availablemedia"
+
+# WEB-MISC xp_cmdshell attempt
+SecFilter "xp_cmdshell"
+
+# WEB-MISC nc.exe attempt
+SecFilter "nc\.exe" log,pass
+
+# WEB-MISC wsh attempt
+SecFilter "wsh\.exe" log,pass
+
+# WEB-MISC rcmd attempt
+SecFilter "rcmd\.exe" log,pass
+
+# WEB-MISC telnet attempt
+SecFilter "telnet\.exe" log,pass
+
+# WEB-MISC net attempt
+SecFilter "net\.exe" log,pass
+
+# WEB-MISC tftp attempt
+SecFilter "tftp\.exe" log,pass
+
+# WEB-MISC xp_regread attempt
+SecFilter "xp_regread" log,pass
+
+# WEB-MISC xp_regwrite attempt
+SecFilter "xp_regwrite" log,pass
+
+# WEB-MISC xp_regdeletekey attempt
+SecFilter "xp_regdeletekey" log,pass
+
+# WEB-MISC WebDAV search access
+SecFilter "SEARCH " log,pass
+
+# WEB-MISC .htpasswd access
+SecFilter "\.htpasswd"
+
+# WEB-MISC Lotus Domino directory traversal
+SecFilterSelective THE_REQUEST "\.\./"
+
+# WEB-MISC queryhit.htm access
+SecFilterSelective THE_REQUEST "/samples/search/queryhit\.htm" log,pass
+
+# WEB-MISC counter.exe access
+SecFilterSelective THE_REQUEST "/scripts/counter\.exe" log,pass
+
+# WEB-MISC WebDAV propfind access
+SecFilter "xmlns\:a=\"DAV\">" log,pass
+
+# WEB-MISC unify eWave ServletExec upload
+SecFilterSelective THE_REQUEST
"/servlet/com\.unify\.servletexec\.UploadServlet"
+
+# WEB-MISC Netscape Servers suite DOS
+SecFilterSelective THE_REQUEST "/dsgw/bin/search\?context="
+
+# WEB-MISC amazon 1-click cookie theft
+SecFilter "ref\x3Cscript\x20language\x3D\x22Javascript"
+
+# WEB-MISC unify eWave ServletExec DOS
+SecFilterSelective THE_REQUEST "/servlet/ServletExec" log,pass
+
+# WEB-MISC Allaire JRUN DOS attempt
+SecFilterSelective THE_REQUEST "servlet/\.\.\.\.\.\.\."
+
+# WEB-MISC ICQ Webfront HTTP DOS
+SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"
+
+# WEB-MISC Talentsoft Web+ Source Code view access
+SecFilterSelective THE_REQUEST "/webplus\.exe\?script=test\.wml"
+
+# WEB-MISC Talentsoft Web+ internal IP Address access
+SecFilterSelective THE_REQUEST "/webplus\.exe\?about" log,pass
+
+# WEB-MISC SmartWin CyberOffice Shopping Cart access
+SecFilterSelective THE_REQUEST "_private/shopping_cart\.mdb"
+
+# WEB-MISC cybercop scan
+SecFilterSelective THE_REQUEST "/cybercop" log,pass
+
+# WEB-MISC Nessus 404 probe
+SecFilterSelective THE_REQUEST "/nessus_is_probing_you_"
+
+# WEB-MISC Netscape admin passwd
+SecFilterSelective THE_REQUEST "/admin-serv/config/admpw"
+
+# WEB-MISC BigBrother access
+SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC"
+
+# WEB-MISC ftp.pl attempt
+SecFilterSelective THE_REQUEST "/ftp\.pl\?dir=\.\./\.\."
+
+# WEB-MISC ftp.pl access
+SecFilterSelective THE_REQUEST "/ftp\.pl" log,pass
+
+# WEB-MISC Tomcat server snoop access
+SecFilterSelective THE_REQUEST "\.snp"
+
+# WEB-MISC apache source.asp file access
+SecFilterSelective THE_REQUEST "/site/eg/source\.asp"
+
+# WEB-MISC Tomcat server exploit access
+SecFilterSelective THE_REQUEST "/contextAdmin/contextAdmin\.html"
+
+# WEB-MISC http directory traversal
+SecFilter "\.\.\\"
+
+# WEB-MISC ICQ webserver DOS
+SecFilterSelective THE_REQUEST "\.html/\.\.\.\.\.\."
