# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Blacklist of known attackers, spammers and other sources of
# attacks, spam, etc.
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/badips.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.

#NOTE:  This ruleset will be retired shortly and will be replace with a pure RBL
#based system.  RBLs are current supported in 2.0dev of mod_security, if you
#wish to test out the rbl please send an e-mail to mike AT gotroot DOT com.
#
#These IPs are current in the atomicrbl.com RBL, which is in closed testing.
#You will need to e-mail us for access.  

#generic PHP forum posting exclusion
<LocationMatch "/posting.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>


#PhpMyadmin
<LocationMatch "/tbl_change.php">
   SecFilterRemove 300016
</LocationMatch>

<LocationMatch "/admin/main.php">
	SecFilterRemove 300013
</LocationMatch>

<LocationMatch "/sql.php">
   SecFilterRemove 300016
</LocationMatch>

#/xde/managecontent.php
<LocationMatch "/xde/managecontent.php">
   SecFilterRemove 300016
</LocationMatch>


<LocationMatch "/dbad/import.php">
   SecFilterRemove 300016
</LocationMatch>

#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
</LocationMatch>

#postnuke admin
<LocationMatch "/admin.php">
   SecFilterRemove 300016
</LocationMatch>

#Postnuke uploads
<LocationMatch "/modules.php?op=modload&name=Downloads.*">
SecFilterRemove 300013
</LocationMatch>

#Tikiwiki forum
<LocationMatch "/tiki-view_forum_thread.php">
SecFilterRemove 300013
</LocationMatch>

#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>

#Provided by Todd Holforty 
<LocationMatch "/squirrelmail/src/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>

#Phorum posting
<LocationMatch "/phorum/post.php">
SecFilterRemove 300013
</LocationMatch>

#Tikiwiki edit
<LocationMatch "/tiki-editpage.php">
SecFilterRemove 300013
</LocationMatch>

<LocationMatch "/misc.php">
SecFilterRemove 300013
</LocationMatch>

<LocationMatch "/forum/posting.php\?mode=.*">
SecFilterRemove 300016
</LocationMatch>

###########################################
#Double pipe exclusion rules
###########################################
<LocationMatch "/_vti_bin/fpcount.exe">
SecFilterRemove 300014
</LocationMatch>

###########################################
#Front page exclusions
###########################################
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
  SecFilterInheritance Off
</LocationMatch>

<Location /modules.php?name=Forums&file=posting>
SecFilterRemove 300016
</Location>

<Location /modules.php?name=Private_Messages&file=index>
SecFilterRemove 300016
</Location>

###########################################
#Mambo/Joomla exclusions
###########################################
<LocationMatch "/index.php">
  SecFilterRemove 380000
  SecFilterRemove 300013
</LocationMatch>
<LocationMatch "/administrator/index2.php">
  SecFilterRemove 300013
  SecFilterRemove 300016
  SecFilterRemove 380000
  SecFilterRemove 360001
</LocationMatch>

#Added 27AUG2006
#Courtesy of Tom Donovan
#ColdFusion RDS
<LocationMatch "/CFIDE/main/ide.cfm">
   SecFilterRemove 360001
</LocationMatch>

#servlet/webacc
<LocationMatch "/servlet/webacc">
  SecFilterRemove 300013
</LocationMatch>

#WordPRess
<LocationMatch "/wp-admin/options-reading.php">
  SecFilterRemove 300015
</LocationMatch>

#/profile.php
<LocationMatch "/profile.php">
  SecFilterRemove 300015
</LocationMatch>

#Open-Exchange
<LocationMatch "/servlet/webdav.calendar/foo.xml">
  SecFilterRemove 300015
</LocationMatch>


#owl intranet
<LocationMatch "/intranet/setacl.php">
  SecFilterRemove 300015
</LocationMatch>





#Open proxies and other bad players
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules

# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Just In Time Patches for Vulnerable Applications Rules
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Version: N-20061219-01
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/jitp.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS 
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
# THE POSSIBILITY OF SUCH DAMAGE.
#

#--------------------------------
# notes
#--------------------------------
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules


#--------------------------------
#start rules
#--------------------------------

# WEB-CGI formmail
SecFilterSelective REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)" 

#pals-cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/pals-cgi.*documentName="

# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/phf" chain
SecFilter "\x0a/" 
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf(\?| HTTP\/(0\.9|1\.0|1\.1)$)"

# WEB-CGI htsearch arbitrary file read attempt
SecFilterSelective REQUEST_URI "/htsearch\?exclude=\`" 

# WEB-CGI csSearch.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/csSearch\.cgi\?" chain
SecFilter "\`" 

## WEB-CGI FormHandler.cgi directory traversal attempt attempt
SecFilterSelective REQUEST_URI "/FormHandler\.cgi" chain
SecFilter "/\.\./" 

# WEB-CGI FormHandler.cgi external site redirection attempt
SecFilterSelective REQUEST_URI "/FormHandler\.cgi" chain
SecFilter "redirect=http" 

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\[" 

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective REQUEST_URI "/left_main\.php" chain
SecFilter "cmdd=" 

# WEB-PHP directory.php arbitrary command attempt
SecFilterSelective REQUEST_URI "/directory\.php\?" chain
SecFilter "\;" 

# WEB-PHP PHPLIB remote commanSelective THE_REQUESTd attempt
SecFilterSelective THE_REQUEST "_PHPLIB\[libdir\]" 

# WEB-PHP PHPLIB remote command attempt
SecFilterSelective REQUEST_URI   "/db_mysql\.inc" 

# Exploit phpBB Highlighting Code Execution Attempt
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("

# Exploit phpBB Highlighting SQL Injection
SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\(" 

# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\(" 

# Exploit phpBB Highlight Exploit Attempt
SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\(" 

# WEB-CGI dcforum.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/dcforum\.cgi" chain
SecFilter "forum=\.\./\.\." 

# WEB-CGI dcboard.cgi invalid user addition attempt
SecFilterSelective REQUEST_URI "/dcboard\.cgi.*\|admin" 

# WEB-CGI alchemy http server PRN arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/PRN/\.\./\.\./" 

# WEB-CGI alchemy http server NUL arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/NUL/\.\./\.\./" 

# WEB-CGI AltaVista Intranet Search directory traversal attempt
SecFilterSelective REQUEST_URI "/query\?mss=\.\." 

# WEB-CGI hello.bat arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/hello\.bat" chain
SecFilter "\&" 

# WEB-CGI Home Free search.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/search\.cgi" chain
SecFilter "letter=\.\./\.\." 

#campus attempt
SecFilterSelective REQUEST_URI "/campus\?\|0A\|"

# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/pfdispaly\.cgi\?\'" 

# WEB-CGI talkback.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/talkbalk\.cgi" chain
SecFilter "article=\.\./\.\./" 

# WEB-CGI technote main.cgi file directory traversal attempt
SecFilterSelective REQUEST_URI "/technote/main\.cgi" chain
SecFilter "\.\./\.\./" 

# WEB-CGI technote print.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/technote/print\.cgi.*\x00" 

# WEB-CGI eXtropia webstore directory traversal
SecFilterSelective REQUEST_URI "/web_store\.cgi" chain
SecFilter "page=\.\./" 

# WEB-CGI shopping cart directory traversal
SecFilterSelective REQUEST_URI "/shop\.cgi" chain
SecFilter "page=\.\./" 

# WEB-CGI Allaire Pro Web Shell attempt
SecFilterSelective REQUEST_URI "/authenticate\.cgi\?PASSWORD" chain
SecFilter "config\.ini" 

# WEB-CGI Armada Style Master Index directory traversal
SecFilterSelective REQUEST_URI "/search\.cgi\?keys" chain
SecFilter "catigory=\.\./" 

# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
SecFilterSelective REQUEST_URI "/cached_feed\.cgi" chain
SecFilter "\.\./" 

# WEB-CGI Talentsoft Web+ exploit attempt
SecFilterSelective REQUEST_URI "/webplus\.cgi\?Script=/webplus/webping/webping\.wml" 

# WEB-CGI txt2html.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/txt2html\.cgi" chain
SecFilter "/\.\./\.\./\.\./\.\./" 

# WEB-CGI store.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/store\.cgi" chain
SecFilter "\.\./" 

# WEB-CGI mrtg.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/mrtg\.cgi" chain
SecFilter "cfg=/\.\./" 

# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/whereami\.cgi\?g=" 

# WEB-CGI WhatsUpGold instancename overflow attempt
SecFilterSelective REQUEST_URI "/_maincfgret\.cgi" 

#Demarc SQL injection attempt
SecFilterSelective REQUEST_URI "/dm/demarc.*s_key=.*\'"

# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST "////////" 

# WEB-MISC htgrep attempt
SecFilterSelective REQUEST_URI "/htgrep" chain
SecFilter "hdr=/" 

#musicat empower attempt
SecFilterSelective REQUEST_URI "/empower\?DB="

# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective REQUEST_URI "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true" 

# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective REQUEST_URI "/dnstools\.php" chain
SecFilter "user_logged_in=true" 

#General phpbb_root_path vulnerabilities
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)"  "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective REQUEST_URI "/quick-reply\.php" chain
SecFilter "phpbb_root_path=" 

# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective REQUEST_URI "/dostuff\.php\?action=modify_user"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Wiki*\<*(script|about|applet|activex|chrome)*\>"

# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI "/*\x0a\.pl" 

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR" 

# WEB-PHP shoutbox.php directory traversal attempt
SecFilterSelective REQUEST_URI "/shoutbox\.php" chain
SecFilter "\.\./" 

# WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt
SecFilterSelective REQUEST_URI "/gm-2-b2\.php" chain
SecFilter "b2inc=(http|https|ftp)\:/" 

# WEB-PHP BLNews objects.inc.php4 remote file include attempt
SecFilterSelective REQUEST_URI "/objects\.inc\.php*" chain
SecFilter "Server\[path\]=(http|https|ftp)\:/" 

# WEB-PHP ttCMS header.php remote file include attempt
SecFilterSelective REQUEST_URI "/admin/templates/header\.php" chain
SecFilter "admin_root=(http|https|ftp)\:/" 

# WEB-PHP autohtml.php directory traversal attempt
SecFilterSelective REQUEST_URI "/autohtml\.php" chain
SecFilter "\.\./\.\./" 

# WEB-PHP ttforum remote file include attempt
SecFilterSelective REQUEST_URI "forum/index\.php" chain
SecFilter "template=" 

# WEB-PHP pmachine remote file include attempt
SecFilterSelective REQUEST_URI "lib\.inc\.php" chain
SecFilter "pm_path=(http|https|ftp)\:/" 
SecFilterSelective REQUEST_URI "lib\.inc\.php.*pm_path.*(http|https|ftp)\:/"

#rolis guestbook remote file include attempt
SecFilterSelective REQUEST_URI "/insert\.inc\.php*path="

# IdeaBox cord.php file include
SecFilterSelective REQUEST_URI "/index\.php*ideaDir*cord\.php"

#IdeaBox notification.php file include
SecFilterSelective REQUEST_URI "/index\.php*gorumDir*notification\.php"

# WEB-PHP DCP-Portal remote file include attempt
SecFilterSelective REQUEST_URI "/library/lib\.php" chain
SecFilter "root=" 

# WEB-PHP IdeaBox cord.php file include
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilter "cord\.php" 

# WEB-PHP IdeaBox notification.php file include
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilter "notification\.php" 

# WEB-PHP Invision Board emailer.php file include
SecFilterSelective REQUEST_URI "/ad_member\.php" chain
SecFilter "emailer\.php" 

# WEB-PHP WebChat db_mysql.php file include
SecFilterSelective REQUEST_URI "/defines\.php" chain
SecFilter "db_mysql\.php" 

# WEB-PHP WebChat english.php file include
SecFilterSelective REQUEST_URI "/defines\.php" chain
SecFilter "english\.php" 

# WEB-PHP Typo3 translations.php file include
SecFilterSelective REQUEST_URI "/translations\.php" chain
SecFilter "ONLY=\x2e" 

# WEB-PHP news.php file include
SecFilterSelective REQUEST_URI "/news\.php" chain
SecFilter "template" 

# WEB-PHP YaBB SE packages.php file include
SecFilterSelective REQUEST_URI "/packages\.php" chain
SecFilter "packer\.php" 

# WEB-PHP newsPHP Language file include attempt
SecFilterSelective REQUEST_URI "/nphpd\.php" chain
SecFilter "LangFile" 

#myphpPagetool pt_config.inc file include
SecFilterSelective REQUEST_URI "/doc/admin*ptinclude*pt_config\.inc"

#Invision Board ipchat.php file include
SecFilterSelective REQUEST_URI "/ipchat\.php*root_path*conf_global\.php"

# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
SecFilterSelective REQUEST_URI "/authentication_index\.php" chain
SecFilter "PGV_BASE_DIRECTORY=(http|https|ftp)\:/" 

# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
SecFilterSelective REQUEST_URI "/functions\.php" chain
SecFilter "PGV_BASE_DIRECTORY" 

# WEB-PHP TUTOS path disclosure attempt
SecFilterSelective REQUEST_URI "/note_overview\.php" chain
SecFilter "id=" 

# WEB-PHP PhpGedView PGV base directory manipulation
SecFilterSelective REQUEST_URI "_conf\.php" chain
SecFilter "PGV_BASE_DIRECTORY" 

#PHPBB worm sigs
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

#Mailto domain search possible MyDoom.M,O
SecFilterSelective REQUEST_URI "/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+" chain
SecFilter "Host\: www\.google\.com" 

#WEB-PHP EasyDynamicPages exploit
SecFilterSelective REQUEST_URI "edp_relative_path=" 

#Calendar XSS
SecFilterSelective REQUEST_URI "/(calendar|setup).php\?phpc_root_path=((http|https|ftp)\:/|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"

#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\." 

#nmap version request
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\:)$" 

#More PHPBB worms
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)" 

# TIKIWIKI
SecFilterSelective REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"

# WEB-MISC BitKeeper arbitrary command attempt
SecFilterSelective REQUEST_URI "/diffs/" chain
SecFilter "\'" 

#awstats probe
SecFilterSelective THE_REQUEST  "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" "id:390000,rev:1,severity:2,msg:'JITP: Awstats.pl probe'"

#/forum/viewtopic.php?x=http://
SecFilterSelective REQUEST_URI "/forum/viewtopic\.php\?x=(http|https|ftp)\:/"

# WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt
SecFilterSelective REQUEST_URI "/crystalimagehandler\.aspx" chain
SecFilter "dynamicimage=\.\./" 

#mailman 2.x path recursion attack
SecFilterSelective THE_REQUEST "mailman/private/.*\.\.\./\.\.\.\.///" 
SecFilterSelective THE_REQUEST "/mailman/.*\.\.\./"

#ftp.pl attempt
SecFilterSelective REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."

#Tomcat server snoop access
SecFilterSelective REQUEST_URI "/jsp/snp/.*\.snp"

# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/hsx\.cgi.*\x00"

# WEB-CGI SWSoft ASPSeek Overflow attempt
SecFilterSelective REQUEST_URI "/s\.cgi" chain
SecFilter "tmpl="

# WEB-CGI /wwwboard/passwd.txt access
SecFilterSelective REQUEST_URI "/wwwboard/passwd\.txt"

# WEB-CGI webplus directory traversal
SecFilterSelective REQUEST_URI "/webplus\?script" chain
SecFilter "\.\./"

# WEB-CGI websendmail access
SecFilterSelective REQUEST_URI "/websendmail"

# WEB-CGI anaconda directory transversal attempt
SecFilterSelective REQUEST_URI "/(apexec|anacondaclip)\.pl" chain
SecFilter "template=\.\./"

# WEB-CGI imagemap.exe overflow attempt
SecFilterSelective REQUEST_URI "/imagemap\.exe\?"

# WEB-CGI htmlscript attempt
SecFilterSelective REQUEST_URI "/htmlscript\?\.\./\.\."

# WEB-CGI nph-test-cgi access
SecFilterSelective REQUEST_URI "/nph-test-cgi"


# WEB-CGI rwwwshell.pl access
SecFilterSelective REQUEST_URI "/rwwwshell\.pl"

# WEB-CGI view-source directory traversal
SecFilterSelective REQUEST_URI "/view-source" chain
SecFilter "\.\./"

# WEB-CGI calendar_admin.pl arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/calendar_admin.pl\?config=\|7C\|"

# WEB-CGI bb-hist.sh attempt
SecFilterSelective REQUEST_URI "/bb-hist\.sh\?HISTFILE=\.\./\.\."

# WEB-CGI bb-hostscv.sh attempt
SecFilterSelective REQUEST_URI "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."

# WEB-CGI wayboard attempt
SecFilterSelective REQUEST_URI "/way-board/way-board\.cgi" chain
SecFilter "\.\./\.\."

# WEB-CGI commerce.cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/commerce\.cgi" chain
SecFilter "/\.\./"

# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
SecFilterSelective REQUEST_URI "/sendtemp\.pl" chain
SecFilter "templ="

# WEB-CGI webspirs.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/webspirs\.cgi" chain
SecFilter "\.\./\.\./"

# WEB-CGI auktion.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/auktion\.cgi" chain
SecFilter "menue=\.\./\.\./"

# WEB-CGI cgiforum.pl attempt
SecFilterSelective REQUEST_URI "/cgiforum\.pl\?thesection=\.\./\.\."

# WEB-CGI directorypro.cgi attempt
SecFilterSelective REQUEST_URI "/directorypro\.cgi" chain
SecFilter "\.\./\.\."

# WEB-CGI Web Shopper shopper.cgi attempt
SecFilterSelective REQUEST_URI "/shopper\.cgi" chain
SecFilter "newpage=\.\./"

# WEB-CGI cal_make.pl directory traversal attempt
SecFilterSelective REQUEST_URI "/cal_make\.pl" chain
SecFilter "p0=\.\./\.\./"

# WEB-CGI ttawebtop.cgi arbitrary file attempt
SecFilterSelective REQUEST_URI "/ttawebtop\.cgi" chain
SecFilter "pg=\.\./"

# WEB-CGI ustorekeeper.pl directory traversal attempt
SecFilterSelective REQUEST_URI "/ustorekeeper\.pl" chain
SecFilter "file=\.\./\.\./"

# WEB-CGI htsearch arbitrary configuration file attempt
SecFilterSelective REQUEST_URI "/htsearch\?\-c"


# WEB-CGI alibaba.pl arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/alibaba\.pl(\|7C\||\x7C)"

# WEB-CGI AltaVista Intranet Search directory traversal attempt
SecFilterSelective REQUEST_URI "/query\?mss=\.\."

# WEB-CGI test.bat arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/test.bat(\|7C\||\x7C)"

# WEB-CGI input.bat arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/input.bat(\|7C\||\x7C)"

# WEB-CGI envout.bat arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/envout.bat(\|7C\||\x7C)"

# WEB-CGI hello.bat arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/hello\.bat" chain
SecFilter "\&"

# WEB-CGI csSearch.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/csSearch\.cgi" chain
SecFilter "\`"

# WEB-CGI eshop.pl arbitrary commane execution attempt
SecFilterSelective REQUEST_URI "/eshop\.pl\?seite=(\|3B\|\x3B)"

# WEB-CGI loadpage.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/loadpage\.cgi" chain
SecFilter "file=\.\./"

#faqmanager.cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?toc=*/"
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# WEB-CGI Home Free search.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/search\.cgi" chain
SecFilter "letter=\.\./\.\."

# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/pfdispaly\.cgi\?'"

# WEB-CGI pagelog.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/pagelog\.cgi" chain
SecFilter "name=\.\./" 

# WEB-CGI talkback.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/talkbalk\.cgi" chain
SecFilter "article=\.\./\.\./"

# WEB-CGI emumail.cgi NULL attempt
SecFilterSelective REQUEST_URI "/emumail\.cgi.*\x00"

# WEB-CGI technote main.cgi file directory traversal attempt
SecFilterSelective REQUEST_URI "/technote/main\.cgi" chain
SecFilter "\.\./\.\./"

# WEB-CGI technote print.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/technote/print\.cgi.*\x00"

# WEB-CGI Allaire Pro Web Shell attempt
SecFilterSelective REQUEST_URI "/authenticate.cgi\?PASSWORD" chain
SecFilter "config\.ini"

# WEB-CGI Armada Style Master Index directory traversal
SecFilterSelective REQUEST_URI "/search\.cgi\?keys" chain
SecFilter "catigory=\.\./"

# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
SecFilterSelective REQUEST_URI "/cached_feed\.cgi" chain
SecFilter "\.\./"

# WEB-CGI Talentsoft Web+ exploit attempt
SecFilterSelective REQUEST_URI "/webplus.cgi\?Script=/webplus/webping/webping\.wml"

# WEB-CGI bizdbsearch attempt
SecFilterSelective REQUEST_URI "/bizdb1-search\.cgi" chain
SecFilter "mail"

# WEB-CGI sojourn.cgi File attempt
SecFilterSelective REQUEST_URI "/sojourn\.cgi\?cat=.*\x00"

# WEB-CGI SGI InfoSearch fname attempt
SecFilterSelective REQUEST_URI "/infosrch\.cgi\?" chain
SecFilter "fname="


# WEB-CGI store.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/store\.cgi" chain
SecFilter "\.\./"

# WEB-CGI SIX webboard generate.cgi attempt
SecFilterSelective REQUEST_URI "/generate\.cgi" chain
SecFilter "content=\.\./"

# WEB-CGI story.pl arbitrary file read attempt
SecFilterSelective REQUEST_URI "/story\.pl" chain
SecFilter "next=\.\./"

# WEB-CGI mrtg.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/mrtg\.cgi" chain
SecFilter "cfg=/\.\./"

#alienform.cgi directory traversal attempt
SecFilterSelective REQUEST_URI "/alienform\.cgi.*\.\|7C\|\./\.\|7C\|\."
SecFilterSelective REQUEST_URI "/af\.cgi.*\.\|7C\|\./\.\|7C\|\."

# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/whereami\.cgi\?g="

# WEB-CGI MDaemon form2raw.cgi overflow attempt
SecFilterSelective REQUEST_URI "/form2raw\.cgi"

# WEB-CGI WhatsUpGold instancename overflow attempt
SecFilterSelective REQUEST_URI "/_maincfgret\.cgi"

#honeypot
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "

# WEB-COLDFUSION cfcache.map access
SecFilterSelective REQUEST_URI "/cfcache\.map"

# WEB-COLDFUSION exampleapp application.cfm
SecFilterSelective REQUEST_URI "/cfdocs/exampleapp/email/application\.cfm"

# WEB-COLDFUSION application.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/exampleapp/publish/admin/application\.cfm"

# WEB-COLDFUSION getfile.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/exampleapp/email/getfile\.cfm"

# WEB-COLDFUSION addcontent.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/exampleapp/publish/admin/addcontent\.cfm"

# WEB-COLDFUSION administrator access
SecFilterSelective REQUEST_URI "/cfide/administrator/index\.cfm"

# WEB-COLDFUSION fileexists.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/snippets/fileexists\.cfm"

# WEB-COLDFUSION exprcalc access
SecFilterSelective REQUEST_URI "/cfdocs/expeval/exprcalc\.cfm"

# WEB-COLDFUSION parks access
SecFilterSelective REQUEST_URI "/cfdocs/examples/parks/detail\.cfm"

# WEB-COLDFUSION cfappman access
SecFilterSelective REQUEST_URI "/cfappman/index\.cfm"

# WEB-COLDFUSION beaninfo access
SecFilterSelective REQUEST_URI "/cfdocs/examples/cvbeans/beaninfo\.cfm"

# WEB-COLDFUSION evaluate.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/snippets/evaluate\.cfm"

# WEB-COLDFUSION expeval access
SecFilterSelective REQUEST_URI "/cfdocs/expeval/"

# WEB-COLDFUSION displayfile access
SecFilterSelective REQUEST_URI "/cfdocs/expeval/displayopenedfile\.cfm"

# WEB-COLDFUSION mainframeset access
SecFilterSelective REQUEST_URI "/cfdocs/examples/mainframeset\.cfm"

# WEB-COLDFUSION exampleapp access
SecFilterSelective REQUEST_URI "/cfdocs/exampleapp/"

# WEB-COLDFUSION snippets attempt
SecFilterSelective REQUEST_URI "/cfdocs/snippets/"

# WEB-COLDFUSION cfmlsyntaxcheck.cfm access
SecFilterSelective REQUEST_URI "/cfdocs/cfmlsyntaxcheck\.cfm"

# WEB-COLDFUSION application.cfm access
SecFilterSelective REQUEST_URI "/application\.cfm"

# WEB-COLDFUSION onrequestend.cfm access
SecFilterSelective REQUEST_URI "/onrequestend\.cfm"

# WEB-COLDFUSION startstop DOS access
SecFilterSelective REQUEST_URI "/cfide/administrator/startstop\.html"

# WEB-COLDFUSION gettempdirectory.cfm access 
SecFilterSelective REQUEST_URI "/cfdocs/snippets/gettempdirectory\.cfm"

# WEB-COLDFUSION sendmail.cfm access
SecFilterSelective REQUEST_URI "/sendmail\.cfm"

# WEB-COLDFUSION ?Mode=debug attempt
#SecFilterSelective REQUEST_URI "Mode=debug"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# WEB-MISC unify eWave ServletExec upload
SecFilterSelective THE_REQUEST "/servlet/com\.unify\.servletexec\.UploadServlet"

# WEB-MISC Talentsoft Web+ Source Code view access
SecFilterSelective REQUEST_URI "/webplus\.exe\?script=test\.wml"

# WEB-MISC ftp.pl attempt
SecFilterSelective REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."

# WEB-MISC apache source.asp file access
SecFilterSelective REQUEST_URI "/site/eg/source\.asp"

# WEB-MISC Tomcat server exploit access
SecFilterSelective REQUEST_URI "/contextAdmin/contextAdmin\.html"

# WEB-MISC Ecommerce import.txt access
SecFilterSelective REQUEST_URI "/orders/import\.txt"

# WEB-MISC Domino catalog.nsf access
SecFilterSelective REQUEST_URI "/catalog\.nsf"

# WEB-MISC Domino domcfg.nsf access
SecFilterSelective REQUEST_URI "/domcfg\.nsf"

# WEB-MISC Domino domlog.nsf access
SecFilterSelective REQUEST_URI "/domlog\.nsf"

# WEB-MISC Domino log.nsf access
SecFilterSelective REQUEST_URI "/log\.nsf"

# WEB-MISC Domino names.nsf access
SecFilterSelective REQUEST_URI "/names\.nsf"

# WEB-MISC Domino mab.nsf access
SecFilterSelective REQUEST_URI "/mab\.nsf"

# WEB-MISC Domino cersvr.nsf access
SecFilterSelective REQUEST_URI "/cersvr\.nsf"

# WEB-MISC Domino setup.nsf access
SecFilterSelective REQUEST_URI "/setup\.nsf"

# WEB-MISC Domino statrep.nsf access
SecFilterSelective REQUEST_URI "/statrep\.nsf"

# WEB-MISC Domino webadmin.nsf access
SecFilterSelective REQUEST_URI "/webadmin\.nsf"

# WEB-MISC Domino events4.nsf access
SecFilterSelective REQUEST_URI "/events4\.nsf"

# WEB-MISC Domino ntsync4.nsf access
SecFilterSelective REQUEST_URI "/ntsync4\.nsf"

# WEB-MISC Domino collect4.nsf access
SecFilterSelective REQUEST_URI "/collect4\.nsf"

# WEB-MISC Domino mailw46.nsf access
SecFilterSelective REQUEST_URI "/mailw46\.nsf"

# WEB-MISC Domino bookmark.nsf access
SecFilterSelective REQUEST_URI "/bookmark\.nsf"

# WEB-MISC Domino agentrunner.nsf access
SecFilterSelective REQUEST_URI "/agentrunner\.nsf"

# WEB-MISC Domino mail.box access
#SecFilterSelective REQUEST_URI "/mail.box"

# WEB-MISC Ecommerce checks.txt access
SecFilterSelective REQUEST_URI "/orders/checks\.txt"

# WEB-MISC mall log order access
SecFilterSelective REQUEST_URI "/mall_log_files/order\.log"

# WEB-MISC ROADS search.pl attempt
SecFilterSelective REQUEST_URI "/ROADS/cgi-bin/search\.pl" chain
SecFilter "form="

# WEB-MISC SWEditServlet directory traversal attempt
SecFilterSelective REQUEST_URI "/SWEditServlet" chain
SecFilter "template=\.\./\.\./\.\./"

# WEB-MISC whisker HEAD/./
#SecFilter "HEAD/./"

# WEB-MISC RBS ISP /newuser  directory traversal attempt
SecFilterSelective REQUEST_URI "/newuser\?Image=\.\./\.\."

# WEB-MISC PCCS mysql database admin tool access
SecFilterSelective REQUEST_URI "pccsmysqladm/incs/dbconnect\.inc"

# WEB-MISC ans.pl attempt
SecFilterSelective REQUEST_URI "/ans.pl\?p=\.\./\.\./"

# WEB-MISC Demarc SQL injection attempt
SecFilterSelective REQUEST_URI "/dm/demarc" chain
SecFilter "\'" 

# WEB-MISC philboard_admin.asp authentication bypass attempt
SecFilterSelective REQUEST_URI  "/philboard_admin\.asp" chain
SecFilter "philboard_admin=True" 

# WEB-PHP Phorum /support/common.php access
SecFilterSelective REQUEST_URI  "/support/common\.php"

# WEB-PHP rolis guestbook remote file include attempt
SecFilterSelective REQUEST_URI  "/insert\.inc\.php" chain
SecFilter "path="

# book.cgi arbitrary command execution attempt
SecFilterSelective REQUEST_URI  "/book\.cgi.*current=\|7C\|"

# WEB-PHP gallery remote file include attempt
SecFilterSelective REQUEST_URI  "/setup/" chain
SecFilter "GALLERY_BASEDIR=(http|https|ftp)\:/"

#Needinit remote file include attempt
SecFilterSelective REQUEST_URI  "/needinit\.php\?" chain
SecFilter "GALLERY_BASEDIR=(http|https|ftp)\:/"

# WEB-PHP IdeaBox cord.php file include
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilter "cord\.php" 

# WEB-PHP Invision Board ipchat.php file include
SecFilterSelective REQUEST_URI  "/ipchat\.php" chain
SecFilter "conf_global\.php"

# WEB-PHP myphpPagetool pt_config.inc file include
SecFilterSelective REQUEST_URI  "/doc/admin" chain
SecFilter "pt_config\.inc"

# WEB-PHP YaBB SE packages.php file include
SecFilterSelective REQUEST_URI  "/packages\.php" chain
SecFilter "packer\.php"

# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
SecFilterSelective REQUEST_URI  "/authentication_index\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
SecFilterSelective REQUEST_URI  "/functions\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt
SecFilterSelective REQUEST_URI  "/config_gedcom\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP PhpGedView PGV base directory manipulation
SecFilterSelective REQUEST_URI  "_conf\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP WAnewsletter newsletter.php file include attempt
SecFilterSelective REQUEST_URI  "newsletter\.php" chain
SecFilter "start\.php"

# WEB-PHP Opt-X header.php remote file include attempt
SecFilterSelective REQUEST_URI  "/header\.php" chain
SecFilter "systempath="

#webdav searcg attack
SecFilterSelective REQUEST_URI  "/_vti_bin/_vti_aut/fp30reg\.dll" 

#/auth.php?path=http://[attacker]/
SecFilterSelective REQUEST_URI  "/auth.php\?path=(http|https|ftp)\:/" 

SecFilterSelective REQUEST_URI  "/dforum/nav\.php3\?page=<[[:space:]]*(script|about|applet|activex|chrome)+.*(script|about|applet|activex|chrome)[[:space:]]*>" 

#phpMyAdmin path vln
SecFilterSelective REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"

#PHPBB full path disclosure
SecFilterSelective REQUEST_URI "phpBB/db/oracle\.php"
SecFilterSelective REQUEST_URI "forum/db/oracle\.php"
SecFilterSelective REQUEST_URI "forums/db/oracle\.php"


#PHP Form Mail Script File Incusion vuln
SecFilterSelective REQUEST_URI "/inc/formmail\.inc\.php\?script_root=(http|https|ftp)\:/"

#Download Center Lite File Incusion vuln
SecFilterSelective REQUEST_URI "/inc/download_center_lite\.inc\.php\?script_root=(http|https|ftp)\:/"

#/modules/mod_mainmenu.php?mosConfig_absolute_path=http://
SecFilterSelective REQUEST_URI "/modules/mod_mainmenu\.php\?mosConfig_absolute_path=(http|https|ftp)\:/"

#phpWebLog command execution
SecFilterSelective REQUEST_URI "/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/backend/addons/links/index\.php\?PATH=(http|https|ftp)\:/"

#mcNews command execution
SecFilterSelective REQUEST_URI "/mcNews/admin/header\.php\?skinfile=(http|https|ftp)\:/"

#phpbb
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"
#votebox
SecFilterSelective REQUEST_URI "/votebox\.php\?VoteBoxPath=(http|https|ftp)\:/"

#phpAdsNew path disclosure
SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-autotargeting\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php"
SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>"

#include cgi command exec
SecFilterSelective REQUEST_URI "/includer\.cgi\?=\|"

#citrusDB
#adjust these to your system, you might need to upload
SecFilterSelective REQUEST_URI "tools/index\.php\?load=\.\./\.\./"
SecFilterSelective REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on"
SecFilterSelective REQUEST_URI "/citrusdb/tools/uploadcc\.php"

#awstats vulns
SecFilterSelective REQUEST_URI  "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI  "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI  "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI  "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI  "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"

#yabb
SecFilterSelective REQUEST_URI "/YaBB\.pl\?action=usersrecentposts\;username=\<IFRAME.*javascript\:alert\(\'"

# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"

#phpbb XSS
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\\?.*(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "/privmsg\.php" chain
SecFilter "\<a href=*(script|about|applet|activex|chrome)"

#proxy grabber
SecFilterSelective REQUEST_URI  "/proxy-grabber\.com/cgi-bin/v2/nph-env\.cgi\?"

#Unique stuff caught in our traps
SecFilterSelective REQUEST_URI  "/mail_autocheck\.php\?pm_path=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

# Remote File Inclusion Vulnerability in phpWebLog
SecFilterSelective REQUEST_URI  "/include/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "addons/links/index\.php\?PATH=(http|https|ftp)\:/"

#Multiple Vulnerabilities in ProjectBB
SecFilterSelective REQUEST_URI  "/divers\.php\?action=liste\&liste=\&desc=\&pages=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/divers\.php\?action=liste\&liste=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/Zip/divers\.php\?action =liste&liste=email&desc=.*\'"

#WebChat english.php or db_mysql.php file include
SecFilterSelective REQUEST_URI "/defines\.php*WEBCHATPATH*(db_mysql\.php|english\.php)"

#Cross-Site Scripting Vulnerability in D-Forum
SecFilterSelective REQUEST_URI "/nav\.php3\?page=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Multiple Vulnerabilities in auraCMS
SecFilterSelective REQUEST_URI "/index\.php\?query=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*\&pilih=search"
SecFilterSelective REQUEST_URI "/hits\.php\?hits=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/counter\.php\?theCount=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#vBulletin Remote Command Execution Attempt
SecFilterSelective REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?" chain
SecFilter "\.system\(.+\)\."
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?*comma="

#PHPNuke general XSS attempt
#/modules.php?name=News&file=article&sid=1&optionbox=
SecFilterSelective REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"

# PHPNuke SQL injection attempt
SecFilterSelective REQUEST_URI  "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI  "/modules\.php\?*name=(Search|Web_Links).*\'"

#EasyDynamicPages exploit
SecFilterSelective THE_REQUEST "edp_relative_path="

#Readfile.tcl Access
SecFilterSelective REQUEST_URI "/readfile\.tcl\?file="

#phpnuke sql insertion
SecFilterSelective REQUEST_URI "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"

#WAnewsletter newsletter.php file include attempt
SecFilterSelective REQUEST_URI "newsletter\.php*waroot*start\.php"

# Typo3 translations.php file include
SecFilterSelective REQUEST_URI "/translations\.php*ONLY"

#PHP-Nuke remote file include attempt
SecFilterSelective REQUEST_URI "/index\.php*file=*(http|https|ftp)\:/"

#PayPal Storefront remote file include attempt
SecFilterSelective REQUEST_URI "do=ext*/page=(http|https|ftp)\:/"

#PHPOpenChat 
SecFilterSelective REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?poc_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/ENGLISH_poc\.php\?poc_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?sourcedir=(http|https|ftp)\:/"

#ACS Blog Search.ASP Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/search\.asp\?search=.*iframe\+src.*((javascript|script|about|applet|activex|chrome)*\>|http|https|ftp)\:/"

#mcNews Remote command execution
SecFilterSelective REQUEST_URI "/admin/install\.php\?l=(http|https|ftp)\:/"

#mailman XSS
SecFilterSelective THE_REQUEST "/mailman/.*\?.*info=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Macromedia SiteSpring XSS
SecFilterSelective THE_REQUEST "/error/500error\.jsp.*et=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#OWA phishing redirect
SecFilterSelective REQUEST_URI "/exchweb/bin/auth/owalogon\.asp\?url=(http|https)\:/"

#ads.cgi command execution attempt
SecFilterSelective REQUEST_URI "/ads\.cgi.*file=.*\.\./\.\./"

#webdist.cgi arbitrary command attemp
SecFilterSelective REQUEST_URI "/webdist\.cgi.*distloc=(\|3B\||\x3B)"

#enter_bug.cgi arbitrary command attempt
SecFilterSelective REQUEST_URI "/enter_bug\.cgi.*who.*(\|3B\||\x3B)"

#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img src=javascript"

#b2 arbitrary command execution attempt
SecFilterSelective REQUEST_URI "/b2-include/.*b2inc.*http(\|3A\|//|\x3A)"

#tomcat servlet mapping XSS
SecFilterSelective THE_REQUEST "/servlet/.*/org\.apache\."