+
+# WEB-MISC Lotus DelDoc attempt
+SecFilterSelective THE_REQUEST "\?DeleteDocument"
+
+# WEB-MISC Lotus EditDoc attempt
+SecFilterSelective THE_REQUEST "\?EditDocument"
+
+# WEB-MISC ls%20-l
+SecFilter "ls\x20-l"
+
+# WEB-MISC mlog.phtml access
+SecFilterSelective THE_REQUEST "/mlog\.phtml"
+
+# WEB-MISC mylog.phtml access
+SecFilterSelective THE_REQUEST "/mylog\.phtml"
+
+# WEB-MISC /etc/passwd
+SecFilter "/etc/passwd"
+
+# WEB-MISC ?PageServices access
+SecFilterSelective THE_REQUEST "\?PageServices"
+
+# WEB-MISC Ecommerce check.txt access
+SecFilterSelective THE_REQUEST "/config/check\.txt"
+
+# WEB-MISC webcart access
+SecFilterSelective THE_REQUEST "/webcart/"
+
+# WEB-MISC AuthChangeUrl access
+SecFilterSelective THE_REQUEST "_AuthChangeUrl\?"
+
+# WEB-MISC convert.bas access
+SecFilterSelective THE_REQUEST "/scripts/convert\.bas"
+
+# WEB-MISC cpshost.dll access
+SecFilterSelective THE_REQUEST "/scripts/cpshost\.dll"
+
+# WEB-MISC .htaccess access
+SecFilter "\.htaccess"
+
+# WEB-MISC .wwwacl access
+SecFilterSelective THE_REQUEST "\.wwwacl"
+
+# WEB-MISC .wwwacl access
+SecFilterSelective THE_REQUEST "\.www_acl"
+
+# WEB-MISC cd..
+SecFilter "cd\.\."
+
+# WEB-MISC guestbook.pl access
+SecFilterSelective THE_REQUEST "/guestbook\.pl"
+
+# WEB-MISC handler access
+SecFilterSelective THE_REQUEST "/handler" log,pass
+
+# WEB-MISC /.... access
+SecFilter "/\.\.\.\."
+
+# WEB-MISC ///cgi-bin access
+SecFilterSelective THE_REQUEST "///cgi-bin"
+
+# WEB-MISC /cgi-bin/// access
+SecFilterSelective THE_REQUEST "/cgi-bin///"
+
+# WEB-MISC /~root access
+SecFilterSelective THE_REQUEST "/~root"
+
+# WEB-MISC /~ftp access
+SecFilterSelective THE_REQUEST "/~ftp"
+
+# WEB-MISC Ecommerce import.txt access
+SecFilterSelective THE_REQUEST "/config/import\.txt"
+
+# WEB-MISC cat%20 access
+SecFilter "cat\x20"
+
+# WEB-MISC Ecommerce import.txt access
+SecFilterSelective THE_REQUEST "/orders/import\.txt"
+
+# WEB-MISC Domino catalog.nsf access
+SecFilterSelective THE_REQUEST "/catalog\.nsf"
+
+# WEB-MISC Domino domcfg.nsf access
+SecFilterSelective THE_REQUEST "/domcfg\.nsf"
+
+# WEB-MISC Domino domlog.nsf access
+SecFilterSelective THE_REQUEST "/domlog\.nsf"
+
+# WEB-MISC Domino log.nsf access
+SecFilterSelective THE_REQUEST "/log\.nsf"
+
+# WEB-MISC Domino names.nsf access
+SecFilterSelective THE_REQUEST "/names\.nsf"
+
+# WEB-MISC Domino mab.nsf access
+SecFilterSelective THE_REQUEST "/mab\.nsf"
+
+# WEB-MISC Domino cersvr.nsf access
+SecFilterSelective THE_REQUEST "/cersvr\.nsf"
+
+# WEB-MISC Domino setup.nsf access
+SecFilterSelective THE_REQUEST "/setup\.nsf"
+
+# WEB-MISC Domino statrep.nsf access
+SecFilterSelective THE_REQUEST "/statrep\.nsf"
+
+# WEB-MISC Domino webadmin.nsf access
+SecFilterSelective THE_REQUEST "/webadmin\.nsf"
+
+# WEB-MISC Domino events4.nsf access
+SecFilterSelective THE_REQUEST "/events4\.nsf"
+
+# WEB-MISC Domino ntsync4.nsf access
+SecFilterSelective THE_REQUEST "/ntsync4\.nsf"
+
+# WEB-MISC Domino collect4.nsf access
+SecFilterSelective THE_REQUEST "/collect4\.nsf"
+
+# WEB-MISC Domino mailw46.nsf access
+SecFilterSelective THE_REQUEST "/mailw46\.nsf"
+
+# WEB-MISC Domino bookmark.nsf access
+SecFilterSelective THE_REQUEST "/bookmark\.nsf"
+