#RUNCMS,Exoops,CIAMOS highlight file access hole
SecFilterSelective REQUEST_URI "/class/debug/highlight\.php\?file=(/|\.\./)"

#TRG/CzarNews News Script Include File Hole Lets Remote Users Execute Arbitrary Commands
SecFilterSelective REQUEST_URI "/install/(article|authorall|comment|display|displayall.)\.php\?dir=(http|https|ftp):/"

#zpanel XSS
SecFilterSelective REQUEST_URI "/zpanel\.php\?page=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#zpanel SQL injection
SecFilterSelective REQUEST_URI "/zpanel\.php\?page=.*\'"

#Phorum HTTP Response Splitting Vulnerability
SecFilterSelective REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:"

#Subdreamer Light Global Variables SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?categoryid=.*\&.*_sectionid=.*\&.*_imageid=.*\'"

#PhotoPost Pro
SecFilterSelective REQUEST_URI "/showgallery\.php\?cat=[0-9].*\&page=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/showgallery\.php\?si=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/showgallery\.php\?cat=[0-9].*\'"
SecFilterSelective REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\'.*\&cat="

#betaparticle blog Discloses Database to Remote Users 
#and Lets Remote Users Upload/Delete Arbitrary Files
SecFilterSelective REQUEST_URI "/bp/database/dbBlogMX\.mdb"
SecFilterSelective REQUEST_URI "/Blog\.mdb"

#Kayako eSupport Remote Cross Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/eSupport/index.php\?_a=troubleshooter\&_c=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#phpSysInfo XSS vulns
SecFilterSelective REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*\&VERSION=\<iframesrc=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#DigitalHive Remote Unathenticated Software Re-install and Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\<script\>"
SecFilterSelective REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\<script\>"

#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
SecFilterSelective REQUEST_URI "/calendar_scheduler\.php\?start=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#phpSysInfo Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\<iframe src.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Interspire ArticleLive 2005 "ArticleId" Remote Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/articles/newcomment\?ArticleId=\"\>"

#Dream4 Koobi CMS Index.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?p=articles&area=.*\'"
SecFilterSelective REQUEST_URI "/index\.php\?area.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Vortex Portal Remote File Inclusion and Path Disclosure Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php\?act=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/content\.php\?act=(http|https|ftp)\:/" 

#Topic Calendar Cross Site Scripting
SecFilterSelective REQUEST_URI "/calendar_scheduler\.php\?start.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#ESMI PayPal Storefront SQL inject and XSS
SecFilterSelective REQUEST_URI "/ecdis/pages.php?idpages=\'"
SecFilterSelective REQUEST_URI "/ecdis/products.*.php?id=.*&id.*=\'"
SecFilterSelective REQUEST_URI "/ecdis/products.*\.php\?id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Nuke Bookmarks Marks.php SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9| ]+[[:space:]](from|into|table|database|index|view)"

#Nuke Bookmarks XSS
SecFilterSelective REQUEST_URI "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#possible new vuln in tikiwiki
SecFilterSelective REQUEST_URI "/tiki-list_faqs\.php\?offset=(http|https|ftp)\:/"

#exoops Input Validation Flaws SQL injection and XSS
SecFilterSelective REQUEST_URI "/newbb/index\.php\?viewcat=\'"
SecFilterSelective REQUEST_URI "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9"
SecFilterSelective REQUEST_URI "/newbb/viewforum\.php\?sortname=p\.post_time\&sortorder=.*\&sortdays=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/newbb/index\.php\?viewcat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Valdersoft Shopping Cart SQL injection and XSS
SecFilterSelective REQUEST_URI "/(item|category).php?sid=.*\&id=\'"
SecFilterSelective REQUEST_URI "/index\.php\?sid=.*\&lang=\'"
SecFilterSelective REQUEST_URI "/search_result\.php\?sid=.*\&search.*\'"

#OSCommerce XSS
SecFilterSelective REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Typo3 remote file retrieval
SecFilterSelective REQUEST_URI "/dev/translations\.php\?ONLY=\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/.*\x00"

#Mambo XSS
SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"

#Photopost XSS and sql injection
SecFilterSelective REQUEST_URI "photos/(showgallery|showmembers|slideshow)\.php\?.*(\'|\<script|(http|https|ftp)\:/)"

#TKai's Shoutbox XSS
SecFilterSelective REQUEST_URI "/shoutact\.php\?yousay=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/shoutact\.php\?yousay=default\&name=default&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&name=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/shoutact\.php\?yousay=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#EncapsBB Remote File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index_header.php?root=(http|https|ftp)\:/"

#CPG Dragonfly CMS Two Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php\?name=.*\&profile=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*/pos=.*\.html"

#PHPCoin
SecFilterSelective REQUEST_URI "phpcoin/auxpage\.php\?page=\.\./\.\."

#PortalApp SQL injection and XSS
SecFilterSelective REQUEST_URI "/ad_click\.asp\?banner _id=\'"
SecFilterSelective REQUEST_URI "/content\.asp\?CatId=\'"
SecFilterSelective REQUEST_URI "/content\.asp\?ContentId=\'"
SecFilterSelective REQUEST_URI "/content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/content\.asp\?do_search=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#Lighthouse Development Squirrelcart SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?crn=\'"

#PunBB version <= 1.2.2 auth bypass exploit
SecFilterSelective COOKIE_punbb_cookie "a\:2\:\{i\:0\;s\:.*\;i\:1\;b\:1\;\}"

#Multiple sql injection, and xss vulnerabilities in AspApp
SecFilterSelective REQUEST_URI "/content\.asp\?CatId=.*\&ContentType=(.*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/content\.asp\?CatId=\'"
SecFilterSelective REQUEST_URI "/content\.asp\?contenttype=(.*script|(http|https|ftp)\:/)"

#PaFileDB Version 3.1 and below SQL injection and XSS
SecFilterSelective REQUEST_URI "/pafiledb\.php\?action=viewall&id=&start=\'"
SecFilterSelective REQUEST_URI "/pafiledb\.php\?action=file&id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#E-Data 2.0 XSS
SecFilterSelective REQUEST_URI "cgi-bin/dir\.pl.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#PHPNuke general SQL injection
SecFilterSelective REQUEST_URI "/modules\.php\?.*name=.*UNION.*SELECT"

#InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php\?mod=pages&idp=\'"
SecFilterSelective REQUEST_URI "/MXShop/\?mod=category&id_ctg=\'"
SecFilterSelective REQUEST_URI "/index\.php\?mod=category&id_ctg=\'"
SecFilterSelective REQUEST_URI "/index\.php\?PHPSESSID=.*&id_man=\'"

#CPG Dragonfly XSS
SecFilterSelective REQUEST_URI "/index\.php\?name=.*\&file=.*\&meta=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?name=.*\&mode=.*&id=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/coppermine/displayimage/meta=.*/cat=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?name=.*&profile=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/epal/\?order_num=crap&payment=\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/epal/\?order_num=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#AlstraSoft EPay Pro Remote File Include Vulnerability
SecFilterSelective REQUEST_URI "/epal/index\.php\?view=(http|https|ftp)\:/"

#SiteEnable SQL injection and XSS
SecFilterSelective REQUEST_URI "content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#phpbb 2.0.13 download vuln
SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"

#Turnkey Websites Shopping Cart SQL injection
SecFilterSelective REQUEST_URI "/SearchResults\.php\?SearchTerm=\'"
SecFilterSelective REQUEST_URI "/SearchResults\.php\?SearchTerm=.*\'"

#Authenticaion bypass, Directory transversal and XSS vulnerabilities in PayProCart 3.0
SecFilterSelective REQUEST_URI "/usrdetails\.php\?sgnuptype=.*((javsscript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "adminshop/index\.php\?proMod=index\&amp.*toedit=\.\..*shopincs.*maintopENG"

#PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
SecFilterSelective REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#PHP-Nuke Input Validation Flaws in Search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#phpMyAdmin convcharset Parameter Cross Site Scripting
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

##phpBB Calendar Pro catergory Parameter SQL Injection
SecFilterSelective REQUEST_URI "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"

#cubecart SQL injection
SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'"
SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'"
SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'"
SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'" 

#PHPBB LinksLinks Pro Module SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/links\.php\?func=show&id=\'"

#LiteCommerce Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/cart\.php\?target=\'"
SecFilterSelective REQUEST_URI "/cart\.php\?target=category&category_id=\'"
SecFilterSelective REQUEST_URI "/cart\.php\?target=product&product_id=\'"

#PHP-Nuke "querylang" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/modules\.php\?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*\,"

#PHPBB DLMan Pro Module SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/dlman\.php\?func=file_info&file_id=\'"

#ModernBill XSS and file include
SecFilterSelective REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"

#TowerBlog! Discloses Hashed Administrative Password to Remote Users
SecFilterSelective THE_REQUEST "/_dat/login"

#Invision Power Board SQL injection
SecFilterSelective REQUEST_URI "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
#SQL injection in jPortal version 2.3.1
SecFilterSelective REQUEST_URI "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)"


#PinnacleCart XSS Attack
SecFilterSelective REQUEST_URI "/index\.php\?p=catalog&parent=.*&pg=\">"

#Serendipity exip.php SQL injection
SecFilterSelective REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM"

#phpbb p[lus
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"

#EasyPHPCalendar XSS
SecFilterSelective REQUEST_URI "/index\.php\?mo=.*&yr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#CalendarScript path discolsure and XSS
SecFilterSelective REQUEST_URI "/calendar\.pl\?calendar=.*&template=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/calendar\.pl\?calendar=.*&command=login&username=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#SPHPBlog Search.PHP Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/search\.php\?q=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"


#All4WWW-Homepagecreator
SecFilterSelective REQUEST_URI "/index.php?site=(http|https|ftp)\:/"

#zOOM Media Gallery SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?option=com_zoom&Itemid=.*&catid=*(AND|OR|INSERT|UNION|DELETE)"

#caught in honeypot
SecFilterSelective REQUEST_URI ".*\.php\?(do=.*&template=\{\$\{|inc=(http|https|ftp)\:/)"

#phpMyAdmin path vln
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

#PHP-Nuke Web_Links Multiple Variable SQL Injection
SecFilterSelective SCRIPT_FILENAME "modules\.php" chain
SecFilterSelective ARG_email|ARG_ratenum|ARG_min|ARG_show|ARG_orderby|ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#phpCOIN SQL injection
SecFilterSelective SCRIPT_FILENAME "mod\.php" chain
SecFilterSelective ARG_faq_id|ARG_id|ARG_topic_id|ARG_ord_id|ARG_dom_id|ARG_invd_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#NukeBookmarks  SQL injection
SecFilterSelective SCRIPT_FILENAME "modules\.php" chain
SecFilterSelective ARG_category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#e107 SQL injection
SecFilterSelective SCRIPT_FILENAME "news\.php" chain
SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#squirrelcart SQL injection
SecFilterSelective SCRIPT_FILENAME "index\.php" chain
SecFilterSelective ARG_crn "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"

#PHP-Nuke HTTP Response Splitting vuln
SecFilterSelective REQUEST_URI "modules\.php\?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#AzDGDatingPlatinum view.php id Variable XSS
SecFilterSelective REQUEST_URI "/view\.php\?l=.*&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

# AzDGDatingPlatinum index.php from Variable SQL Injection
SecFilterSelective REQUEST_URI "/members/index\.php\?l=.*&a=.*&from=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

# AzDGDatingPlatinum view.php id Variable SQL Injection
SecFilterSelective REQUEST_URI "/view.php\?l=.*&id=.*\'"

#PHPBB Remote Mod.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/moddb/mod\.php\?id=\'"

#CityPost PHP LNKX Input Validation Hole Permits Cross-Site Scripting Attacks
SecFilterSelective REQUEST_URI "/lnkx/message\.php\?msg=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#Coppermine Photo Gallery Multiple XSS
SecFilterSelective REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#PHP-Nuke Blind SQL Injection
SecFilterSelective REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*]+(from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#UBB Thread /ubbthreads/printthread.php SQL Injection Yes\No vulnerability
SecFilterSelective REQUEST_URI "/printthread\.php*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#coppermine remote file inclusion
SecFilterSelective REQUEST_URI "/theme\.php\?THEME_DIR=(http|https|ftp)/:/"

#E-Cart Mod remote command execution
SecFilterSelective REQUEST_URI "/index\.cgi\?action=.*&cat=.*&art=.*\|"

#phpBB Auction Mod SQL injection
SecFilterSelective REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*\'"
SecFilterSelective REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*\'"

#kali's tagboard remote command execution
SecFilterSelective REQUEST_URI "/admin/banned\.php\?&cmd="

#PHPBB Profile.PHP Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"

#PHPBB Viewtopic.PHP Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"

#Netref Remote Arbitrary File Creation Vulnerability
SecFilterSelective REQUEST_URI "script/cat_for_gen\.php"

# eGroupWare index.php cats_app Variable SQL Injection
SecFilterSelective REQUEST_URI "/index\.php\?menuaction=preferences\.uicategories\.index\&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

# eGroupWare tts/index.php filter Variable SQL Injection
SecFilterSelective REQUEST_URI "/tts/index\.php\?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

# eGroupWare sitemgr-site/index.php category_id Variable XSS
SecFilterSelective REQUEST_URI "/sitemgr/sitemgr-site/\?category_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

# eGroupWare wiki/index.php Multiple Variable XSS
SecFilterSelective REQUEST_URI "/index\.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?action=history&page=.*&lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

# eGroupWare index.php Multiple Variable XSS
SecFilterSelective REQUEST_URI "/index\.php\?menuaction=addressbook\.uiaddressbook\.edit\&ab_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?menuaction=manual\.uimanual\.view\&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?menuaction=forum\.uiforum\.post\&type=new.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?menuaction=wiki\.uiwiki\.edit\&page=setup.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#SQL Injections in MetaBid Auctions
SecFilterSelective REQUEST_URI "/item\.asp\?intAuctionID=\'"

#honeypot catch
SecFilterSelective REQUEST_URI "tiki-print\.php\?page=(http|https|ftp)\:/"

# phpBB Notes Mod SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/posting_notes\.php\?mode=editpost\&*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#phpCOIN SQL injection attacks
SecFilterSelective REQUEST_URI "/index\.php\?title=.*&search=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/login\.php\?w=.*&o=.*&phpcoinsessid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'"
SecFilterSelective REQUEST_URI "/mod\.php\?mod=siteinfo&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'&phpcoinsessid="
SecFilterSelective REQUEST_URI "/mod\.php\?mod=pages&mode=list&(dcat_id|topic_id)=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'\&phpcoinsessid=" 

#honeypot catch
SecFilterSelective REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"

#honeypot catch
#ideabox code injection
SecFilterSelective REQUEST_URI "/ideabox/include\.php" chain
SecFilter "(Dir=(http|https|ftp)\:/|\?\&(cmd|id|inc|name)=)"

#12Planet Chat Server Path Disclosure
# CVE: "CVE-MAP-NOMATCH"
SecFilterSelective REQUEST_URI "/qwe/qwe/index\.html"

#Agora CGI Cross Site Scripting
# CVE: "CVE-2001-1199"
SecFilterSelective REQUEST_URI  "/store/agora\.cgi\?cart_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#Apache Remote Command Execution via .bat files
# CVE: "CVE-2002-0061"
SecFilterSelective REQUEST_URI  "/test-cgi\.bat\?\|"

#cpanel remote command execution
SecFilterSelective REQUEST_URI "/cgi-sys/guestbook\.cgi\?user=cpanel&template=\|"

#Oracle 9iAS mod_plsql directory traversal
# CVE: "CAN-2001-1217"
SecFilterSelective REQUEST_URI  "/pls/sample/admin_/help/\.\."

#Zeus Admin Interface XSS
SecFilterSelective REQUEST_URI "/apps/web/vs_diag\.cgi\?server=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#Oracle 9iAS iSQLplus XSS
SecFilterSelective THE_REQUEST "/isqlplus\?action=logon&username=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

# main.cgi directory traversal and file access
SecFilterSelective REQUEST_URI "/main\.cgi\?next_file=*/"

#TorrentTrader SQL Injection
SecFilterSelective REQUEST_URI "/download\.php\?id=\'"

#OpenCA HTML Injection
# CVE: "CAN-2004-0787"
SecFilterSelective REQUEST_URI "/cgi-bin/pub/pki\?cmd=serverInfo"

#pdesk directory traversal and file theft
SecFilterSelective REQUEST_URI "/cgi-bin/pdesk\.cgi\?lang=\.\./\.\./"

#ShowCenter XSS
SecFilterSelective REQUEST_URI "/ShowCenter/SettingsBase\.php\?Skin=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#honeypot XSS attack
SecFilterSelective REQUEST_URI "/page\.php\?action=view&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#i-mall remote command execution attack
SecFilterSelective REQUEST_URI "/i-mall/i-mall\.cgi\?p=\|"

#PArser XSS
SecFilterSelective REQUEST_URI "/parser/parser\.php\?file=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#caught in honeypot
SecFilterSelective REQUEST_URI "/check_user_id\.php\?user_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#formmail probe
#SecFilterSelective THE_REQUEST "/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "GET .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "HEAD .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "POST .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$" 

#JGS-Portal ID Variable SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/jgs_portal\.php\?id=\'"

#SitePanel 2 command exec, file access
SecFilterSelective REQUEST_URI "/users/index\.php\?lang=en\.inc/\.\./\.\./"
SecFilterSelective REQUEST_URI "/users/main.php?p=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/admin/5\.php\?do=rmattach&rm=yes&id=\.\./"

#osTicket directory traversal
SecFilterSelective REQUEST_URI "/attachments\.php\?file=\.\./\.\."

#osticket remote file inclusion
SecFilterSelective REQUEST_URI "/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/"

#osticket SQL injection
SecFilterSelective REQUEST_URI "/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#Woltlab Burning Board JGS-Portal "id" SQL Injection
SecFilterSelective REQUEST_URI "/jgs_portal\.php" chain
SecFilter "id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#eSKUeL "ConfLangCookie" and "lang_config" Local File Inclusion
SecFilterSelective REQUEST_URI "include/functions\.inc\.php" chain
SecFilter "(ConfLangCookie|lang_config)=*\.\./"

#FishCart Cross-Site Scripting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "display\.php" chain
SecFilter "nlst=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

SecFilterSelective REQUEST_URI "upstracking\.php" chain
SecFilter "(eqagree|m|trackingnum)=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

SecFilterSelective REQUEST_URI "display\.php" chain
SecFilter "psku=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

SecFilterSelective REQUEST_URI "upstnt\.php" chain
SecFilter "cartid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

# vBulletin calendar.php comma Parameter Arbitrary Command Execution
SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"

#FishCart SQL injection
SecFilterSelective REQUEST_URI "/display\.php\?cartid=.*&zid=*&lid=*&nlst=*&olimit=*&cat=*&key*=&psku=\'"
SecFilterSelective REQUEST_URI "/upstnt\.php\?zid=.*&lid=.*&cartid=\'"

#PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion
SecFilterSelective REQUEST_URI "/admin_styles\.php\?phpbb_root_path=(http|https|ftp)\:/"

# Apache Jakarta-Tomcat? /admin Context Vulnerability
SecFilterSelective THE_REQUEST "/admin/\?op=\xc0"

#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST "/\?cwd=/"

#XSS in phpBB
SecFilterSelective THE_REQUEST "/(viewtopic|privmsg|bbcode)\.php\?" chain
SecFilter "\[url=(script|javascript|about|applet|activex|chrome)\:/"

#phbb admin forums XSS
SecFilterSelective THE_REQUEST "/admin_forums\.php\?" chain
SecFilter "\<[[:space:]]*(script|about|applet|activex|chrome)"

#HTMLJunction EZGuestbook Remote Database Disclosure Vulnerability
SecFilterSelective THE_REQUEST "/datastores/guestbook\.mdb"

#phpbb XSS
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"

#DirectTopics Topic.PHP SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/topic\.php\?topic=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#honeypot
SecFilterSelective REQUEST_URI "tiki-index\.php\?page=(http|https|ftp)\:/"

#Help Center Live Multiple Input Validation Vulnerabilities
SecFilterSelective REQUEST_URI "/faq/index\.php\?x=.*&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/tt/view\.php\?tid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/tt/download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/lh/icon\.php\?status=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/lh/chat_download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "/jgs_portal\.php\?anzahl_beitraege=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=mitglieder&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=themen&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=beitrag&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_beitraggraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_viewsgraf\.php\?jahr=.*&monat=.*&tag=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_themengraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_mitgraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_sponsor\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/jgs_portal_box\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#NPDS "comments.php" and "pollcomments.php" Remote SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/npds/comments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/npds/pollcomments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/npds/pollcomments\.php\?op=results&pollID=2&mode=&order=&thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#Gurgens Guest Book Remote Database Disclosure Vulnerability
SecFilterSelective THE_REQUEST "/db/Genit\.dat"

#PhotoPost Arbitrary Data vuln
SecFilterSelective REQUEST_URI "/member\.php\?ppaction=.*&verifykey=.*&uid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#OpenBB SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/read\.php" chain
SecFilterSelective ARG_TID "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#PostNuke "func" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"

#Bug Report Script Insertion Vulnerability
SecFilterSelective SCRIPT_FILENAME "bug_report\.php" chain
SecFilterSelective ARG_name|ARG_sujet|ARG_commentaries|ARG_os|ARG_navig|ARG_url "<[[:space:]]*(script|about|applet|activex|chrome)"

#NPDS SQL Injection and XSS Vulnerabilities
SecFilterSelective REQUEST_URI "/(pollcomments|comments)\.php" chain
SecFilterSelective ARG_thold "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective REQUEST_URI "/faq\.php" chain
SecFilterSelective ARG_categories "<[[:space:]]*(script|about|applet|activex|chrome)"

#Post tiki Wiki install rules
SecFilterSelective REQUEST_URI "/tiki-install\.php"
SecFilterSelective REQUEST_URI "/tiki-edit_templates\.php"

#phpATM Arbitrary Remote File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?include_location=(http|https|ftp)\:/"

#TOPo XSS vuln
SecFilterSelective REQUEST_URI "/index\.php\?m=(top|members)*<[[:space:]]*(script|about|applet|activex|chrome)"

#honeypot
SecFilterSelective REQUEST_URI "/news\.php\?tpath=(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "tiki-(index|print)\.php\?page=.*\?include_location=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "tiki-.*\?include_location=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "tiki-editpage\.php\?page=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "tiki-export_wiki_pages\.php\?page=(http|https|ftp)\:/"

#sawmill remote file access
SecFilterSelective THE_REQUEST "/cgi-bin/sawmill5\?.*\x22"

#mailview CGI remote file access`
SecFilterSelective REQUEST_URI "mailview\.cgi\?cmd=view&fldrname=.*&select=.*&html=\.\./\.\."

#Javamail info disclosure
SecFilterSelective REQUEST_URI "/Download\?/.*/web/WEB-INF/web\.xml"

#javamail file access
SecFilterSelective THE_REQUEST "/Download\?(\.\./|/\.\./|/etc/|/home/|/tmp/|/usr/|/backup/|/dev/|/proc/|/var/(cache|spool|mail|adm|log|tmp)/)"

#Gforge "viewFile.php" Remote Arbitrary Command Execution Vulnerability
SecFilterSelective REQUEST_URI "/viewFile\.php\?group_id=.*&file_name=\x0A"

#WebAPP v0.9.9.2.1 Remote Command Execution vuln
SecFilterSelective REQUEST_URI "/apage\.cgi?f=.*\|"

#honeypot
SecFilterSelective REQUEST_URI "/displayCategory\.php\?basepath=(http|https|ftp)\:/"

#PHP Poll Creator Include File Error Lets Remote Users Execute Arbitrary Commands 
SecFilterSelective REQUEST_URI "/poll_vote\.php\?relativer_pfad=(http|https|ftp)\:/"

#PostNuke version : x=> 0.750 SQL injection
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#SQL Injection Vuln for myBloggie 2.1.1 - 2.1.2
SecFilterSelective REQUEST_URI "index\.php\?month_no=.*&year=.*&mode=viewdate&date_no=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"

#powerdownload remote file include
SecFilterSelective REQUEST_URI "/downloads\.php\?release_id=.*&incdir=(http|https|ftp)\:/"

#X-Cart SQL inject vulns
SecFilterSelective REQUEST_URI "/home\.php\?(cat|printable)=\'"
SecFilterSelective REQUEST_URI "/product\.php\?(product|mode)=\'"
SecFilterSelective REQUEST_URI "/error_message\.php\?access_denied&id=\'"
SecFilterSelective REQUEST_URI "/help\.php\?section=\'"
SecFilterSelective REQUEST_URI "/(orders|register|search)\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/giftcert\.php\?(gcid|gcindex)=\'"

#Calendarix Advanced
SecFilterSelective REQUEST_URI "/cal_week\.php\?op=week&catview=.*\'"
SecFilterSelective REQUEST_URI "/cal_cat\.php\?op=cats&catview=.*\'"
SecFilterSelective REQUEST_URI "/cal_day\.php\?op=.*&date=.*&catview=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/cal_pophols\.php\?id=.*\'"


#MyBulletinBoard SQL injection
SecFilterSelective REQUEST_URI "/online\.php\?pidsql=\)(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/memberlist\.php\?usersearch=\%\'"
SecFilterSelective REQUEST_URI "/editpost\.php\?pid=\'"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?fid=\'"
SecFilterSelective REQUEST_URI "/newreply\.php\?tid=\'"
SecFilterSelective REQUEST_URI "/search\.php\?action=.*&(sid|uid)=*\'"
SecFilterSelective REQUEST_URI "/showthread\.php\?(tp)id=\'"
SecFilterSelective REQUEST_URI "/usercp2\.php\?tid=\'"
SecFilterSelective REQUEST_URI "/printthread\.php\?tid=\'"
SecFilterSelective REQUEST_URI "/reputation\.php\?pid=\'"
SecFilterSelective REQUEST_URI "/portal\.php\?action=do_login&username=\'"
SecFilterSelective REQUEST_URI "/polls\.php\?action=newpoll&tid=\'"
SecFilterSelective REQUEST_URI "/ratethread\.php\?tid=\'"

#MyBulletinBoard XSS
SecFilterSelective REQUEST_URI "/misc\.php\?action=syndication&forums.*=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/misc\.php\?action=syndication&forums.*=.*&version*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/misc\.php\?action=syndication&limit=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?fid=.*&datecut=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?fid=.*&page=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/member\.php\?agree=.*&username=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/member\.php\?agree=.*&(email|email2)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/memberlist\.php\?(page|usersearch)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/showthread\.php\?mode=linear&tid=.*&pid=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/showthread\.php\?mode=linear&tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/printthread\.php?tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"

#Wordpress SQL injection
SecFilterSelective REQUEST_URI "/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/wp-trackback\.php" chain
SecFilterSelective ARG_tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#MWChat remote file inclusion vuln
SecFilterSelective REQUEST_URI "/libs/start_lobby\.php\?CONFIG.*=(http|https|ftp)\:/"

#phpCMS "class.layout_phpcms.php" Remote Arbitrary File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/parser\.php\?&phpcmsaction=FILEMANAGER&language=.*(/\.\./|(http|https|ftp)\:/)"

#Exhibit Engine Remote SQL Injection Vulnerabilities
SecFilterSelective THE_REQUEST "/search_row=ee_photo\.ee_photo_exif_iso.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/list\.php" chain
SecFilter "(search_row|sort_row|order|perpage)=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#phpCMS "language" Local File Inclusion Vulnerability
SecFilterSelective SCRIPT_FILENAME "/parser\.php" chain
SecFilterSelective ARG_laguage "/\.\./"

#Popper "form" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/childwindow\.inc\.php" chain
SecFilter "form=.*(/\.\./|(http|https|ftp)\:/)"

#phpThumb() "src" Exposure of Sensitive Information
SecFilterSelective SCRIPT_FILENAME "/phpThumb\.php" chain
SecFilterSelective ARG_src "/\.\./"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#e107 eTrace Plugin Shell Command Injection Vulnerability
SecFilterSelective SCRIPT_FILENAME "/dotrace\.php" chain
SecFilterSelective ARG_etrace_cmd|ARG_etrace_host "(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

#WebHints Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/hints\.pl.*\|"

#Invision Gallery SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#Ovidentia FX "babInstallPath" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_babInstallPath "(/\.\./|(http|https|ftp)\:/)" 

#Siteframe "LOCAL_PATH" File Inclusion Vulnerability
SecFilterSelective SCRIPT_FILENAME "/siteframe\.php" chain
SecFilterSelective ARG_LOCAL_PATH "(/\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/siteframe\.php\?LOCAL_PATH=(http|https|ftp)\:/"

#e107 ePing Plugin Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/doping\.php" chain
SecFilterSelective ARG_eping_cmd|ARG_eping_host|ARG_eping_count "(cd|\;|(ba|tc|c|z)sh|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

#Invision Community Blog Module SQL injection
SecFilterSelective REQUEST_URI "/index.php" chain
SecFilterSelective ARG_mid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"

#MWChat "CONFIG[MWCHAT_Libs]" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "CONFIG\[MWCHAT_Libs\]" chain
SecFilter "(/\.\./|(http|https|ftp)\:/)"

#YaPiG Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "last_gallery\.php" chain
SecFilterSelective ARG_YAPIG_PATH "(/\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "BASE_DIR.*(/\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/upload\.php" chain
SecFilterSelective ARG_dir "(/\.\./|.*\.\./)"

#honeypot catch
SecFilterSelective REQUEST_URI "/write\.php\?dir=(http|https|ftp)\:/"

#socialMPN Remote SQL Injection and Path Disclosure Vulnerabilities
SecFilterSelective REQUEST_URI "/article\.php\?sid=\x27"
SecFilterSelective REQUEST_URI "/user\.php\?uname=\'"
SecFilterSelective REQUEST_URI "/viewforum\.php\?forum=.*&siteid=\x2527"
SecFilterSelective REQUEST_URI "/newtopic\.php\?username=\'&password="
SecFilterSelective REQUEST_URI "/sections.php\?op=listarticles&secid=(\x27|\x2527)"
SecFilterSelective REQUEST_URI "/index\.php\?siteid=\'&op=show&aftersid="
SecFilterSelective REQUEST_URI "/friend\.php\?sid=\x2527&yname=.*&ymail=.*&fname=.*&fmail=.*&op=SendStory"

#JBOSS Installation Path and Configuration File disclosure
SecFilterSelective THE_REQUEST "^\%\."
SecFilterSelective THE_REQUEST "^\%server\.policy"

#Mambo 'com_contents' Input Validation Hole in 'user_rating' SQL Injection 
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"


#Web Store remote command execution
SecFilterSelective REQUEST_URI "web_store\.cgi\?page=.*\|"

#Mambo "user_rating" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/content\.php" chain
SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Cacti remote file inclusion vuln
SecFilterSelective REQUEST_URI "/(top_graph_header|config_settings)\.php\?.*=(http|https|ftp)\:/" 

#Claroline E-Learning SQL injection
SecFilterSelective REQUEST_URI "/(userInfo|exercises_details)\.php\?(uInfo|exo_id)=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "\?uInfo=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"

#Forum Russian Board 4.2 Full command execution vuln
SecFilterSelective THE_REQUEST "message=.*&form_h=.*&style_edit_ok=\xC8x\E7x\ECx\E5x\EDx\E8x\F2x\FC"

#SMF Modify SQL Injection vuln
SecFilterSelective REQUEST_URI "/index\.php\?action=(login|profile).*msg=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#cpanel XSS vuln
SecFilterSelective THE_REQUEST "/login\?user=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Cacti command execution vuln
SecFilterSelective REQUEST_URI "\.php\?rrdtool=*(cd |\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective REQUEST_URI "/graph_image\.php\?local_graph_id=.*\x0a"

#honeypot
SecFilterSelective REQUEST_URI "/index\.php\?pagina=(http|https|ftp)\:/"

#PHPNuke spam hole
SecFilterSelective REQUEST_URI "/modules\.php\?name=WebMail\&file=nlmail"

#Community Link Pro "file" Shell Command Injection Vulnerability
SecFilterSelective THE_REQUEST "/login\.cgi\?username=.*command=.*do=.*password=.*file=\|"

#Pavsta Auto Site "sitepath" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "user_check\.php" chain
SecFilterSelective ARG_sitepath "((http|https|ftp)\:/|(/\.\./|.*\.\./))"

#Comdevn eCommerce Form Handler Vulnerabilities
SecFilterSelective THE_REQUEST "/index\.php\?homeinclude=catalog&category_id=&parent_id=.*" chain
SecFilter "<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"

#Plans "evt_id" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "plans\.cgi" chain
SecFilterSelective ARG_evt_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Sukru Alatas Guestbook Exposure of User Credentials
SecFilterSelective THE_REQUEST "db/gbdb\.mdb"

#CSV_DB / i_DB Arbitrary Command Execution Vulnerability
SecFilterSelective THE_REQUEST "csv_db\.cgi" chain
SecFilterSelective ARG_file "\|"

#PHP-Fusion database backup file retrieval vuln
SecFilterSelective THE_REQUEST "/(fusion_admin|administration)/db_backups/"

#PHP-Fusion XSS vuln
SecFilterSelective THE_REQUEST "/submit\.php?.*(news_body|article_description|article_body).*<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"

#UBB.threads SQL Injection
SecFilterSelective THE_REQUEST "/download\.php\?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar\.php\?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar\.php\?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*year=.*"
SecFilterSelective THE_REQUEST "/modifypost\.phpCat=.*&Username=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
SecFilterSelective THE_REQUEST "/mailthread\.php\?Cat=.*&Board=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/viewmessage\.php\?Cat=&message=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(addfav\|notifymod|grabnext).php\?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Xoops XML sql injection
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilterSelective POST_PAYLOAD "<methodName>blogger\.getUsersBlogs</methodName>" chain
SecFilter ".*\' AND ascii\(substring\(pass"

#Wordpress cat vuln
SecFilterSelective REQUEST_URI  "/wordpress/" chain
SecFilterSelective ARG_cat "!^[0-9]*$"

#Atomicboard path recursion
SecFilterSelective THE_REQUEST "/atomicboard/index\.php\?location=\.\./\."

#basilix path recursion
SecFilterSelective THE_REQUEST "/basilix\.php3\?request_id\[.*\]=\.\./\."

#bigconf path recursion vuln
SecFilterSelective THE_REQUEST "/bigconf\.cgi\?command=view_textfile&file=/"

#a1disp3 path recursion vuln
SecFilterSelective THE_REQUEST "/a1disp3\.cgi\?/\.\./"

#contacts remote file inclusion
SecFilterSelective THE_REQUEST "/contacts\.php\?cal_dir=(http|https|ftp)\:/"

#CuteNews Search remote file inclusion
SecFilterSelective THE_REQUEST "/cutenews/search\.php\?cutepath=(http|https|ftp)\:/"

#Dynamic Pages config remote file inclusion
SecFilterSelective THE_REQUEST "/config_page\.php\?do=.*&du=site&edp_relative_path=(http|https|ftp)\:/"

#Edit_image file recursion vuln
SecFilterSelective THE_REQUEST "/edit_image\.php\?dn=.*&userfile=/"

#export.php directory recursion vuln
SecFilterSelective THE_REQUEST "/export\.php\?\?what=\.\./\."

#awol-condensed remote file inclusion
SecFilterSelective THE_REQUEST "/awol-condensed\.inc\.php\?path=(http|https|ftp)\:/"

#config.php remote file inclusion
SecFilterSelective THE_REQUEST "/config\.php\?relative_script_path=(http|https|ftp)\:/"

#hnmain remote file inclusion
SecFilterSelective THE_REQUEST "/hnmain\.inc\.php3\?config\[incdir\]=(http|https|ftp)\:/"

#template remote file inclusion
SecFilterSelective THE_REQUEST "/index\.php\?board=.*;action=.*;ext=.*;template=(http|https|ftp)\:/"

#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx"
SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#Cacti no_http_headers security vuln
SecFilterSelective THE_REQUEST "/config\.php\?" chain
SecFilterSelective ARG_no_http_headers ".*"

#Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
SecFilterSelective THE_REQUEST "/source\.php\?" chain
SecFilterSelective ARG_file "\.\."

#nabopoll "path" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "/survey\.inc\.php\?" chain
SecFilterSelective ARG_path "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"
SecFilterSelective THE_REQUEST "/survey\.inc\.php\?path=(http|https|ftp)\:/"

#DCP-Portal remote file include
SecFilterSelective THE_REQUEST "/editor/editor\.php\?root=(http|https|ftp)\:/"

#phpBB remote code execution vuln
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"

#Virus HTTP Challenge/Reponse Auth
SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain
SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"

#Unknown Malware
SecFilterSelective THE_REQUEST "/mcp/mcp\.cgi"

# osTicket "t" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/view\.php" chain
SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Mark Kronsbein MyGuestbook "lang" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "/form\.inc\.php3" chain
SecFilterSelective ARG_lang "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"

#phpPgAdmin "formLanguage" Local File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "/index\.php" chain
SecFilterSelective ARG_formLanguage "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#PPA Include File Bug remote file inclusion
SecFilterSelective THE_REQUEST "/functions\.inc\.php\?config\[ppa_root_path\]=(http|https|ftp)\:/"

#SPiD Include File Bug remote file inclusion
SecFilterSelective THE_REQUEST "/lang/lang\.php\?lang_path=(http|https|ftp)\:/"

#Id Board 'tbl_suff' Input Validation Hole SQL injection
SecFilterSelective THE_REQUEST "/index\.php\?site=.*&f=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#DownloadProtect "file" Disclosure of Sensitive Information
SecFilterSelective THE_REQUEST "/download\.php\?" chain
SecFilterSelective ARG_file "\.\./"

#phpSecurePages "cfgProgDir" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "phpSecurePages/secure\.php" chain
SecFilterSelective ARG_cfgProgDir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#PunBB SQL Injection and PHP Code Execution Vulnerabilities
SecFilterSelective THE_REQUEST "/profile\.php" chain
SecFilterSelective ARG_temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "redirect_url.*(http|https|ftp)\:/.*cmd="

#pngcntrp "kaiseki.cgi" Shell Command Injection Vulnerability
SecFilterSelective THE_REQUEST "/kaiseki\.cgi.*\|"

#phpWebSite SQL Injection and Disclosure of Sensitive Information
SecFilterSelective THE_REQUEST "index\.php" chain
SecFilterSelective ARG_mod|ARG_module "(\.\./|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view))"

#Simple PHP Blog Exposure of User Credentials
SecFilterSelective THE_REQUEST "config/password\.txt"

#Squito Gallery "photoroot" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "photolist\.inc\.php" chain
SecFilterSelective ARG_photoroot "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#iPhotoAlbum File Inclusion Vulnerabilities
SecFilterSelective THE_REQUEST "/getpage\.php" chain
SecFilterSelective ARG_docpath|ARG_path "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
SecFilterSelective THE_REQUEST "header\.php" chain
SecFilterSelective ARG_set_menu "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#Yawp "_Yawp[conf_path]" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "_Yawp\[conf_path\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#Phpauction GPL Multiple Vulnerabilities
SecFilterSelective THE_REQUEST "/index\.php" chain
SecFilterSelective ARG_lan "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
SecFilterSelective THE_REQUEST "/adsearch\.php" chain
SecFilterSelective ARG_category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#USANet Creations Products Shell Command Injection Vulnerability
SecFilterSelective THE_REQUEST "/dispallclosed\.pl.*\|"

#Web-Portal-System 'wps_shop.cgi' Remote Command Execution 
SecFilterSelective THE_REQUEST "/wps_shop\.cgi" chain
SecFilterSelective ARG_art "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
SecFilterSelective THE_REQUEST "/wps_shop\.cgi" chain
SecFilterSelective ARG_cat "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
SecFilterSelective THE_REQUEST "/wps_shop\.cgi" chain
SecFilter "art=\|.+\|"

#class-1 Forum Software SQL Injection
SecFilterSelective THE_REQUEST "/viewattach\.php" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/users\.php" chain
SecFilterSelective ARG_viewuser_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/viewforum\.php" chain
SecFilterSelective ARG_forum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#MooseGallery "type" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "/display\.php" chain
SecFilterSelective ARG_type "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#honetpot catch
SecFilterSelective THE_REQUEST "\x03\x03\x03\x03\x18\x18\x18\x18\x1a\x1c\x1a\x1c\x1c4r43tr"

#CaLogic "CLPATH" Arbitrary File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "(clmcpreload|mcconfig)\.php" chain
SecFilterSelective ARG_CLPATH "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#OpenBB sql injection 
SecFilterSelective THE_REQUEST "/index\.php\?CID=.*\+union\+select\+.*\,.*\,password.*from\+profiles\+where"

#ReviewPost PHP Pro "sort" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/showproduct\.php" chain
SecFilterSelective ARG_sort "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#PHPNews "user" and "password" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/auth\.php" chain
SecFilterSelective ARG_user|ARG_password "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#PHP Surveyor Remote SQL Injection
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_sid|ARG_start|ARG_id|ARG_lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Invision PowerBoard 1.3.x - 2.0 SQL injection
SecFilterSelective THE_REQUEST "/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"

#sendcard "id" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST  "/sendcard\.php" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Report from user
SecFilterSelective THE_REQUEST "/functions_admin\.php\?phpbb_root_path=(http|https|ftp)\:/"

#SQL injection vuln in Contrexx
SecFilterSelective THE_REQUEST "/index\.php\?section=gallery&cmd=.*&cid*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#PHP FirstPost remote file include
SecFilterSelective THE_REQUEST "/block\.php\?Include=(http|https|ftp)\:/"

#DCForum remote file viewing
SecFilterSelective THE_REQUEST "/dcforum\.cgi\?az=.*&forum=*\.\./\.\."