+# WEB-MISC Domino agentrunner.nsf access
+SecFilterSelective THE_REQUEST "/agentrunner\.nsf"
+
+# WEB-MISC Domino mail.box access
+SecFilterSelective THE_REQUEST
"/mail\.box"
+
+# WEB-MISC Ecommerce checks.txt access
+SecFilterSelective THE_REQUEST "/orders/checks\.txt"
+
+# WEB-MISC Netscape PublishingXpert access
+SecFilterSelective THE_REQUEST "/PSUser/PSCOErrPage\.htm" log,pass
+
+# WEB-MISC windmail.exe access
+SecFilterSelective THE_REQUEST "/windmail\.exe"
+
+# WEB-MISC webplus access
+SecFilterSelective THE_REQUEST "/webplus\?script"
+
+# WEB-MISC Netscape dir index wp
+SecFilterSelective THE_REQUEST "\?wp-"
+
+# WEB-MISC cart 32 AdminPwd access
+SecFilterSelective THE_REQUEST "/c32web\.exe/ChangeAdminPassword"
+
+# WEB-MISC shopping cart access
+SecFilterSelective THE_REQUEST "/quikstore\.cfg"
+
+# WEB-MISC Novell Groupwise gwweb.exe attempt
+SecFilterSelective THE_REQUEST "/GWWEB\.EXE\?HELP="
+
+# WEB-MISC Novell Groupwise gwweb.exe access
+SecFilter "/GWWEB\.EXE"
+
+# WEB-MISC ws_ftp.ini access
+SecFilterSelective THE_REQUEST "/ws_ftp\.ini"
+
+# WEB-MISC rpm_query access
+SecFilterSelective THE_REQUEST "/rpm_query"
+
+# WEB-MISC mall log order access
+SecFilterSelective THE_REQUEST "/mall_log_files/order\.log"
+
+# WEB-MISC architext_query.pl access
+SecFilterSelective THE_REQUEST "/ews/architext_query\.pl"
+
+# WEB-MISC wwwboard.pl access
+SecFilterSelective THE_REQUEST "/wwwboard\.pl"
+
+# WEB-MISC order.log access
+SecFilterSelective THE_REQUEST "/admin_files/order\.log"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-verify-link"
+
+# WEB-MISC get32.exe access
+SecFilterSelective THE_REQUEST "/get32\.exe"
+
+# WEB-MISC Annex Terminal DOS attempt
+SecFilterSelective THE_REQUEST "/ping\?query="
+
+# WEB-MISC cgitest.exe access
+SecFilterSelective THE_REQUEST "/cgitest\.exe" log,pass
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-cs-dump"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-ver-info"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective
THE_REQUEST "\?wp-ver-diff"
+
+# WEB-MISC SalesLogix Eviewer web command attempt
+SecFilterSelective THE_REQUEST "/slxweb\.dll/admin\?command="
+
+# WEB-MISC SalesLogix Eviewer access
+SecFilterSelective THE_REQUEST "/slxweb\.dll" log,pass
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-start-ver"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-stop-ver"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-uncheckout"
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-html-rend"
+
+# WEB-MISC Trend Micro OfficeScan attempt
+SecFilterSelective THE_REQUEST "event="
+
+# WEB-MISC Trend Micro OfficeScan access
+SecFilterSelective THE_REQUEST "/officescan/cgi/jdkRqNotify\.exe"
+
+# WEB-MISC oracle web arbitrary command execution attempt
+SecFilterSelective THE_REQUEST "\?&"
+
+# WEB-MISC oracle web application server access
+SecFilterSelective THE_REQUEST "/ows-bin/" log,pass
+
+# WEB-MISC Netscape Enterprise Server directory view
+SecFilterSelective THE_REQUEST "\?wp-usr-prop"
+
+# WEB-MISC search.vts access
+SecFilterSelective THE_REQUEST "/search\.vts"
+
+# WEB-MISC htgrep attempt
+SecFilterSelective THE_REQUEST "/htgrep" chain
+SecFilter "hdr=/"
+
+# WEB-MISC htgrep access