#Atomic Photo Album "apa_module_basedir" File Inclusion
SecFilterSelective THE_REQUEST "/apa_phpinclude\.inc\.php" chain
SecFilterSelective ARG_apa_module_basedir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#VBZooM "SubjectID" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/show\.php" chain
SecFilterSelective ARG_SubjectID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Phorm remote file inclusion protections
SecFilterSelective THE_REQUEST "/phorm\.php" chain
SecFilterSelective ARG_PHORM_* "(http|https|ftp)\:/"

#Athena Web Registration Remote Command Execution Vuln
SecFilterSelective THE_REQUEST "/athenareg\.php\?pass=\x20\;"

#wowBB view_user.php SQL Injection
SecFilterSelective THE_REQUEST "/wowbb/view_user\.php\?" chain
SecFilter "sort_by=\'" chain
SecFilter "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Simplicity oF Upload remote command exec and remote file inclusion
SecFilterSelective THE_REQUEST "/download\.php\?language=(upload\.php|(http|https|ftp)\:/)"

#uguestbook exploit
SecFilterSelective THE_REQUEST "/mdb-database/guestbook\.mdb"

#FtpLocate remote command execution
SecFilterSelective THE_REQUEST "/flsearch\.pl" chain
SecFilter "query=.*&fsite=*\|"

#PHPmyGallery "confdir" File Inclusion Vulnerability
SecFilterSelective THE_REQUEST "/common-tpl-vars\.php" chain
SecFilterSelective ARG_confdir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#Netquery 3.1 Remote Command Execution vuln
SecFilterSelective POST_PAYLOAD "op=modload*&name=Net.*&file=*&query=ping&host=*\|"

#MySQL Eventum SQL Injection Vulnerabilities
SecFilterSelective THE_REQUEST "/includes/class\.auth\.php" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Kayako LiveResponse SQL injection
SecFilterSelective THE_REQUEST "/index\.php\?date=.*\x20.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#PHPlist SQL injection
SecFilterSelective THE_REQUEST "lists/admin/\?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#ChurchInfo SQL injection vulns
SecFilterSelective THE_REQUEST "/(PersonView|MemberRoleChange|PropertyAssign|WhyCameEditor|GroupPropsEditor|Reports/PDFLabel|UserDelete)\.php" chain
SecFilterSelective ARG_PersonID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DepositSlipEditor\.php" chain
SecFilterSelective ARG_DepositSlipID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/QueryView\.php" chain
SecFilterSelective ARG_QueryID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(GroupView|GroupMemberList|MemberRoleChange|GroupDelete|/Reports/ClassAttendance|/Reports/GroupReport)\.php" chain
SecFilterSelective ARG_GroupID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/PropertyEditor\.php" chain
SecFilterSelective ARG_PropertyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/PledgeDetails\.php" chain
SecFilterSelective ARG_PledgeID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(AutoPaymentEditor|Canvas05Editor|CanvassEditor)\.php" chain
SecFilterSelective ARG_FamilyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#denial of service attack on Flex PHPNews 0.0.4
SecFilterSelective REQUEST_URI "/news\.php?(prenumber|nextnumber)=[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+"

#SQL admin bypass for Flex PHPNews 0.0.4
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilter "\' OR \'a\'='a*\' OR \'a\'=\'a"

#Naxtor Shopping Cart SQL Injection
SecFilterSelective REQUEST_URI  "/(lost_passowrd|lost_password)\.php" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI  "/shop_display_products\.php\?cat_id=\'"

#OpenBook "admin.php" Remote SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/admin\.php" chain
SecFilterSelective ARG_userid "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"
SecFilterSelective REQUEST_URI  "/admin\.php" chain
SecFilterSelective ARG_password "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"

#'web content management'Add admin user bypass vuln
SecFilterSelective REQUEST_URI  "/Admin/Users/AddModifyInput\.php"

#Silvernews 2.0.3 command injection backdoor
SecFilterSelective REQUEST_URI "/templates/tpl_global\.php\?command="
SecFilterSelective REQUEST_URI "/templates/tpl_global\.php\?"

#PortailPHP Index.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?affiche=Forum-read_mess&id=\'"

#python namespace exposure with karrigell services
SecFilterSelective THE_REQUEST ".*\.ks/.*\?\x22"
SecFilterSelective THE_REQUEST ".*\.ks/(file|input|open|raw_input|reload|((s|g)et|del|has)attr|import|callable|compile|execfile|exec|globals)"

#Flatnuke remote command vuln
SecFilterSelective REQUEST_URI "/forum/users/.*\.php\?command="

#Forum Russian Board (FRB) SQL injection vulns
SecFilterSelective REQUEST_URI "/reply_in.php?subject_reply=.*&name_reply=.*\'"
SecFilterSelective REQUEST_URI "(search_msg_us|view_profile.php)\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
SecFilterSelective REQUEST_URI "/send_mail_user\.php" chain
SecFilterSelective ARG_id_mail "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
SecFilterSelective REQUEST_URI "/(set|new|reply)\.php" chain
SecFilterSelective ARG_name_ig_array "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
SecFilterSelective REQUEST_URI "/menu_header\.php" chain
SecFilterSelective ARG_table_sql "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
SecFilterSelective REQUEST_URI "/registr_1\.php" chain
SecFilterSelective ARG_telephone "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"

#Owl Intranet Engine SQL injection
SecFilterSelective REQUEST_URI "/browse\.php\?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#PHP-Fusion Messages.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/messages\.php\?msg_view=\'"

#MySQL Eventum SQL injection
SecFilterSelective REQUEST_URI "/login\.php" chain
SecFilter "cat=login&url=&email=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#phpIncludes News System SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/news_change_category\.php" chain
SecFilterSelective ARG_category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Comdev eCommerce File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"

#honeypot
SecFilterSelective REQUEST_URI "/write.php" chain
SecFilter "dir=(http|https|ftp)\:/"

#Gravity Board X SQL injection vuln
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#Gravity Board X command injection vulnerability
SecFilterSelective REQUEST_URI "/editcss\.php\?" chain
SecFilter "csscontent=\</style\>\<\?php"

#Open Bulletin Board SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/(board|read|member)\.php" chain
SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/(board|read|member)\.php" chain
SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/(board|read|member)\.php" chain
SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#XMB Forum 1.9.1 sql injection
SecFilterSelective REQUEST_URI "/xmb\.php" chain
SecFilterSelective ARG_in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Funkboard command injection vuln
SecFilterSelective REQUEST_URI "/info\.php\?command="

#honeypot catch
SecFilterSelective REQUEST_URI "/forum/users/jimyhendrix\.php\?command="

#XMB Forum sql injection
SecFilterSelective REQUEST_URI "include/u2u\.inc\.php" chain
SecFilterSelective ARG_u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#WordPress "cache_lastpostdate" PHP Code Insertion
SecFilterSelective ARG_cache_lastpostdate "<\?php"

#honeypot
SecFilterSelective REQUEST_URI "/lib\.php\?root=(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "/index\.php\?(content|menu)=(http|https|ftp)\:/"

#PHPTB Topic Boards 2.0  sql injection vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?act=emailvalidate&mid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#FreznoShop product_details.php id Variable SQL Injection
SecFilterSelective REQUEST_URI "/product_details\.php" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#ECW Shop SQL injection
SecFilterSelective REQUEST_URI "/index\.php\?c=.*&ctg=.*&id=.*&key=.*&comp=.*&min.*\'"

#Mig Remote Cross-Site Scripting vuln
SecFilterSelective REQUEST_URI "/index\.php\?currDir=.*[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#ezupload remote file inclusion vuln
SecFilterSelective REQUEST_URI "(customize|initialize|form|index)\.php\?path=(http|https|ftp)\:/"

#Dokeos Multiple Directory Traversal Vulnerabilities
SecFilterSelective REQUEST_URI "/scorm/scormdocument\.php" chain
SecFilter "\.\."
SecFilterSelective REQUEST_URI "/claroline/document/document\.php" chain
SecFilterSelective ARG_move_file "\.\."
SecFilterSelective REQUEST_URI "/claroline/document/document\.php" chain
SecFilterSelective ARG_move_to "\.\."

#PHPOpenChat Script Insertion Vulnerabilities
SecFilterSelective REQUEST_URI "/(profile|profile_misc|mail)\.php" chain
SecFilterSelective ARG_title|ARG_content|ARG_motto|ARG_subject "[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

# FunkBoard mysql_install.php Email Field Arbitrary PHP Code Injection
SecFilterSelective REQUEST_URI "/mysql_install\.php" chain
SecFilterSelective ARG_Email "\<.*php"

#phpPgAds SQL injection
SecFilterSelective REQUEST_URI "/lib-view-direct\.inc\.php" chain
SecFilterSelective ARG_clientid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Honeypot catch
SecFilterSelective REQUEST_URI "/guest\.php\?page=(http|https|ftp)\:/"

#PHPTB "absolutepath" Arbitrary File Inclusion Vulnerability
SecFilterSelective REQUEST_URI ".*\.php\?absolutepath=(http|https|ftp)\:/"

#PHPFreeNews SQL Injection and Cross-Site Scripting
SecFilterSelective REQUEST_URI "/SearchResults\.php" chain
SecFilterSelective ARG_Match|ARG_CatID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#w-Agora "site" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php\?site=.*\x00"

#Zorum prod.php Arbitrary Command Execution Vulnerability
SecFilterSelective REQUEST_URI "/prod\.php\?argv\[.*\]=\|"

#Zorum path disclosure
SecFilterSelective REQUEST_URI "/gorum/(notification|trace|badwords|flood)\.php"
SecFilterSelective REQUEST_URI "/zorum/(user|attach|blacklist|forum|globalstat)\.php"

#Land Down Under SQL injection vulns
SecFilterSelective REQUEST_URI "/forums\.php\?m=topics&s=\'"
SecFilterSelective REQUEST_URI "/list\.php\?c=.*&s=.*&.*\'"
SecFilterSelective REQUEST_URI "/list\.php\?c=.*&s=\'"
SecFilterSelective REQUEST_URI "/links\.php\?c=.*&s=.*&w=\'"
SecFilterSelective REQUEST_URI "/journal\.php?m=.*\'"
SecFilterSelective REQUEST_URI "/forums\.php?filter=forums.*x='"
SecFilterSelective REQUEST_URI "/forums\.php?m=.*\'"
SecFilterSelective REQUEST_URI "/forums\.php?m=\'"

#Woltlab Burning Board ModCP.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/modcp\.php\?action=post_del&x=\'"
SecFilterSelective REQUEST_URI "/modcp\.php\?action=post_del&x.*\'"

#Cacti graph_image.php Remote Command Execution
SecFilterSelective REQUEST_URI "/graph_image\.php" chain
SecFilter "graph_start=x0a.+x0a"

#AreaEdit SpellChecker Plugin Code Execution Vulnerability
SecFilterSelective REQUEST_URI "/aspell_setup\.php" chain
SecFilterSelective ARG_dictionary "(\;|\|)"

#WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/send_reminders\.php" chain
SecFilterSelective ARG_includedir "(\.\./|(http|https|ftp)\:/)"

#PHPKit SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "login/imcenter\.php" chain
SecFilterSelective ARG_im_receiver "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "login/member\.php" chain
SecFilterSelective ARG_letter "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

#Netquery "host" Parameter Arbitrary Command Execution
SecFilterSelective REQUEST_URI "/nquser\.php" chain
SecFilterSelective ARG_host "\|"

#SaveWebPortal include PHP scripts vuln
SecFilterSelective REQUEST_URI "admin/PhpMyExplorer/editerfichier\.php\?chemin=\.&fichier=header\.php&type=Source"

#SaveWebPortal remote/local file inclusion vuln
SecFilterSelective REQUEST_URI "menu_dx\.php" chain
SecFilterSelective ARG_SITE_Path "(\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "menu_sx\.php" chain
SecFilterSelective ARG_CONTENTS_Dir "(\.\./|(http|https|ftp)\:/)"

#RunCMS SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "newbb_plus/newtopic\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "newbb_plus/print\.php\?msgid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&op="
SecFilterSelective REQUEST_URI "newbb_plus/(edit|reply)\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*post_id=.*&topic_id=.*&viewmode=.*&order=.*"

#honeypot catch
SecFilterSelective REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"

#PostNuke "show" Parameter SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"

# PaFileDB cookie SQL injection
SecFilterSelective REQUEST_URI "/pafiledb\.php\?action=admin" chain
SecFilterSelective COOKIE_pafiledbcookie ".*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)|union.*select.*[0-9]+\,[0-9]+\,\'.*pass)"

#Looking Glass v20040427 arbitrary commands execution
SecFilterSelective REQUEST_URI "/lg\.php" chain
SecFilter "func=.*&ipv=.*&target.*\|"
SecFilterSelective REQUEST_URI "/lg\.php" chain
SecFilterSelective ARG_target "\|"

#probe.cgi remote file inclusion and command execution
SecFilterSelective REQUEST_URI "/probe\.cgi\?olddat=(\||(http|https|ftp)\:/)"

# phpMyAdmin XSS vulns
SecFilterSelective REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/error\.php" chain
SecFilterSelective ARG_error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Looking Glass v20040427 XSS vulns
SecFilterSelective REQUEST_URI "/(footer|header)\.php\?version\[.*\]=" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#phpLDAPadmin welcome.php Arbitrary File Inclusion
SecFilterSelective REQUEST_URI "/welcome\.php\?custom_welcome_page=(http|https|ftp)\:/"

#Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion
SecFilterSelective REQUEST_URI "/comment_delete_cgi\.php" chain
SecFilterSelective ARG_comment "(/|\.\.|config/password\.txt)"

#nested URL tags exploit for some BBcode implementations
SecFilterSelective REQUEST_URI ".*\.php" chain
SecFilterSelective POST_PAYLOAD|ARGS "\[url=\[url="

#AutoLinks Pro "alpath" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/al_initialize\.php" chain
SecFilterSelective ARG_alpath "(ftp|http|https)\:/"

#Simple PHP Blog Image File Upload Vulnerability
SecFilterSelective REQUEST_URI "/upload_img_cgi\.php" chain
SecFilterSelective POST_PAYLOAD|ARGS "\.php"

#phpWebNotes Include File Error in 'php_api.php'
SecFilterSelective REQUEST_URI "/api\.php\?t_path_core=(http|https|ftp)\:/"

#FlatNuke "id" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_id "(http|https|.ftp)\:/"

#CMS Made Simple File Inclusion
SecFilterSelective REQUEST_URI "admin/lang\.php.*nls\[file\]\[vx\]\[vxsfx\].*(http|https|.ftp)\:/"

#Phorum "Username" Script Insertion Vulnerability
SecFilterSelective REQUEST_URI "register\.php" chain
SecFilterSelective ARG_Username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Test CGI probe
SecFilterSelective THE_REQUEST "/test-cgi HTTP\/(0\.9|1\.0|1\.1)$"

#Annoying Cisco IOS HTTP configuration probe attempts
SecFilterSelective REQUEST_URI "/level/[0-9]+/exec/-/+pwd"

#myBloggie "username" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/login\.php" chain
SecFilterSelective ARG_username "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#PBLang <= 4.65 remote commands exec exploit sig
SecFilterSelective THE_REQUEST "Content-Length:.*user=.*pass=.*pass2=.*oldpass=.*loc.*(\x22|system)"

#man2web cgi-scripts remote command spawn
SecFilterSelective REQUEST_URI "/(man-cgi|man2web|man2html)" chain
SecFilter "\x20"
SecFilterSelective REQUEST_URI "/(man-cgi|man2web|man2html)" chain
SecFilter "\|"

#SimplePHPBplog vulns
SecFilterSelective REQUEST_URI "/comment_delete_cgi\.php\?y=.*&m=.*&comment.*(/|\.\.)"
SecFilterSelective REQUEST_URI "/comment_delete_cgi\.php\?.*/config/password\.txt"
SecFilterSelective REQUEST_URI "/images/reset\.php"
SecFilterSelective REQUEST_URI "/images/cmd\.php\?cmd="
SecFilterSelective REQUEST_URI "/upload_img_cgi.php" chain
SecFilterSelective POST_PAYLOAD "(Content.*\.php|cmd\.php|reset\.php)"
SecFilterSelective REQUEST_URI "/install03_cgi\.php\?blog_language=english.*[A-Z|a-z|0-9]"
SecFilterSelective THE_REQUEST "<hr+><pre>.*Command\: [A-Z|a-z|0-9|\w].*pre><hr"

#aMember Pro "config['root_dir']" Remote File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"
SecFilterSelective REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php" chain
SecFilter "(http|https|ftp):/"
SecFilterSelective REQUEST_URI "\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"

#CuteNews Input Validation Hole
SecFilterSelective REQUEST_URI "/cute/data/flood\.db\.php" 

#DeluxeBB SQL injection
SecFilterSelective REQUEST_URI "community/index\.php\?limit=\'"


#honeypoit
SecFilterSelective REQUEST_URI "/admin_module_deldir\.php\?config\[.*\]=(http|https|ftp)\:/"

#honeypot catch
SecFilterSelective REQUEST_URI "/view\.php\?inc=(http|https|ftp)\:/"

#Alkalay contribute "template" Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/contribute\.pl" chain
SecFilterSelective ARG_template "\|"
SecFilterSelective REQUEST_URI "/contribute\.pl.*\|"

#Alkalay man-cgi "topic" Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/man-cgi\.cgi"
SecFilterSelective ARG_topic "\|"
SecFilterSelective REQUEST_URI "/man-cgi\.cgi.*\|"

#Alkalay notify "from" Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/notify\.cgi" chain
SecFilterSelective ARG_from  "\|"
SecFilterSelective REQUEST_URI "/notify\.cgi.*\|"

#Alkalay nslookup Shell Command Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/nslookup\.cgi" chain
SecFilterSelective ARG_type|ARG_queryARG_ns "\|" 
SecFilterSelective REQUEST_URI "/nslookup\.cgi.*\|"

#Simplog SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/archive\.php" chain
SecFilterSelective ARG_pid|ARG_blogid|ARG_cid|ARG_m "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/blogadmin\.php"  chain
SecFilterSelective ARG_blogid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#vbulletin vulnerabilities, SQL injection
SecFilterSelective REQUEST_URI "/joinrequests\.php" chain
SecFilter "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/user\.php" chain
SecFilter "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/(usertitle|usertools)\.php" chain
SecFilter "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/modcp/announcement\.php" chain
SecFilter "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/admincalendar\.php" chain
SecFilter "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/email\.php" chain
SecFilter "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/help\.php" chain
SecFilter "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "admincp/language\.php" chain
SecFilter "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/admincp/phrase\.php" chain
SecFilter "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#PHP Advanced Transfer Manager Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "/(txt|htm|html|zip)\.php" chain
SecFilterSelective ARG_current_dir|ARG_filename "\.\." 
SecFilterSelective REQUEST_URI "/txt\.php" chain
SecFilterSelective ARG_font|ARG_normalfontcolor|ARG_mess\[31\] "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#phpCommunityCalendar SQJ injection Vulnerabilities
SecFilterSelective REQUEST_URI "/webadmin/login\.php" chain
SecFilterSelective ARG_Username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/week\.php" chain
SecFilterSelective ARG_LocationID "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#MyBulletinBoard SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/misc\.php" chain
SecFilterSelective ARG_fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/newreply\.php" chain
SecFilterSelective ARG_icon "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" 

#WEB//NEWS SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/modules/startup\.php" chain
SecFilterSelective ARG_wn_userpw "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "include_this/news\.php" chain
SecFilterSelective ARG_cat|ARG_id|ARG_stof "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/print\.php" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#PBLang Local File Inclusion and PHP Code Injection
SecFilterSelective REQUEST_URI "/setcookie.php" chain
SecFilterSelective ARG_u "\.\."
SecFilterSelective REQUEST_URI "/ucp\.php" chain
SecFilter "\""

#mimicboard2 Exposure of User Credentials
SecFilterSelective REQUEST_URI "/mimic2\.dat"

#Mall23 eCommerce "idPage" SQL Injection Vulnerability
SecFilterSelective ARG_idPage "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#PHP-Nuke SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/modules\.php" chain
SecFilterSelective ARG_name|ARG_sid|ARG_pid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" 

#Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
SecFilterSelective REQUEST_URI "/s\.pl" chain
SecFilterSelective ARG_l "\.\."