+SecFilterSelective THE_REQUEST "/htgrep" log,pass
+
+# WEB-MISC .nsconfig access
+SecFilterSelective THE_REQUEST "/\.nsconfig"
+
+# WEB-MISC Admin_files access
+SecFilterSelective THE_REQUEST "/admin_files"
+
+# WEB-MISC backup access
+SecFilterSelective THE_REQUEST "/backup"
+
+# WEB-MISC intranet access
+SecFilterSelective THE_REQUEST "/intranet/"
+
+# WEB-MISC filemail access
+SecFilterSelective THE_REQUEST "/filemail"
+
+# WEB-MISC plusmail access
+SecFilterSelective THE_REQUEST "/plusmail"
+
+# WEB-MISC adminlogin access
+SecFilterSelective THE_REQUEST "/adminlogin"
+
+# WEB-MISC ultraboard access
+SecFilterSelective
THE_REQUEST "/ultraboard"
+
+# WEB-MISC musicat empower attempt
+SecFilterSelective THE_REQUEST "/empower\?DB="
+
+# WEB-MISC musicat empower access
+SecFilterSelective THE_REQUEST "/empower" log,pass
+
+# WEB-MISC ROADS search.pl attempt
+SecFilterSelective THE_REQUEST "/ROADS/cgi-bin/search\.pl" chain
+SecFilter "form="
+
+# WEB-MISC VirusWall FtpSave access
+SecFilterSelective THE_REQUEST "/FtpSave\.dll"
+
+# WEB-MISC VirusWall FtpSaveCSP access
+SecFilterSelective THE_REQUEST "/FtpSaveCSP\.dll"
+
+# WEB-MISC VirusWall FtpSaveCVP access
+SecFilterSelective THE_REQUEST "/FtpSaveCVP\.dll"
+
+# WEB-MISC Tomcat sourecode view
+SecFilterSelective THE_REQUEST "\.js\x2570"
+
+# WEB-MISC Tomcat sourecode view
+SecFilterSelective THE_REQUEST "\.j\x2573p"
+
+# WEB-MISC Tomcat sourecode view
+SecFilterSelective THE_REQUEST "\.\x256Asp"
+
+# WEB-MISC SWEditServlet directory traversal attempt
+SecFilterSelective THE_REQUEST "/SWEditServlet" chain
+SecFilter "template=\.\./\.\./\.\./"
+
+# WEB-MISC SWEditServlet access
+SecFilterSelective THE_REQUEST "/SWEditServlet"
+
+# WEB-MISC whisker HEAD/./
+SecFilter "HEAD/\./"
+
+# WEB-MISC HP OpenView Manager DOS
+SecFilterSelective THE_REQUEST "/OvCgi/OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid="
+
+# WEB-MISC long basic authorization string
+SecFilter "Authorization\: Basic "
+
+# WEB-MISC sml3com access
+SecFilterSelective THE_REQUEST "/graphics/sml3com" log,pass
+
+# WEB-MISC carbo.dll access
+SecFilterSelective THE_REQUEST "/carbo\.dll" chain
+SecFilter "icatcommand="
+
+# WEB-MISC console.exe access
+SecFilterSelective THE_REQUEST "/cgi-bin/console\.exe"
+
+# WEB-MISC cs.exe access
+SecFilterSelective THE_REQUEST "/cgi-bin/cs\.exe"
+
+# WEB-MISC http directory traversal
+SecFilter "\.\./"
+
+# WEB-MISC sadmind worm access
+SecFilter "GET x HTTP/1\.0"
+
+# WEB-MISC jrun directory browse attempt
+SecFilterSelective THE_REQUEST "/\x3f\.jsp"
+
+# WEB-MISC mod-plsql administration access
+SecFilterSelective THE_REQUEST
"/admin_/" log,pass
+
+# WEB-MISC Phorecast remote code execution attempt
+SecFilter "includedir="
+
+# WEB-MISC viewcode access
+SecFilterSelective THE_REQUEST "/viewcode"
+
+# WEB-MISC showcode access
+SecFilterSelective THE_REQUEST "/showcode"
+
+# WEB-MISC .history access
+SecFilterSelective THE_REQUEST "/\.history"
+
+# WEB-MISC .bash_history access
+SecFilterSelective THE_REQUEST "/\.bash_history"
+
+# WEB-MISC /~nobody access
+SecFilterSelective THE_REQUEST "/~nobody"
+
+# WEB-MISC RBS ISP /newuser directory traversal attempt
+SecFilterSelective THE_REQUEST "/newuser\?Image=\.\./\.\."
+
+# WEB-MISC RBS ISP /newuser access
+SecFilterSelective THE_REQUEST "/newuser" log,pass
+
+# WEB-MISC *%0a.pl access
+SecFilterSelective THE_REQUEST "/*\x0a\.pl"
+
+# WEB-MISC mkplog.exe access
+SecFilterSelective THE_REQUEST "/mkplog\.exe" log,pass
+
+# WEB-MISC mkilog.exe access
+SecFilterSelective THE_REQUEST "/mkilog\.exe" log,pass
+
+# WEB-MISC PCCS mysql database admin tool access
+SecFilter "pccsmysqladm/incs/dbconnect\.inc"
+
+# WEB-MISC .DS_Store access
+SecFilterSelective THE_REQUEST "/\.DS_Store" log,pass
+
+# WEB-MISC .FBCIndex access
+SecFilterSelective THE_REQUEST "/\.FBCIndex" log,pass
+
+# WEB-MISC ExAir access
+SecFilterSelective THE_REQUEST "/exair/search/" log,pass
+
+# WEB-MISC apache ?M=D directory list attempt
+SecFilterSelective THE_REQUEST "/\?M=D" log,pass
+
+# WEB-MISC server-info access
+SecFilterSelective THE_REQUEST "/server-info" log,pass
+
+# WEB-MISC server-status access
+SecFilterSelective THE_REQUEST "/server-status" log,pass
+
+# WEB-MISC ans.pl attempt
+SecFilterSelective THE_REQUEST "/ans\.pl\?p=\.\./\.\./"
+
+# WEB-MISC ans.pl access
+SecFilterSelective THE_REQUEST "/ans\.pl" log,pass
+
+# WEB-MISC AxisStorpoint CD attempt
+SecFilterSelective THE_REQUEST "/cd/\.\./config/html/cnf_gi\.htm"
+
+# WEB-MISC Axis Storpoint CD access
+SecFilterSelective THE_REQUEST "/config/html/cnf_gi\.htm" log,pass
+
+# WEB-MISC basilix sendmail.inc access
+SecFilterSelective THE_REQUEST "/inc/sendmail\.inc" log,pass
+
+# WEB-MISC basilix mysql.class access
+SecFilterSelective THE_REQUEST "/class/mysql\.class" log,pass
+
+# WEB-MISC BBoard access
+SecFilterSelective THE_REQUEST "/servlet/sunexamples\.BBoardServlet" log,pass
+
+# WEB-MISC Cisco Catalyst command execution attempt
+SecFilterSelective THE_REQUEST "/exec/show/config/cr" log,pass
+
+# WEB-MISC Cisco /%% DOS attempt
+SecFilterSelective THE_REQUEST "/%%"
+
+# WEB-MISC /CVS/Entries access
+SecFilterSelective THE_REQUEST "/CVS/Entries" log,pass
+
+# WEB-MISC cvsweb version access
+SecFilterSelective THE_REQUEST "/cvsweb/version" log,pass
+
+# WEB-MISC /doc/packages access
+SecFilterSelective THE_REQUEST "/doc/packages" log,pass
+
+# WEB-MISC /doc/ access
+SecFilterSelective THE_REQUEST "/doc/" log,pass
+
+# WEB-MISC ?open access
+SecFilterSelective THE_REQUEST "\?open" log,pass
+
+# WEB-MISC login.htm attempt
+SecFilterSelective THE_REQUEST "/login\.htm\?password=" log,pass
+
+# WEB-MISC login.htm access
+SecFilterSelective THE_REQUEST "/login\.htm" log,pass
+
+# WEB-MISC DELETE attempt
+SecFilter "DELETE " log,pass
+
+# WEB-MISC /home/ftp access
+SecFilterSelective THE_REQUEST "/home/ftp" log,pass
+
+# WEB-MISC /home/www access
+SecFilterSelective THE_REQUEST "/home/www" log,pass
+
+# WEB-MISC global.inc access
+SecFilterSelective THE_REQUEST "/global\.inc"
+
+# WEB-MISC SecureSite authentication bypass attempt
+SecFilter "secure_site, ok"
+
+# WEB-MISC b2 arbitrary command execution attempt
+SecFilterSelective THE_REQUEST "/b2/b2-include/" chain
+SecFilter "http\://"
+
+# WEB-MISC b2 access
+SecFilterSelective THE_REQUEST "/b2/b2-include/" chain
+SecFilter "http\://"
+
+# WEB-MISC search.dll directory listing attempt
+SecFilterSelective THE_REQUEST "/search\.dll" chain
+SecFilter "query=\x00"
+
+# WEB-MISC search.dll access
+SecFilterSelective THE_REQUEST "/search\.dll" log,pass
+
+# WEB-MISC PIX firewall manager directory traversal attempt
+SecFilterSelective THE_REQUEST "/\.\./\.\./"
+
+# WEB-MISC iChat directory traversal attempt
+SecFilterSelective THE_REQUEST "/\.\./\.\./" log,pass
+
+# WEB-MISC Delegate whois overflow attempt
+SecFilter "whois\://" log,pass
+
+# WEB-MISC nstelemetry.adp access
+SecFilterSelective THE_REQUEST "/nstelemetry\.adp" log,pass
+
+# WEB-MISC Compaq Insight directory traversal
+SecFilterSelective THE_REQUEST "\.\./"
+
+# WEB-MISC VirusWall catinfo access
+SecFilterSelective THE_REQUEST "/catinfo"
+
+# WEB-MISC VirusWall catinfo access
+SecFilterSelective THE_REQUEST "/catinfo"
+
+# WEB-MISC Apache Chunked-Encoding worm attempt
+SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
+
+# WEB-MISC Transfer-Encoding\: chunked
+SecFilter "chunked"
+
+# WEB-MISC CISCO VoIP DOS ATTEMPT
+SecFilterSelective THE_REQUEST "/StreamingStatistics"
+
+# WEB-MISC IBM Net.Commerce orderdspc.d2w access
+SecFilterSelective THE_REQUEST "/ncommerce3/ExecMacro/orderdspc\.d2w" log,pass
+
+# WEB-MISC WEB-INF access
+SecFilterSelective THE_REQUEST "/WEB-INF" log,pass
+
+# WEB-MISC Tomcat servlet mapping cross site scripting attempt
+SecFilterSelective THE_REQUEST "/org\.apache\."