#TWiki "rev" Shell Command Injection Vulnerability
SecFilterSelective REQUEST_URI "/TWikiUsers" chain
SecFilterSelective ARG_rev "![0-9]+"
SecFilterSelective REQUEST_URI "/TWikiUsers\?rev=.*(\'|\|)"

#DeluxeBB SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/topic\.php\?tid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/misc\.php\?sub=profile&uid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/forums\.php\?fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/pm\.php\?sub=newpm&uid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/newpost\.php\]?sub=newthread&fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#Noah's Classified SQL Injection and Cross-Site Scripting
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_rollid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"

#AzDGDatingLite "l" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/include/security\.inc\.php" chain
SecFilterSelective ARG_l "(\.\.|/)"

#ATutor Password Reminder SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/password_reminder\.php" chain
SecFilter "email.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/password_reminder\.php.*form_email=.+UNION\s+SELECT"

#Digital Scribe "username" SQL Injection
SecFilterSelective REQUEST_URI "/login\.php" chain
SecFilterSelective ARG_username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#aeDating "Country[]" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/search_result.php" chain
SecFilterSelective ARG_Country\[\] "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#NooToplist "o" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_o "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"

#phpWebSite SQL-injection 
SecFilterSelective REQUEST_URI "/index\.php\?module=\x27\+union\+select\+username\,password\+from\+mod_users\+where\+username="

#HP-Nuke <=7.8 SQL injection exploit
SecFilterSelective REQUEST_URI "/modules\.php" chain
SecFilter "name=.*\'.*UNION.*SELECT.*FROM.*users.*WHERE.*user_id=.*AND"

#My Little Forum 1. SQL injection
SecFilterSelective REQUEST_URI "/search\.php\?search.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw).*&ao=phrase"

#Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "pages/forum/submit.html" chain
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\[include\])"

#Ikonboard "st" and "keywords" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/ikonboard\.cgi" chain
SecFilterSelective ARG_st|ARG_keywords "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#ikonboard arbitary file access
SecFilterSelective REQUEST_URI "/help\.cgi\?helpon=\.\./"

#Ikonboard remote file includion
SecFilterSelective REQUEST_URI "/register\.cgi" chain
SecFilter "(http|https|ftp)\:/"

#IkonBoard 3.1.1/3.1.2a arbitrary command execution
SecFilterSelective REQUEST_URI "/ikonboard\.cgi" chain
SecFilterSelective COOKIE_lang "\|"

#phpMyFAQ vulns
SecFilterSelective REQUEST_URI "/index\.php\?LANGCODE=/\.\."
SecFilterSelective REQUEST_URI "/admin/password\.php" chain
SecFilter "(user\: \' or isnull\(1/0\)|mail\:)"
SecFilterSelective REQUEST_URI "/footer\.php\?PMF_CONF\[version\].*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/admin/header\.php\?PMF_LANG\[metaLanguage\].*(\"|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"

#Riverdark RSS Syndicator XSS attack
SecFilterSelective REQUEST_URI "/rss\.php\?(forum|topic).*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#ContentServ "ctsWebsite" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/admin/about\.php" chain
SecFilterSelective ARG_ctsWebsite "\.\."

#AlstraSoft E-Friends "mode" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_mode "(\.\.|/|(http|https|ftp)\:/)"

#SEO-Board SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/(admin|index)\.php" chain
SecFilterSelective ARG_user_pass_sha1 "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#CJ LinkOut "123" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/top\.php" chain
SecFilterSelective ARG_123 "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#jPortal Download Search SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/download\.php" chain
SecFilterSelective ARG_word "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#CJ Tag Board Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/details\.php" chain
SecFilterSelective ARG_date|ARG_time|ARG_name|ARG_ip|ARG_agent "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/display\.php" chain
SecFilterSelective ARG_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#CJ Web2Mail Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/thankyou\.php" chain
SecFilterSelective ARG_message|ARG_ip|ARG_name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/web2mail\.php" chain
SecFilterSelective ARG_emsg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#postnuke Local file inclusion via GeSHi library
SecFilterSelective REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"

#TWiki "%INCLUDE" Shell Command Injection Vulnerability
SecFilterSelective THE_REQUEST "INCLUDE.*rev=.*\|.*\}"

#Barracuda Anti-spam firewall IMG.PL Remote Command Execution
SecFilterSelective REQUEST_URI "/img\.pl\?f=(\x2e\x2e|\;|\.\.|qq\#|\|)"

#PHP-Fusion "msg_send" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/messages\.php" chain
SecFilterSelective ARG_msg_send "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT user_password FROM fusion_users WHERE user_name|\')"

#SquirrelMail Address Add Plugin "first" Cross-Site Scripting
SecFilterSelective REQUEST_URI "/add\.php" chain
SecFilterSelective ARG_first "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php\?forumid.*=(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "/upgrade_album\.php\?GALLERY_BASEDIR=(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "/index\.php\?page=\|"

#MediaWiki Cross-Site Scripting Vulnerabilities
SecFilterSelective THE_REQUEST "\<(math|nowiki)\.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#honeypot
SecFilterSelective REQUEST_URI "/modules\.php\?op=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/modules\.php\?op=.*&name=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/modules\.php\?op=.*&name=.*file=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/modules\.php\?op=.*&name=.*file=.*sid=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/view\.php\?cat=.*(http|https|ftp)\:/"

#PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/photogallery\.php" chain
SecFilterSelective ARG_album|ARG_photo "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#honeypot
SecFilterSelective REQUEST_URI "/forumpollrenderer\.php\?bbPath\[.*\]=(http|https|ftp)\:/"

#phorum spam rules
SecFilterSelective ARG_PHORUM_CONFIG "(@|(http|https|ftp)\:/)"

#osCommerce "products_id" Additional Images Module SQL Injection
SecFilterSelective REQUEST_URI "/product_info\.php" chain
SecFilterSelective ARG_products_id  "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#PHP-Fusion SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/register\.php" chain
SecFilterSelective ARG_activate "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/faq\.php" chain
SecFilterSelective ARG_cat_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#Utopia News Pro 1.1.3 SQL injection
SecFilterSelective REQUEST_URI "/news\.php\?action=.*&newsid=" chain
SecFilter "(UNION.*SELECT.*username,password,null,email,null|(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,])"
SecFilterSelective REQUEST_URI "/news\.php" chain
SecFilterSelective ARG_newsid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION.*SELECT.*username,password,null,email,null)"

#wormsign
SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"

#Utopia News Pro Cross-Site Scripting
SecFilterSelective REQUEST_URI "/header\.php" chain
SecFilterSelective ARG_sitetitle "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/footer\.php" chain
SecFilterSelective ARG_query_count|ARG_version "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#phpMyAdmin "subform" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilterSelective ARG_subform "(/|\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilter "usesubform.*=.*&usesubform.*=.*&subform.*(/|\.\.|(http|https|ftp)\:/)"


#Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/newmsg\.php" chain
SecFilterSelective ARG_fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/lostpwd\.php" chain
SecFilterSelective ARG_email|ARG_nick  "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/include/footer\.php" chain
SecFilterSelective ARG_t_login "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"

#versatileBulletinBoard 1.00 RC2 sql injection
SecFilterSelective REQUEST_URI "/userlistpre\.php\?list=\'"

#honeypot
SecFilterSelective REQUEST_URI "/BlogModel\.php\?path=(http|https|ftp)\:/"

#YaPiG Multiple Vulnerabilities
SecFilterSelective ARG_Website "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/view\.php" chain
SecFilterSelective ARG_img_size "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective ARG_title "<.*php .*php*\>"

#honeypot
SecFilterSelective REQUEST_URI "/guest\.php\?name=.*web=.*homepage=.*home=&phone="

#W-Agora Remote commands execution
SecFilterSelective REQUEST_URI "extras/quicklist\.php\?fake.*(<\?|\;system)"
SecFilterSelective REQUEST_URI "avatars/suntzu\.php\?suntzu="
SecFilterSelective REQUEST_URI "extras/quicklist\.php\?suntzu="
SecFilterSelective REQUEST_URI "/browse_avatar\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"

#PHPBB remote command execution SQL injection step
SecFilterSelective REQUEST_URI "/admin_db_utilities\.php\?sid=.*(ALTER TABLE.*VARCHAR.*NOT NULL|DELETE FROM.*WHERE style_name=|SELECT .*passthru.*FROM.*users LIMIT 1 INTO OUTFILE)"
SecFilterSelective REQUEST_URI "/theme_info\.cfg"

#honeypot
SecFilterSelective REQUEST_URI "/item\.php\?pathtoroot=(http|https|ftp)\:/"

#PunBB "old_searches" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/search\.php" chain
SecFilterSelective ARG_old_searches "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#W-Agora Local File Inclusion
SecFilterSelective REQUEST_URI "/extras/quicklist\.php" chain
SecFilterSelective ARG_site "(/|\.\./\.\.)"

#Gallery "g2_itemId" Disclosure of Sensitive Information
SecFilterSelective REQUEST_URI "/main\.php" chain
SecFilterSelective ARG_g2_itemId "(/|\.\./\.\.)"

#e107 0.617 resetcore.php SQL Injection
SecFilterSelective REQUEST_URI "/resetcore\.php" chain
SecFilter "(\'or isnull|siteadmin=suntzu&siteadminemail=fakefakefake@suntzu\.com|a_password=d41d8cd98f00b204e9800998ecf8427e)"

#e107 "a_name" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/resetcore\.php" chain
SecFilterSelective ARG_a_name "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"

#honeypot
SecFilterSelective REQUEST_URI "/main\.php\?x=(http|https|ftp)\:/"

# MySource PEAR_PATH Remote File Inclusion
SecFilterSelective REQUEST_URI "/(socket|span|request|mimeDecode|mime|mail|date)\.php" chain
SecFilterSelective ARG_PEAR_PATH "(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/new_upgrade_functions\.php" chain
SecFilterSelective ARG_INCLUDE_PATH|ARG_SQUIZLIB_PATH "(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/init_mysource\.php" chain
SecFilterSelective ARG_INCLUDE_PATH "(http|https|ftp)\:/"

#MySource XSS
SecFilterSelective REQUEST_URI "/upgrade_in_progress_backend.php?target_url=\">"
SecFilterSelective REQUEST_URI "/insert_table\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/edit_table_cell_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/header\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/edit_table_row_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/edit_table_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/edit_table_cell_type_wysiwyg.php?stylesheet=\">"

#Chipmunk Topsites "ID" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/recommend\.php" chain
SecFilterSelective ARG_ID|ARG_entryID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Chipmunk Forum "forumID" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/(newtopic|quote|index|reply)\.php" chain
SecFilterSelective ARG_ForumID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP-Nuke NukeFixes Addon "file" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/modules\.php" chain
SecFilterSelective ARG_files "\.\./"

#ManageEngine NetFlow Analyzer "grDisp" Cross-Site Scripting
SecFilterSelective REQUEST_URI "/index\.jsp" chain
SecFilterSelective ARG_grDisp "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#IBM Lotus Domino XSS attempts
SecFilterSelective REQUEST_URI "OpenForm.*/BaseTarget=.*\""
SecFilterSelective REQUEST_URI "OpenFrameSet.*/src=.*\"><\/FRAMESET>.*<script>.*<\/script>"

#HP OpenView Network Node Manager Remote Command Execution Attempt
SecFilterSelective REQUEST_URI "/OvCgi/connectedNodes\.ovpl\?" chain
SecFilter "node=.*\|.+\|"

#
SecFilterSelective REQUEST_URI "/chat\.php" chain
SecFilterSelective ARG_Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"

#Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "detail\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
SecFilterSelective REQUEST_URI "/(get|index)\.php" chain
SecFilterSelective ARG_catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"

#Basic Analysis and Security Engine SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/base_qry_main\.php\?new=.*&sig\[.*\]=\x3D&sig\[.*\]=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"

#TClanPortal "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
SecFilterSelective REQUEST_URI "/index\.php\?action=.*id.*UNION.*SELECT.*id="

#SaphpLesson "forumid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/(showcat|add)\.php" chain
SecFilterSelective ARG_forumid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"

#PHP-Nuke SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION SELECT)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Web_Links&d_op=.*title=.*description.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#PHP-Fusion "news_body" Script Insertion Vulnerability
SecFilterSelective REQUEST_URI "/submit\.php" chain
SecFilterSelective ARG_news_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#FlatNuke Cross-Site Scripting and Disclosure of Sensitive Information
SecFilterSelective REQUEST_URI "/index\.php\?op=profile&user=\.\./"
SecFilterSelective REQUEST_URI "/index\.php\?op=newtopic&mode=ris&quale=\.\./.*&page="
SecFilterSelective REQUEST_URI "/index\.php\?op=.*&(user|nome|from)=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Mantis File Inclusion
SecFilterSelective REQUEST_URI "/bug_sponsorship_list_view_inc\.php\?t_core_path.*((http|https|ftp)\:/|\.\.)"

#PHP iCalendar File Inclusion Vulnerability and XSS
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_phpicalendar "((http|https|ftp)\:/|\.\.)"
SecFilterSelective REQUEST_URI "phpicalendar=.*cookie_view.*(http|https)\:/"

#RSA ACE/Agent for Web "image" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/webauthentication\?GetPic\?image.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_cache\.php\?url=\.\./\.\."

#Woltlab Burning Board Database Module SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/info_db\.php" chain
SecFilterSelective ARG_fileid|ARG_subkatid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#gCards "limit" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/news\.php" chain
SecFilterSelective ARG_limit "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ATutor Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "/forum\.inc\.php\?addslashes.*(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)&(asc|desc)="
SecFilterSelective REQUEST_URI "/(body_header\.inc|print)\.php\?section.*(/|\.\.)"
SecFilterSelective REQUEST_URI "admin/translate\.php" chain
SecFilterSelective ARG__base_href "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "include/html/editor_tabs/news\.inc\.php" chain
SecFilterSelective ARG__base_path "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "documentation/add_note\.php" chain
SecFilterSelective ARG_p "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP config recon attack
SecFilterSelective REQUEST_URI "/php\.ini$"

#saphp Lesson add.php forumid Variable SQL Injection
SecFilterSelective REQUEST_URI "/(showcat|add)\.php\?forumid.*(UNION.*SELECT|\|)"

# SaveWebPortal menu_dx.php and menu_sx.php Multiple Variable XSS
SecFilterSelective REQUEST_URI "/menu_dx\.ph" chain
SecFilterSelective ARG_L_InsertCorrectly|ARG_L_MENUDX_Login|ARG_L_MENUDX_Username|ARG_L_MENUDX_Password|ARG_L_Ok|ARG_IMAGES_Url|ARG_L_MENUDX_Registration|ARG_BANNER_Url|ARG_L_MENUSX_Newsletter|ARG_L_MENUDX_InsertEMail "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/menu_sx\.php" chain
SecFilterSelective ARG_L_InsertNOK3Char|ARG_L_MENUSX_Channels|ARG_L_MENUSX_Home|ARG_L_MENUSX_Archive|ARG_L_Search|ARG_L_Ok|ARG_IMAGES_Url|ARG_L_MENUSX_Services|ARG_L_MENUSX_Links|ARG_L_MENUSX_Newsletter|ARG_L_MENUSX_Polls|ARG_L_MENUSX_ECards|ARG_L_MENUSX_Downloads|ARG_L_MENUSX_Community|ARG_L_MENUSX_Forum|ARG_L_MENUSX_Chat|ARG_L_MENUSX_Nicknames|ARG_L_MENUSX_Membership|ARG_L_MENUSX_Login|ARG_L_MENUSX_UserProfile|ARG_L_MENUSX_PasswordForgot|ARG_L_MENUSX_Logout|ARG_L_MENUSX_Contacts|ARG_L_MENUSX_Guestbook|ARG_L_MENUSX_ContactUs "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#phpbb xss, sql injection and PHP code injection
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective ARG_signature_bbcode_uid "(<.*php|<php)"

#honeypot
SecFilterSelective REQUEST_URI "index\.php?x=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/classes\.php\?LOCAL_PATH=(http|https|ftp)\:/"

#News2Net "category" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#eyeOS Script Insertion and Exposure of User Credentials
SecFilterSelective REQUEST_URI "desktop\.php" chain
SecFilterSelective ARG_motd "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/usrinfo\.xml"

#Invision Gallery "st" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#oaboard SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "forum\.php" chain
SecFilterSelective ARG_channel|ARG_topic "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#honeypot
SecFilterSelective REQUEST_URI "/main\.php\?\*=(http|https|ftp)\:/"

#CuteNews "template" Local File Inclusion and remote code execution Vulnerabilities
SecFilterSelective REQUEST_URI "/show_archives\.php" chain
SecFilterSelective ARG_template "(/|\.\.)"
#cutenews shell injection vuln
SecFilterSelective REQUEST_URI "/inc/ipban\.mdu" chain
SecFilterSelective ARG_add_ip "(php|system)"
SecFilterSelective REQUEST_URI "/ipban\.db\.php\?cmd="


#phpWebThings "forum" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/forum\.php" chain
SecFilterSelective ARG_forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#PHP Handicapper Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "/msg\.php" chain
SecFilterSelective ARG_msg  "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/process_signup\.php" chain
SecFilterSelective ARG_login  "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/process_signup\.php" chain
SecFilterSelective ARG_serviceid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Simple PHP Blog Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI  "/preview(_cgi|_static_cgi)\.php" chain
SecFilterSelective ARG_entry  "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI  "preview_cgi\.php" chain
SecFilterSelective ARG_blog_subject|ARG_blog_text   "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI  "/preview_static_cgi\.php" chain
SecFilterSelective ARG_blog_subject|ARG_blog_text|ARG_file_name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI  "/colors_cgi\.php"  chain
SecFilterSelective ARG_scheme_name|ARG_bg_color "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#honeypot
SecFilterSelective REQUEST_URI  "tiki-pagehistory\.php\?page=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "/uniq_login\.php\?login.*(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "/viewtopic\.php\?t=.*&highlight=\'"

#sumthin scan
SecFilterSelective REQUEST_URI  "/sumthin"

#PHPKIT XSS Vulnerability
SecFilterSelective REQUEST_URI  "admin/admin\.php" chain
SecFilterSelective ARG_site_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#toendaCMS Disclosure of Sensitive Information
SecFilterSelective REQUEST_URI  "/admin\.php" chain
SecFilterSelective ARG_id_user "(\.\.|/|(http|https|ftp)\:/)"

#Phorum "forum_ids[]" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/search\.php" chain
SecFilter "forums_ids.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Tonio Gallery "galid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/showgallery\.php" chain
SecFilterSelective ARG_galid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ibProArcade Module "user" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#XMB "username" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI  "/u2u\.php" chain
SecFilterSelective ARG_username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#tikiwiki XSS
SecFilterSelective REQUEST_URI  "/tiki-view_forum_thread\.php" chain
SecFilterSelective ARG_topics_sort_mode|ARG_topics_offset "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

#Tikiwiki tiki-user_preferences Command Injection Vulnerability
SecFilterSelective REQUEST_URI  "/tiki-user_preferences\.php" chain
SecFilterSelective ARG_language "(/|\.\.)"

#Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability
SecFilterSelective REQUEST_URI  "/tiki-editpage\.php" chain
SecFilterSelective ARG_suck_url "(/|\.\.)"

#phpAdsNew SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/logout\.php" chain
SecFilterSelective ARG_sessiodID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Moodle "datalib.php" Remote SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/(datalib|category|info)\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/plot\.php" chain
SecFilterSelective ARG_user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#honeypot
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_Config_absolute_path|ARG_configFile "(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "/error\.php\?dir=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "/common\.php\?pun_root=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "tiki-wiki_rss\.php\?ver=.*(http|https|ftp)\:/"

#Winmail Server Multiple Vulnerabilities
SecFilterSelective REQUEST_URI  "admin/main\.php" chain
SecFilterSelective ARG_sid "\.\./\.\."
SecFilterSelective REQUEST_URI  "badlogin\.php" chain
SecFilterSelective ARG_retid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

#Pearl Forums SQL Injection and Local File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI  "index\.php" chain
SecFilterSelective ARG_forumsid|ARG_topicid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "index\.php" chain
SecFilterSelective ARG_mode "(\.\./\.\.|/)"

#Peel "rubid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "index\.php" chain
SecFilterSelective ARG_rubid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#CodeGrrl Products "siteurl" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "protection\.php" chain
SecFilterSelective ARG_siteurl "(\.\./\.\.|/|(http|https|ftp)\:/)"

#Wizz Forum Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "ForumauthDetails\.php" chain
SecFilterSelective ARG_AuthID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI  "ForumTopicDetails\.php" chain
SecFilterSelective ARG_TopicID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#iCMS "page" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "ForumauthDetails\.php" chain
SecFilterSelective ARG_page "(\.\./\.\.|/|(http|https|ftp)\:/)"

#Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "editor_registry\.php" chain
SecFilter "xoopsConfig\[language\].*(\.\./\.\.|/|(http|https|ftp)\:/)"

#PollVote "pollname" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "pollvote\.php" chain
SecFilterSelective ARG_pollname "(\.\./\.\.|/|(http|https|ftp)\:/)"

#Xoops WF-Downloads Module "list" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "viewcat\.php" chain
SecFilterSelective ARG_list "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#phpwcms Disclosure of Sensitive Information and Cross-Site Scripting
SecFilterSelective REQUEST_URI  "login\.php" chain
SecFilterSelective ARG_form_lang "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI  "random_image\.php" chain
SecFilterSelective ARG_imgdir "\.\./\.\."