+
+# WEB-MISC iPlanet Search directory traversal attempt
+SecFilterSelective THE_REQUEST "/search" chain
+SecFilter "\.\./\.\./"
+
+# WEB-MISC Tomcat TroubleShooter servlet access
+SecFilterSelective THE_REQUEST "/examples/servlet/TroubleShooter" log,pass
+
+# WEB-MISC Tomcat SnoopServlet servlet access
+SecFilterSelective THE_REQUEST "/examples/servlet/SnoopServlet" log,pass
+
+# WEB-MISC jigsaw dos attempt
+SecFilterSelective THE_REQUEST "/servlet/con"
+
+# WEB-MISC Macromedia SiteSpring cross site scripting attempt
+SecFilterSelective THE_REQUEST "<script"
+
+# WEB-MISC mailman cross site scripting attempt
+SecFilterSelective THE_REQUEST "<script"
+
+# WEB-MISC webalizer access
+SecFilterSelective THE_REQUEST "/webalizer/" log,pass
+
+# WEB-MISC webcart-lite access
+SecFilterSelective THE_REQUEST "/webcart-lite/" log,pass
+
+# WEB-MISC webfind.exe access
+SecFilterSelective THE_REQUEST "/webfind\.exe" log,pass
+
+# WEB-MISC active.log access
+SecFilterSelective THE_REQUEST "/active\.log" log,pass
+
+# WEB-MISC robots.txt access
+SecFilterSelective THE_REQUEST "/robots\.txt" log,pass
+
+# WEB-MISC robot.txt access
+SecFilterSelective THE_REQUEST "/robot\.txt" log,pass
+
+# WEB-MISC CISCO PIX Firewall Manager directory traversal attempt
+SecFilterSelective THE_REQUEST "/pixfir~1/how_to_login\.html"
+
+# WEB-MISC Sun JavaServer default password login attempt
+SecFilterSelective THE_REQUEST "/servlet/admin" chain
+SecFilter "ae9f86d6beaa3f9ecb9a5b7e072a4138"
+
+# WEB-MISC Linksys router default password login attempt \(\:admin\)
+SecFilter "Authorization\: Basic OmFkbWlu"
+
+# WEB-MISC Linksys router default password login attempt \(admin\:admin\)
+SecFilter "YWRtaW46YWRtaW4"
+
+# WEB-MISC Oracle XSQLConfig.xml access
+SecFilterSelective THE_REQUEST "/XSQLConfig\.xml" log,pass
+
+# WEB-MISC Oracle Dynamic Monitoring Services (dms) access
+SecFilterSelective THE_REQUEST "/dms0" log,pass
+
+# WEB-MISC globals.jsa access
+SecFilterSelective THE_REQUEST "/globals\.jsa" log,pass
+
+# WEB-MISC Oracle Java Process Manager access
+SecFilterSelective THE_REQUEST "/oprocmgr-status" log,pass
+
+# WEB-MISC /Carello/add.exe access
+SecFilterSelective THE_REQUEST "/Carello/add\.exe" log,pass
+
+# WEB-MISC /ecscripts/ecware.exe access
+SecFilterSelective THE_REQUEST "/ecscripts/ecware\.exe" log,pass
+
+# WEB-MISC ion-p access
+SecFilterSelective THE_REQUEST "/ion-p" log,pass
+
+# WEB-MISC SiteScope Service access
+SecFilterSelective THE_REQUEST "/SiteScope/cgi/go\.exe/SiteScope" log,pass
+
+# WEB-MISC answerbook2 admin attempt
+SecFilterSelective THE_REQUEST "/cgi-bin/admin/admin" log,pass
+
+# WEB-MISC answerbook2 arbitrary command execution attempt
+SecFilterSelective THE_REQUEST "/ab2/" chain
+SecFilter "\;"
+
+# WEB-MISC perl post attempt
+SecFilterSelective THE_REQUEST "/perl/" chain
+SecFilter "POST"
+
+# WEB-MISC TRACE attempt
+SecFilter "TRACE"
+
+# WEB-MISC helpout.exe access
+SecFilterSelective THE_REQUEST "/helpout\.exe" log,pass
+
+# WEB-MISC MsmMask.exe attempt
+SecFilterSelective THE_REQUEST "/MsmMask\.exe" chain
+SecFilter "mask="
+
+# WEB-MISC MsmMask.exe access
+SecFilterSelective THE_REQUEST "/MsmMask\.exe" log,pass
+
+# WEB-MISC DB4Web access
+SecFilterSelective THE_REQUEST "/DB4Web/" log,pass
+
+# WEB-MISC iPlanet .perf access
+SecFilterSelective THE_REQUEST "/\.perf" log,pass
+
+# WEB-MISC Demarc SQL injection attempt
+SecFilterSelective THE_REQUEST "/dm/demarc" chain
+SecFilter "'" log,pass
+
+# WEB-MISC Lotus Notes .csp script source download attempt
+SecFilterSelective THE_REQUEST "\.csp" chain
+SecFilter "\."
+
+# WEB-MISC Lotus Notes .pl script source download attempt
+SecFilterSelective THE_REQUEST "\.pl" chain
+SecFilter "\."
+
+# WEB-MISC Lotus Notes .exe script source download attempt
+SecFilterSelective THE_REQUEST "\.exe" chain
+SecFilter "\."
+
+# WEB-MISC BitKeeper arbitrary command attempt
+SecFilterSelective THE_REQUEST "/diffs/" chain
+SecFilter "'"
+
+# WEB-MISC chip.ini access
+SecFilterSelective THE_REQUEST "/chip\.ini" log,pass
+
+# WEB-MISC post32.exe access
+SecFilterSelective THE_REQUEST "/post32\.exe" log,pass
+
+# WEB-MISC lyris.pl access
+SecFilterSelective THE_REQUEST "/lyris\.pl" log,pass
+
+# WEB-MISC globals.pl access
+SecFilterSelective THE_REQUEST "/globals\.pl" log,pass
+
+# WEB-MISC philboard.mdb access
+SecFilterSelective THE_REQUEST "/philboard\.mdb" log,pass
+
+# WEB-MISC philboard_admin.asp authentication bypass attempt
+SecFilterSelective THE_REQUEST "/philboard_admin\.asp" chain
+SecFilter "philboard_admin=True"
+
+# WEB-MISC philboard_admin.asp access
+SecFilterSelective THE_REQUEST "/philboard_admin\.asp" log,pass
+
+# WEB-MISC logicworks.ini access
+SecFilterSelective THE_REQUEST "/logicworks\.ini" log,pass
+
+# WEB-MISC /*.shtml access
+SecFilterSelective THE_REQUEST "/*\.shtml" log,pass
+
+# WEB-MISC mod_gzip_status access
+SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
+
+# WEB-PHP bb_smilies.php access
+SecFilterSelective THE_REQUEST "/bb_smilies\.php" log,pass
+
+# WEB-PHP squirrel mail spell-check arbitrary command attempt
+SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
+SecFilter "SQSPELL_APP\["
+
+# WEB-PHP squirrel mail theme arbitrary command attempt
+SecFilterSelective THE_REQUEST "/left_main\.php" chain
+SecFilter "cmdd="
+
+# WEB-PHP DNSTools administrator authentication bypass attempt
+SecFilterSelective THE_REQUEST "/dnstools\.php" chain
+SecFilter "user_dnstools_administrator=true"
+
+# WEB-PHP DNSTools authentication bypass attempt
+SecFilterSelective THE_REQUEST "/dnstools\.php" chain
+SecFilter "user_logged_in=true"
+
+# WEB-PHP DNSTools access
+SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass
+
+# WEB-PHP Blahz-DNS dostuff.php modify user attempt
+SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"
+
+# WEB-PHP Blahz-DNS dostuff.php access
+SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
+
+# WEB-PHP Messagerie supp_membre.php access
+SecFilterSelective THE_REQUEST "/supp_membre\.php" log,pass
+
+# WEB-PHP php.exe access
+SecFilterSelective THE_REQUEST "/php\.exe" log,pass
+
+# WEB-PHP directory.php arbitrary command attempt
+SecFilterSelective THE_REQUEST "/directory\.php" chain
+SecFilter "\;"
+
+# WEB-PHP directory.php access
+SecFilterSelective THE_REQUEST "/directory\.php"
+
+# WEB-PHP PHP-Wiki cross site scripting attempt
+SecFilterSelective THE_REQUEST "<script"
+
+# WEB-PHP phpbb quick-reply.php arbitrary command attempt
+SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
+SecFilter "phpbb_root_path="
+
+# WEB-PHP phpbb quick-reply.php access
+SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
+
+# WEB-PHP read_body.php access attempt
+SecFilterSelective THE_REQUEST "/read_body\.php" log,pass
+
+# WEB-PHP calendar.php access
+SecFilterSelective THE_REQUEST "/calendar\.php" log,pass
+
+# WEB-PHP edit_image.php access
+SecFilterSelective THE_REQUEST "/edit_image\.php" log,pass
+
+# WEB-PHP readmsg.php access
+SecFilterSelective THE_REQUEST "/readmsg\.php" log,pass
+
+# WEB-PHP external include path
+SecFilterSelective THE_REQUEST "\.php" chain
+SecFilter "path=http\://"
+
+# WEB-PHP Phorum admin access
+SecFilterSelective THE_REQUEST "/admin\.php3"
+
+# WEB-PHP piranha passwd.php3 access
+SecFilterSelective THE_REQUEST "/passwd\.php3"