#OnContent // CMS "pid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "index\.php" chain
SecFilterSelective ARG_pid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Mambo "register_globals" Emulation Layer Overwrite Vulnerability
#Mambo <= 4.5.2 Globals overwrite / remote commands execution
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "id:390075,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/" "id:390076,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"


#Arki-DB "catid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "index\.php" chain
SecFilterSelective ARG_catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#EkinBoard 1.0.3 config.php SQL Injection through cookie
SecFilterSelective COOKIE_username "or isnull\(1"
SecFilterSelective REQUEST_URI  "&activate=1&allow_attch=1&attch_exts=.*php&.*attch_max_size="
SecFilterSelective REQUEST_URI  "attachments/suntzu.*\?cmd="

#HPWebThings 1.4 "msg" and "forum" SQL injection
SecFilterSelective REQUEST_URI  "forum\.php\?act=.*&msg.*UNION.*SELECT.*(name|password|outfile).*forum="
SecFilterSelective REQUEST_URI  "forum\.php\?forum=.*UNION.*SELECT.*(name|password|outfile)"
SecFilterSelective REQUEST_URI  "forum\.php\?act=.*&forum.*UNION.*SELECT.*ORD"

#phpnuke query sql injection
SecFilterSelective REQUEST_URI  "modules\.php" chain
SecFilterSelective ARG_query "(\'|UNION.*SELECT)"

#Cyphor Forum SQL Injection Exploit
SecFilterSelective REQUEST_URI  "show\.php" chain
SecFilterSelective ARG_id|ARG_fid "(\'|UNION.*SELECT)"

#OTRS vulnerabilities, SQL injection and XSS
SecFilterSelective REQUEST_URI  "/index\.pl\?Action=(Login&User|AgentTicketPlain&(ArticleID|TicketID))=.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/index\.pl\?(QueueID|Action)=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Omnistar Live SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/kb\.php" chain
SecFilterSelective ARG_id|ARG_category_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Ezyhelpdesk Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/\?mid=.*&m2id=.*page=.*(faq_id|c_id).*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/\?edit=spec_view&edit_id.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#1-2-3 Music Store "AlbumID" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/process\.php" chain
SecFilterSelective ARG_AlbumID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#PHP Labs Top Auction SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/viewcat\.php" chain
SecFilterSelective ARG_category|ARG_type "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#PHP Labs Survey Wizard "sid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/survey\.php" chain
SecFilterSelective ARG_sid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#AFFCommerce Shopping Cart Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/subcategory\.php" chain
SecFilterSelective ARG_cl "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/(iteminfo|itemreview)\.php" chain
SecFilterSelective ARG_item_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#WSN Forum "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/memberlist\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Tunez SQL Injection and Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI  "/songinfo\.php" chain
SecFilterSelective ARG_songid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/search\.php" chain
SecFilterSelective ARG_searchfor "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

# PmWiki 2.0.12 Cross Site Scripting
SecFilterSelective REQUEST_URI  "/Search\?action=search.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP-Post Cross-Site Scripting
SecFilterSelective REQUEST_URI  "/(profile|mail)\.php" chain
SecFilterSelective ARG_user "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#CommodityRentals "user_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/usersession" chain
SecFilterSelective ARG_userid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Joomla! mod_poll SQL Injection
SecFilterSelective REQUEST_URI  "/mod_poll" chain
SecFilterSelective ARG_itemid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Advanced Poll "popup.php" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI  "/popup\.php" chain
SecFilterSelective ARG_poll_ident "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP-Fusion SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/options\.php" chain
SecFilterSelective ARG_forum_id|ARG_thread_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/(viewforum|index)\.php" chain
SecFilterSelective ARG_lastvisted "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#phpComasy "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#honeypot
SecFilterSelective REQUEST_URI  "_head\.php\?_zb_path=(http|https|ftp)\:/"

#vTiger code inclusion attack
SecFilterSelective REQUEST_URI  "/vtigercrm\.log"

#Comdev Vote Caster "campaign_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_campaign_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Softbiz Web Host Directory Script SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/(search_result|browsecats)\.php" chain
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/review\.php" chain
SecFilterSelective ARG_sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/email\.php" chain
SecFilterSelective ARG_h_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Nicecoder iDesk "cat_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/faq\.php" chain
SecFilterSelective ARG_cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#IsolSoft Support Center SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/search\.php" chain
SecFilterSelective ARG_field|ARG_lorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#AgileBill "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/\?_page=product_cat\:t_" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_page "(\.\./\.\.|/(etc|tmp|var)|(http|https|ftp)\:/)"

#sNews "index.php" SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_id|ARG_category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Online Work Order Suite Lite Edition SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/search\.php" chain
SecFilterSelective ARG_keyword "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#phpWordPress SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_poll|ARG_category|ARG_ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Pdjk-support Suite Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_news_id|ARG_faq_id|ARG_rowstart "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

# freeForum 1.x "cat" and "thread" SQL inj.
SecFilterSelective REQUEST_URI  "/forum\.php" chain
SecFilterSelective ARG_cat|ARG_thread "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ActiveCampaign KnowledgeBuilder SQL Injection
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_article "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Helpdesk Issue Manager SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/issue\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/find\.php" chain
SecFilterSelective ARG_orderdir|ARG_orderby "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/find\.php" chain
SecFilterSelective REQUEST_URI "detail\[\].*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Q-News "id" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "/q-news\.php" chain
SecFilterSelective ARG_id "(\.\./\.\.|/|(http|https|ftp)\:/)"

#ADC2000 NG Pro "cat" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/adcbrowres\.php" chain
SecFilterSelective ARG_cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Enterprise Connector "messageid" SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/send\.php" chain
SecFilterSelective ARG_messageid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Softbiz Resource Repository Script SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/showcats\.php" chain
SecFilterSelective ARG_sbcat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/(details_res|refer_friend|report_link)\.php" chain
SecFilterSelective ARG_sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#PHP Doc System Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_show "(\.\./\.\.|/)"

#Netzbrett "p_entry" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_pentry "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ShockBoard "offset" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/topic\.php" chain
SecFilterSelective ARG_offset "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#K-Search SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_id|ARG_stat|ARG_source "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#AllWeb Search "search" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_search "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Simple Document Management System SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/message\.php" chain
SecFilterSelective ARG_mid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/list\.php" chain
SecFilterSelective ARG_folder_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

# edmoBBS SQL inj. vuln.
SecFilterSelective REQUEST_URI  "/edmobbs9r\.php" chain
SecFilterSelective ARG_table|ARG_messageID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Joels Bulletin Board SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/topiczeigen\.php" chain
SecFilterSelective ARG_nr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/(showforum|newtopic)\.php" chain
SecFilterSelective ARG_forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/showforum\.php" chain
SecFilterSelective ARG_zeigeseite "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/neuerbeitrag\.php" chain
SecFilterSelective ARG_tidnr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#UGroup Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/forum\.php" chain
SecFilterSelective ARG_FORUM_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/topic\.php" chain
SecFilterSelective ARG_TOPIC_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Fantastic News "category" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/news\.php" chain
SecFilterSelective ARG_category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#ClientExec Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_billshowid|ARG_billdetailid|ARG_frmClientID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Entergal MX SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_idcat|ARG_action "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI  "/error\.php" chain
SecFilterSelective REQUEST_URI  "_SERVER\[REMOTE_ADDR\].*(php|system\()"
SecFilterSelective REQUEST_URI  "/editorTypetool\.php" chain
SecFilterSelective ARG_meskin "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI  "/(archbatch|nwlmail)\.php" chain
SecFilterSelective ARG_lng "(\.\./\.\.|/|(http|https|ftp)\:/)"

#DMANews Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_id|ARG_sortorder|ARG_display_num "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#BosDates SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/calendar\.php" chain
SecFilterSelective ARG_year|ARG_category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#Post Affiliate Pro "sortorder" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#BedengPSP Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/(index|download)\.php" chain
SecFilterSelective ARG_cwhere "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/baca\.php" chain
SecFilterSelective ARG_ckode "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#randshop SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_kategorieid|ARG_katid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#SourceWell "cnt" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_cnt "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#phpGreetz Include File Bug
SecFilterSelective REQUEST_URI  "/content\.php" chain
SecFilterSelective ARG_content "(\.\./\.\.|/|(http|https|ftp)\:/)"

#Athena Include File Bug
SecFilterSelective REQUEST_URI  "/athena\.php" chain
SecFilterSelective ARG_athena_dir "(\.\./\.\.|/|(http|https|ftp)\:/)"

#Athena Include File Bug vulns
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_module "\.\./"
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective REQUEST_URI "Users\&Action.*templatename.*/"
SecFilterSelective REQUEST_URI "/index\.php\?module=uploads&action=add2db" chain
SecFilterSelective REQUEST_URI|POST_PAYLOAD  "\.php"

#Fake gif file shell attacvk
SecFilterSelective HTTP_Content-Type "image/gif"
SecFilterSelective POST_PAYLOAD "chr\("

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#Post Affiliate Pro "sortorder" Remote SQL Injection and Arbitrary File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_md "(\.\./\.\.|/)"
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"

#EkinBoard 1.0.3 (config.php) SQL Injection / Command Execution
SecFilterSelective REQUEST_URI  "/(index|viewforum|newtopic)\.php" chain
SecFilterSelective COOKIE_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI  "/newtopic\.php" chain
SecFilterSelective HTTP_Content-Disposition "topic_title" chain
SecFilterSelective POST_PAYLOAD "php.*system\("

#Unclassified NewsBoard 1.5.3 patch level 3 "Datefrom" blind SQL injection
SecFilterSelective REQUEST_URI  "/forum\.php" chain
SecFilterSelective ARG_DateFrom "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PHPNuke <= 7.8 sql injection
SecFilterSelective REQUEST_URI  "/forum\.php" chain
SecFilterSelective ARG_query "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Moodle <= 1.6dev get record()  SQL injection
SecFilterSelective REQUEST_URI  "/plot\.php" chain
SecFilterSelective ARG_user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI  "/info\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#interesting new pattern
SecFilterSelective REQUEST_URI  "/ThisFileMustNotExist"

#honeypot
SecFilterSelective REQUEST_URI  "/tiki-backlinks\.php\?page=(http|https|ftp)\:/"

# SocketKB 1.1.x file include Vuln
SecFilterSelective REQUEST_URI "\?__f=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\?__f=rating_add&"
SecFilterSelective ARG_art_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "\?__f=category&"
SecFilterSelective ARG_node "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Xaraya "module" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_module "(\.\./\.\.|/)"

#N-13 News "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI  "/index\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Softbiz B2B Trading Marketplace Script "cid" SQL Injection
SecFilterSelective REQUEST_URI  "/(selloffers|buyoffers|products|profiles)\.php" chain
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

# WEB-MISC mod_gzip_status access
SecFilterSelective REQUEST_URI "/mod_gzip_status" log,pass

#honeypot
SecFilterSelective REQUEST_URI "/index\.php\?main=/"

#PHP Fusion CMS SQL injection Vulnerabilities
SecFilterSelective REQUEST_URI "/viewforum\.php\?" chain
SecFilterSelective ARG_lastvisited "\'"

#Saxon XSLT command execution attacks
SecFilterSelective THE_REQUEST "xsl\:value-of select=\"run\:exec\("
SecFilterSelective THE_REQUEST "xsl.*run\:getRuntime\(\)\, \'\""

#Lore Article.PHP SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/article\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#honeypoy
SecFilterSelective REQUEST_URI "/imageviewer\.php\?filename="

#PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
SecFilterSelective REQUEST_URI "/admin/" chain 
SecFilterSelective ARG_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM|or user_id=2)"
SecFilterSelective REQUEST_URI "files/.*\.php\.menu\?cmd="

#NetClassifieds Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/(ViewCat|gallery)\.php" chain
SecFilterSelective ARG_Catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/ViewItem\.php" chain
SecFilterSelective ARG_ItemNum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration
SecFilterSelective REQUEST_URI "/relocate_server\.php"

#WebCalendar HTTP Response Splitting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/edit_report_handler\.php" chain
SecFilterSelective ARG_time_range "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/layers_toggle\.php" chain
SecFilterSelective ARG_ret "HTTP"

#Instant Photo Gallery SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/portfolio\.php" chain
SecFilterSelective ARG_cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/content\.php" chain
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Lore "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/article\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#DotClear "dc_xd" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/session\.php" chain
SecFilterSelective COOKIE_cd_xd "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#DotClear "dc_xd" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_x "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#O-Kiraku Nikki "day_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/nikki\.php" chain
SecFilterSelective ARG_day_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

# AltantisFAQ SQL inj. vuln.
SecFilterSelective REQUEST_URI "/search\.php" chain
SecFilterSelective ARG_searchStr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#FAQRing "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/answer\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#WSN Knowledge Base SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_catid|ARG_perpage|ARG_ascdesc|ARG_orderlinks "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/(comments|memberlist)\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Softbiz FAQ Script SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/(faq_qanda|refer_friend|print_article|add_comment)\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#OmniStar KBase SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/comments\.php" chain
SecFilterSelective ARG_article_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/kb\.php" chain
SecFilterSelective ARG_category_id|ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#FAQ System SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/viewFAQ\.php" chain
SecFilterSelective ARG_FAQ_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_CATEGORY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#KBase Express SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/category\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Orca Knowledgebase "qid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/knowledgebase\.php" chain
SecFilterSelective ARG_qid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Survey System "SURVEY_ID" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/survey\.php" chain
SecFilterSelective ARG_SURVEY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Orca Blog SQL inj. vuln.
SecFilterSelective REQUEST_URI "/blog\?msg=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Orca Ringmaker "start" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/ringmaker\.php" chain
SecFilterSelective ARG_start "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#ltwCalendar "id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/calendar\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Nephp Publisher SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.html" chain
SecFilterSelective ARG_id|ARG_nnet_catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Zainu SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_start|ARG_term "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Babe Logger "gal" and "id" SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_gal "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/comments\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Zen Cart Input Validation Hole in 'password_forgotten.php' sql injection
SecFilterSelective REQUEST_URI "admin/password_forgotten\.php" chain
SecFilterSelective ARG_admin_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"

#Sugar Suite "beanFiles[1]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "acceptDecline\.php" chain
SecFilterSelective REQUEST_URI "beanFiles\[1\].*(http|https|ftp)\:/"

#phpMyAdmin register_globals Emulation "import_blacklist" Manipulation
SecFilterSelective REQUEST_URI "/grab_globals\.php" chain
SecFilterSelective ARG_import_blacklist "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"

#Magic Forum Personal Cross-Site Scripting and SQL Injection
SecFilterSelective REQUEST_URI "/view_forum\.cfm" chain
SecFilterSelective ARG_ForumID|ARG_Thread|ARG_ThreadID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
SecFilterSelective REQUEST_URI "/search_forums\.cfm" chain
SecFilterSelective ARG_Words "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Magic List Pro "ListID" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/view_archive\.cfm" chain
SecFilterSelective ARG_ListID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"

#CF_Nuke Directory Traversal and Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.cfm" chain
SecFilterSelective ARG_sector|ARG_page "\.cfm"

#phpForumPro SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_parent|ARG_day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Cars Portal SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_page|ARG_car "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PluggedOut Blog "index.php" SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_categoryid|ARG_entryid|ARG_year|ARG_month|ARG_day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PluggedOut Nexus SQL Injection and Cross-Site Scripting
SecFilterSelective REQUEST_URI "/search\.php" chain
SecFilterSelective ARG_firstname|ARG_lastname|ARG_location "(((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
SecFilterSelective REQUEST_URI "/search_forums\.cfm" chain
SecFilterSelective ARG_Words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390083,rev:1,severity:2,msg:'JITP: tikiwiki XSS Vulnerability'"
SecFilterSelective ARG_comments_parentId|ARG_forumId|ARG_topics_offset "(<+(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: tikiwiki Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_comments_parentId|ARG_forumId|ARG_topics_offset "(ht|f)tps?\:/" 

#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#phpMyAdmin Cross-Site Scripting Vulnerabilities
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

#Web4Future eCommerce Products SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/view\.php" chain
SecFilterSelective ARG_prod|ARG_brid  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/viewbrands\.php" chain
SecFilterSelective ARG_bid  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_grp|ARG_cat  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#DoceboLMS Information Disclosure 
SecFilterSelective REQUEST_URI "/connector\.php" chain
SecFilterSelective ARG_Type  "\.\."

#Web4Future Affiliate Manager Pro "pid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/functions\.php" chain
SecFilterSelective ARG_pid  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PHP-addressbook "view.php" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/view\.php" chain
SecFilterSelective ARG_id  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Blog System SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/blog\.php" chain
SecFilterSelective ARG_note  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_cat  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Multiple vendor vulnerability
#Amazon Search Directory "search.cgi" Cross-Site Scripting
#Warm Links "search.cgi" Cross-Site Scripting Vulnerability
#Hot Links SQL "search.cgi" Cross-Site Scripting Vulnerability
#Hot Links Pro "search.cgi" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/search\.cgi" chain
SecFilterSelective ARG_search "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#1-Search "1search.cgi" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/1search\.cgi" chain
SecFilterSelective ARG_q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#Easy Search System "search.cgi" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/search\.cgi" chain
SecFilterSelective ARG_q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#phpYellow SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/search_result\.php" chain
SecFilterSelective ARG_haystack  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/print_me\.php" chain
SecFilterSelective ARG_ckey  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Relative Real Estate Systems "mls" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_mls  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#LandShop SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/ls\.php" chain
SecFilterSelective ARG_search_order|ARG_search_type|ARG_search_area|ARG_keyword  "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Widget Imprint "product_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/create\.php" chain
SecFilterSelective ARG_product_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Widget Property SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/property\.php" chain
SecFilterSelective ARG_property_id|ARG_zip_code|ARG_property_type_id|ARG_price|ARG_city_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Web4Future Portal Solutions Information Disclosure and SQL Injection
SecFilterSelective REQUEST_URI "/comentarii\.php" chain
SecFilterSelective ARG_idp "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/archiva\.php" chain
SecFilterSelective ARG_dir  "\.\."