+
+# WEB-PHP Phorum read access
+SecFilterSelective THE_REQUEST "/read\.php3"
+
+# WEB-PHP Phorum violation access
+SecFilterSelective THE_REQUEST "/violation\.php3"
+
+# WEB-PHP Phorum code access
+SecFilterSelective THE_REQUEST "/code\.php3"
+
+# WEB-PHP admin.php file upload attempt
+SecFilterSelective THE_REQUEST "/admin\.php" chain
+SecFilter "file_name="
+
+# WEB-PHP admin.php access
+SecFilterSelective THE_REQUEST "/admin\.php"
+
+# WEB-PHP smssend.php access
+SecFilterSelective THE_REQUEST "/smssend\.php" log,pass
+
+# WEB-PHP PHP-Nuke remote file include attempt
+SecFilterSelective THE_REQUEST "index\.php" chain
+SecFilter "file=http\://"
+
+# WEB-PHP Phorum /support/common.php attempt
+SecFilterSelective THE_REQUEST "/support/common\.php" chain
+SecFilter "ForumLang=\.\./"
+
+# WEB-PHP Phorum /support/common.php access
+SecFilterSelective THE_REQUEST "/support/common\.php"
+
+# WEB-PHP Phorum authentication access
+SecFilter "PHP_AUTH_USER=boogieman"
+
+# WEB-PHP strings overflow
+SecFilterSelective THE_REQUEST "\?STRENGUR"
+
+# WEB-PHP PHPLIB remote command attempt
+SecFilter "_PHPLIB\[libdir\]"
+
+# WEB-PHP PHPLIB remote command attempt
+SecFilterSelective THE_REQUEST "/db_mysql\.inc"
+
+# WEB-PHP Mambo uploadimage.php upload php file attempt
+SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
+SecFilter "\.php"
+
+# WEB-PHP Mambo upload.php upload php file attempt
+SecFilterSelective THE_REQUEST "/upload\.php" chain
+SecFilter "\.php"
+
+# WEB-PHP Mambo uploadimage.php access
+SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
+
+# WEB-PHP Mambo upload.php access
+SecFilterSelective THE_REQUEST "/upload\.php" log,pass
+
+# WEB-PHP phpBB privmsg.php access
+SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
+
+# WEB-PHP p-news.php access
+SecFilterSelective THE_REQUEST "/p-news\.php" log,pass
+
+# WEB-PHP shoutbox.php directory traversal attempt
+SecFilterSelective THE_REQUEST "/shoutbox\.php" chain
+SecFilter "\.\./"
+
+# WEB-PHP shoutbox.php access
+SecFilterSelective THE_REQUEST "/shoutbox\.php" log,pass
+
+# WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
+SecFilterSelective THE_REQUEST "/gm-2-b2\.php" chain
+SecFilter "b2inc=http"
+
+# WEB-PHP b2 cafelog gm-2-b2.php access
+SecFilterSelective THE_REQUEST "/gm-2-b2\.php" log,pass
+
+# WEB-PHP TextPortal admin.php default password (admin) attempt
+SecFilterSelective THE_REQUEST "/admin\.php" chain
+SecFilter "password=admin" log,pass
+
+# WEB-PHP TextPortal admin.php default password (12345) attempt
+SecFilterSelective THE_REQUEST "/admin\.php" chain
+SecFilter "password=12345" log,pass
+
+# WEB-PHP BLNews objects.inc.php4 remote command execution attempt
+SecFilterSelective THE_REQUEST "/objects\.inc\.php4" chain
+SecFilter "Server\[path\]=http"
+
+# WEB-PHP BLNews objects.inc.php4 access
+SecFilterSelective THE_REQUEST "/objects\.inc\.php4" log,pass
+
+# WEB-PHP Turba status.php access
+SecFilterSelective THE_REQUEST "/turba/status\.php" log,pass
+
+# WEB-PHP ttCMS header.php remote command execution attempt
+SecFilterSelective THE_REQUEST "/admin/templates/header\.php" chain
+SecFilter "admin_root=http"
+
+# WEB-PHP ttCMS header.php access
+SecFilterSelective THE_REQUEST "/admin/templates/header\.php" log,pass
+
+# WEB-PHP test.php access
+SecFilterSelective THE_REQUEST "/test\.php" log,pass
+
+# WEB-PHP autohtml.php directory traversal attempt
+SecFilterSelective THE_REQUEST "/autohtml\.php" chain
+SecFilter "\.\./\.\./"
+
+# WEB-PHP autohtml.php access
+SecFilterSelective THE_REQUEST "/autohtml\.php" log,pass
+
+# WEB-PHP ttforum remote command execution attempt
+SecFilterSelective THE_REQUEST "forum/index\.php" chain
+SecFilter "template=http"
+ |