#HobSR "view.php" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/view\.php" chain
SecFilterSelective ARG_arrange "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Web4Future eDating Professional SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_s|ARG_pg|ARG_sortb "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/(gift|fq)\.php" chain
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/articles\.php" chain
SecFilterSelective ARG_cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#FileLister "searchwhat" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "/definesearch\.jsp" chain
SecFilterSelective ARG_searchwhat "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#PHP-Fusion "srch_text" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/messages\.php" chain
SecFilterSelective ARG_srch_text "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Nortel SSL VPN Web Interface  XSS
SecFilterSelective REQUEST_URI "/tunnelform\.yaws" chain
SecFilterSelective ARG_a "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#Scout Portal Toolkit Possible Sql Injection..and XSS
SecFilterSelective REQUEST_URI "BrowseResources\.php\?ParentId=\'"
SecFilterSelective REQUEST_URI "SPT\-\-UserLogin\.php" chain
SecFilterSelective ARG_F_UserName|ARG_F_Password "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-FullRecord\.php" chain
SecFilterSelective ARG_ResourceId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-BrowseResources\.php" chain
SecFilterSelective ARG_ParentId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-Home\.php" chain
SecFilterSelective ARG_ResourceOffset "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-QuickSearch\.php" chain
SecFilterSelective ARG_ss|ARG_F_SearchString "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-BrowseResources\.php" chain
SecFilterSelective ARG_ParentId "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "SPT\-\-AdvancedSearch\.php" chain
SecFilterSelective ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#Magic Book v2.0 Professional XSS Vuln
SecFilterSelective REQUEST_URI "/book\.cfm\?StartRow.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#flatnuke remote shell
SecFilterSelective REQUEST_URI "verify\.php" chain
SecFilterSelective THE_REQUEST "mod=modcont&from=index\.php&body=.*\<\?php.*&file=forum.*users.*\.php"
SecFilterSelective REQUEST_URI "forum/users/.*\.php\?cmd="

#Netref "cat" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#milliscripts Redirection "domainname" Cross-Site Scripting
SecFilterSelective REQUEST_URI "register\.php" chain
SecFilterSelective ARG_domainname "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#phpnuke exploit
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"

#limbo exploit
SecFilterSelective REQUEST_URI "index2\.php\?cmd.*\&_SERVER\[\]=\&_SERVER\[REMOTE_ADDR\]=" chain
SecFilterSelective THE_REQUEST "system"

#Plogger '/admin/plog-admin-functions.php' Include File Bug Lets Remote Users Execute
SecFilterSelective REQUEST_URI "admin/plog-admin-functions\.php\?config\[basedir\]=(http|https|ftp)\:/"

#PHPGedView <= 3.3.7 remote commands execution
SecFilterSelective REQUEST_URI "help_text_vars\.php\?.*=.*PGV_BASE_DIRECTORY=./index/pgv.*\.log"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="

#AlstraSoft EPay Enterprise Script Insertion Vulnerabilities
SecFilterSelective REQUEST_URI "(profile|card|bank|subscriptions|send|request|forgot|escrow|donations|products)\.htm" chain
SecFilterSelective ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#PHP-Fusion Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "members\.php" chain
SecFilterSelective ARG_sortby "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
SecFilterSelective REQUEST_URI "ratings_include\.php" chain
SecFilterSelective ARG_rating "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#e-publish Cross-Site Scripting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "printer_friendly\.cfm" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "show\.cfm" chain
SecFilterSelective ARG_obcatid|ARG_comid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#eggblog "q" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

# SyntaxCMS XSS vuln.
SecFilterSelective REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#SPIP Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "spip_(login|pass)\.php3" chain
SecFilterSelective ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#SiteSage "norelay_highlight_words" Cross-Site Scripting Vulnerability
SecFilterSelective ARG_norelay_highlight_words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#OpenEdit Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "results\.html" chain
SecFilterSelective ARG_oe-action|ARG_page "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

#Portfolio NetPublish "template" Disclosure of Sensitive Information
SecFilterSelective REQUEST_URI "server\.np\?base&site=\[.*\]&catalog=.*&template=*\.\./"

#Papoo SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "(index|guestbook)\.php" chain
SecFilterSelective ARG_menuid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "print\.php" chain
SecFilterSelective ARG_forumid|ARG_reporeid_print "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#phpSlash "story_id" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "article\.php" chain
SecFilterSelective ARG_story_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PhpGedView File Inclusion and PHP Code Injection Vulnerabilities
SecFilterSelective REQUEST_URI "authenticate\.php" chain
SecFilterSelective ARG_user_language|ARG_user_email|ARG_user_gedcomid  "\<.*php"

#Miraserver SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_page "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "newsitem\.php" chain
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "article\.php" chain
SecFilterSelective ARG_cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Information Call Center "CallCenterData.mdb" Exposure of User Credentials
SecFilterSelective REQUEST_URI "CallCenterData\.mdb" 

#phpBB <= 2.0.17 remote command execution exploit
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"

#phpDocumentor File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "Documentation/tests/bug-559668\.php"  chain
SecFilterSelective ARG_FORUM\[LIB\] "(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "docbuilder/file_dialog\.php" chain
SecFilterSelective ARG_root_dir "(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "/tiki-index\.php\?page=(\||/|\.)"
SecFilterSelective REQUEST_URI "/tech_o\.php\?absolute_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "moblog_lib\.php\?basedir=(cmd|(http|https|ftp)\:/)"

#FlatCMS <=1.01 Remote Command Execution Exploit
SecFilterSelective REQUEST_URI "/admin/cijfer\.php\?cij="
SecFilterSelective REQUEST_URI "/admin/file_editor\.php" chain
SecFilter "\?save_file=cijfer\.php&f_content="
SecFilterSelective REQUEST_URI "/admin/file_editor\.php" chain
SecFilterSelective REQUEST_URI  "\x3C\x3F\x24"
#the specific payload, if you prefer
#SecFilterSelective REQUEST_URI  "\x3C\x3F\x24handle\x3Dpopen\x5C\x28\x24_GET\x5Bcij\x5D\x2C\x22r\x22\x29\x3Bwhile\x28\x21feof\x28\x24handle\x29\x29\x7B\x24line\x3Dfgets\x28\x24handle\x29\x3Bif\x28strlen\x28\x24line\x29\x3E\x3D1\x29\x7Becho\x22\x24line\x22\x3B\x7D\x7Dpclose\x28\x24handle\x29\x3B\x3F\x3E"

#Valdersoft Shopping Cart <=3.0 Remote Command Execution Exploit
SecFilterSelective REQUEST_URI  "/include/templates/categories/default\.php\?.*\;echo"
SecFilterSelective REQUEST_URI  "/include/templates/categories/default\.php\?.*<\?passthru\(\$_GET\[cmd\]\)\;\?>"
SecFilterSelective ARG_catalogDocumentRoot  "(https|http|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "index\.php\?p=(http|https|ftp)\:/"

#Phgstats "phgdir" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "phgstats\.inc\.php" chain
SecFilterSelective ARG_phgdir "(http|https|ftp)\:/"

#VenomBoard SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "post\.php3" chain
SecFilterSelective ARG_topic_id|ARG_root|ARG_parent "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

# PHPNuke EV 7.7 'search' module 'query' variable SQL injection
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search" chain
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#honeypot
SecFilterSelective REQUEST_URI "/admin\.php\?op=AddAuthor&add_aid=.*&add_name=.*&add_pwd=.*&add_email=r00t_System@hush\.com"

#Etomite "cij" shell command backdoor
SecFilterSelective REQUEST_URI "manager/includes/todo\.inc\.php"

#openSRS exploit
SecFilterSelective REQUEST_URI "mod_opensrs/mod_config\.php\?this_mod_opensrs_config.*=.*&DIR=(http|https|ftp)\:/"

#honeypot
SecFilterSelective REQUEST_URI "/index\.php" chain
SecFilterSelective ARG_lp "(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php\?forum=.*union.*select.*password,password,null,null"
SecFilterSelective REQUEST_URI "/wwForum\.mdb"

#ImpExData.php?systempath=
SecFilterSelective REQUEST_URI "/ImpExData\.php" chain
SecFilterSelective ARG_systempath "(http|https|ftp)\:/"

#SQuery <= 4.5 Remote File Inclusion Exploit
SecFilterSelective REQUEST_URI "lib/(armygame|ase|devi|doom3|et|flashpoint.php|gameSpy|gameSpy2|gore|gsvari|halo|hlife|hlife2|igi2|main.lib|netpanzer|old_hlife|pkill|q[23]a|qworlp|rene|rvbshld|savage|simracer|sof1|sof2|unreal|ut2004|vietcong)\.php" chain
SecFilterSelective ARG_libpath "(http|https|ftp)\:/"

#MonAlbum Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "index\.php" chain
SecFilterSelective ARG_pc "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "image_agrandir.php" chain
SecFilterSelective ARG_pnom|ARG_pcourriel "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
#VWar <= 1.5.0 R12 Remote File Inclusion Exploit
SecFilterSelective REQUEST_URI "(/includes/functions_(common|install)|/includes/get_header)\.php" "chain,id:390039,rev:2,severity:2,msg:'JITP: vwar_root remote/local file inclusion'"
SecFilterSelective ARG_vwar_root "((http|https|ftp)\:/|\.\./\.\.)"

#gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
SecFilterSelective REQUEST_URI "new(Project|List|WaitingOn|ChecklistContext|Category.php|Goal)\.php" chain
SecFilterSelective ARGS  "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "listReport\.php" chain
SecFilterSelective ARG_listTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "projectReport\.php" chain
SecFilterSelective ARG_projectName "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "checklistReport\.php" chain
SecFilterSelective ARG_checklistTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#aWebBB Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "post\.php" "chain,id:390001,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on post.php'"
SecFilterSelective ARG_tname|ARG_fpost "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "editac\.php" "chain,id:390002,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on editac.php'"
SecFilterSelective ARG_fullname|ARG_emailadd|ARG_country|ARG_sig|ARG_otherav "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "register\.php" "chain,id:390003,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on register.php'"
SecFilterSelective ARG_fullname|ARG_emailadd|ARG_country "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "(accounts|changep|editac|feedback|fpass|login|post|reply|reply_log)\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB XSS attack'"
SecFilterSelective ARG_Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "dpost\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
SecFilterSelective ARG_p "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "(ndis|list)\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
SecFilterSelective ARG_c "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "search\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
SecFilterSelective ARG_q "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#phpBB "cur_password" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "profile\.php" "chain,id:390006,rev:1,severity:2,msg:'JITP: phpBB cur_password XSS attack'"
SecFilterSelective ARG_cur_password "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
SecFilterSelective REQUEST_URI "modules/vWar_Account/includes/functions_(common|front)\.php" "chain,id:390007,rev:2,severity:2,msg:'JITP: PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit'"
SecFilterSelective ARG_vwar_root2 "(http|https|ftp)\:/"

#Claroline <= 1.7.4 scormExport.inc.php remote command vuln
SecFilterSelective REQUEST_URI "scormExport\.inc\.php" "chain,id:390008,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"
SecFilterSelective ARG_includePath "((http|https|ftp)\:/|\.\./\.\.)"
SecFilterSelective REQUEST_URI "scormExport\.inc\.php\?cmd=" "id:390009,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"

#Claroline <= 1.7.4 XSS and recursion attack
SecFilterSelective REQUEST_URI "rqmkhtml\.php" "chain,id:390010,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 XSS attack'"
SecFilterSelective ARG_cmd "(rqEdit|rwEditHtml)" chain
SecFilterSelective ARG_file "(><|\.\./\.\.)"

#aWebNews Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "visview\.php" "chain,id:390011,rev:1,severity:2,msg:'JITP: aWebNews XSS attack'"
SecFilterSelective ARG_yname|ARG_emailadd|ARG_subject|ARG_comment "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "(login|fpass)\.php" "chain,id:390012,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
SecFilterSelective ARG_user123 "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "visview\.php" "chain,id:390013,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#WebAPP Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "index\.cgi" "chain,id:390014,rev:1,severity:2,msg:'JITP: aWebAPP XSS attack'"
SecFilterSelective ARG_action|ARG_id|ARG_num|ARG_board|ARG_cat|ARG_writer|ARG_viewcat|ARG_img|ARG_curcatname|ARG_vsSD "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#qliteNews "loginprocess.php" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "loginprocess\.php" "chain,id:390015,rev:1,severity:2,msg:'JITP: qliteNEws SQL injection attack'"
SecFilterSelective ARG_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#RedCMS SQL Injection and Script Insertion Vulnerabilities
SecFilterSelective REQUEST_URI "login\.php" "chain,id:390016,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
SecFilterSelective ARG_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "profile\.php" "chain,id:390017,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
SecFilterSelective ARG_u "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "register\.php" "chain,id:390018,rev:1,severity:2,msg:'JITP: RedCMS XSS attack'"
SecFilterSelective ARG_Email|ARG_Location|ARG_Website "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#Oxygen "fid" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "post\.php" "chain,id:390019,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
SecFilterSelective ARG_fid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Mantis Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "view_set_all\.php" "chain,id:390020,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
SecFilterSelective ARG_start_day|ARG_start_year|ARG_start_month "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#vCounter "url" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "vCounter\.php" "chain,id:390021,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
SecFilterSelective ARG_url "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.php" "chain,id:390022,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
SecFilterSelective ARG_searchword "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
SecFilterSelective REQUEST_URI "/sendpassword\.php\?action=send" "chain,id:390023,rev:1,severity:2,msg:'JITP: PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection'"
SecFilterSelective POST_PAYLOAD "UNION SELECT.*concat.*password.*admin\.php"

#Sourceworkshop newsletter "email" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/newsletter\.php" "chain,id:390024,rev:1,severity:2,msg:'JITP: Sourceworkshop newsletter SQL Injection Vulnerability'"
SecFilterSelective ARG_newsletteremail "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#X-Changer SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/index\.php" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
SecFilterSelective ARG_from|ARG_into|ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Cholod Mysql based message board Script Insertion and SQL Injection
SecFilterSelective REQUEST_URI "/mb\.cgi" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
SecFilterSelective ARG_topicnumber|ARG_threadnumber "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/mb\.cgi" "chain,id:390026,rev:1,severity:2,msg:'JITP: X-Changer XSS Vulnerability'"
SecFilterSelective ARG_Name|ARG_Subject|ARG_Message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#Null news Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/(sub|unsub)\.php" "chain,id:390027,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
SecFilterSelective ARG_user_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "/lostpass\.php" "chain,id:390028,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
SecFilterSelective ARG_user_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#VSNS Lemon SQL injection Vulnerabilities
SecFilterSelective REQUEST_URI "/functions/final_functions\.php" "chain,id:390029,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#PHPLiveHelper 1.8 remote command execution Xploit
SecFilterSelective REQUEST_URI "initiate\.php" "chain,id:390030,rev:1,severity:2,msg:'JITP: PHPLiveHelper 1.8 remote command execution Xploit'"
SecFilterSelective ARG_abs_path "(http|https|ftp)\:/"

#Pixel Motion Blog SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "admin/index\.php" "chain,id:390031,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
SecFilterSelective ARG_user|ARG_pass "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390032,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
SecFilterSelective ARG_date "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Nuked-Klan "m" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390033,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
SecFilterSelective ARG_m "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#TFT Gallery "passwd" Exposure of User Credentials
SecFilterSelective REQUEST_URI "admin/passwd$" "id:390035,rev:1,severity:2,msg:'JITP: TFT Gallery passwd Exposure of User Credentials'"

#PHP Ticket "frm_search_in" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "search\.php" "chain,id:390036,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
SecFilterSelective ARG_frm_search_in "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#WEBalbum Local File Inclusion Vulnerability
SecFilterSelective COOKIE_skin2 "\.\." "id:390037,rev:1,severity:2,msg:'JITP: WEBalbum Local File Inclusion Vulnerability'"

#G-Book "g_message" Script Insertion Vulnerability
SecFilterSelective REQUEST_URI "/guestbook\.php" "chain,id:390038,rev:1,severity:2,msg:'JITP: G-Book g_message Script Insertion Vulnerability'"
SecFilterSelective ARG_g_message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

#PHPMyChat exploit
SecFilterSelective REQUEST_URI "messagesL\.php.?\?L=.*R=.*N=.*&T=.*cmd=" "id:390039,rev:1,severity:2,msg:'JITP: PHPMyChat exploit'"

#Horde Help Module Remote Execution
SecFilterSelective REQUEST_URI "/services/help/\?show=.*&module=;\"" "id:390040,rev:1,severity:2,msg:'JITP: Horde Help Module Remote Execution'"

#Internet PhotoShow Remote File Inclusion Exploit
SecFilterSelective REQUEST_URI "index\.php?page=(ht|f)tps?:/.*\?&[a-z]+=[a-z]" "id:390041,rev:1,severity:2,msg:'JITP: Internet PhotoShow Remote File Inclusion Exploit'"

#Censtore.cgi exploit
SecFilterSelective REQUEST_URI "/censtore\.cgi\?page=\|" "id:390042,rev:1,severity:2,msg:'JITP: Censtore.cgi exploit'"

#quizz.pl exploit
SecFilterSelective REQUEST_URI "quizz\.pl/ask/\;" "id:390043,rev:1,severity:2,msg:'JITP: quizz.pl exploit'"

#phpinfo.cgi command execution
SecFilterSelective REQUEST_URI "/phpinfo\.php\?cmd=" "id:390044,rev:1,severity:2,msg:'JITP: phpinfo.cgi command execution'"

#phpRaid "phpbb_root_path" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "auth/auth_phpbb\.php" "chain,id:390045,rev:1,severity:2,msg:'JITP: phpRaid phpbb_root_path File Inclusion Vulnerability'"
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"

#openEngine "template" Parameter Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "website\.php" "chain,id:390046,rev:1,severity:2,msg:'JITP: openEngine template Parameter Local File Inclusion Vulnerability'"
SecFilterSelective ARG_template "\.\./\.\."

#ISPConfig "go_info[server][classes_root]" File Inclusion
SecFilterSelective REQUEST_URI "lib/session\.inc\.php" "chain,id:390047,rev:1,severity:2,msg:'JITP: ISPConfig go_info[server][classes_root] File Inclusion'"
SecFilterSelective REQUEST_URI "go_info\[server\]\[classes_root\].*((ht|f)tps?:/|\.\./\.\.)"

#ManageEngine OpManager "searchTerm" Cross-Site Scripting
SecFilterSelective  REQUEST_URI "search\.do" "chain,id:390048,rev:1,severity:2,msg:'JITP: ManageEngine OpManager searchTerm Cross-Site Scripting'"
SecFilterSelective ARG_searchTerm "(javascript|script|about|applet|activex|chrome)*\>"

#AliPAGER "ubild" Cross-Site Scripting and SQL Injection
SecFilterSelective  REQUEST_URI "inc/elementz\.php" "chain,id:390049,rev:1,severity:2,msg:'JITP: AliPAGER ubild Cross-Site Scripting and SQL Injection'"
SecFilterSelective ARG_ubild "((javascript|script|about|applet|activex|chrome)*\>|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"

#MxBB Portal pafileDB Module "module_root_path" File Inclusion
SecFilterSelective  REQUEST_URI "includes/pafiledb_constants\.php" "chain,id:390050,rev:1,severity:2,msg:'JITP: MxBB Portal pafileDB Module module_root_path File Inclusion'"
SecFilterSelective ARG_module_root_path "((ht|f)tps?:/|\.\./\.\.)"

#Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
SecFilterSelective  REQUEST_URI "site/scripts/register\.php" "chain,id:390051,rev:1,severity:2,msg:'JITP: Jadu CMS register.php Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_forename|ARG_surname|ARG_reg_email|ARG_email_conf|ARG_company|ARG_city|ARG_postcode|ARG_telephone "(javascript|script|about|applet|activex|chrome|php)*\>"

#OpenFAQ "q" Parameter Script Insertion Vulnerability
SecFilterSelective  REQUEST_URI "search\.php" "chain,id:390052,rev:1,severity:2,msg:'JITP: OpenFAQ q Parameter Script Insertion Vulnerability'"
SecFilterSelective ARG_q "(javascript|script|about|applet|activex|chrome)*\>"

#phpBB foing Module "phpbb_root_path" File Inclusion
SecFilterSelective  REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"

#Sugar Suite "sugarEntry" Parameter Security Bypass
SecFilterSelective  REQUEST_URI "/modules/.*/.*\.php\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390054,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
SecFilterSelective  REQUEST_URI "/modules/.*/.*\.php\?cmd=.*GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390055,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
SecFilterSelective  REQUEST_URI "/modules/.*/.*\.php" "chain,id:390056,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
SecFilterSelective  POST_PAYLOAD "\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)"

#Sugar Suite exploit
SecFilterSelective  REQUEST_URI "modules/Administration/RebuildAudit\.php\?cmd=" "id:390057,rev:1,severity:2,msg:'JITP: Sugar Suite exploit'"

#TikiWiki Multiple Cross-Site Scripting Vulnerabilities
SecFilterSelective  REQUEST_URI "tiki-lastchanges\.php" "chain,id:390058,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_days|ARG_offset "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-orphan_pages\.php" "chain,id:390059,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_find "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-listpages\.php" "chain,id:390060,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_offset|ARG_initial "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-remind_password\.php" "chain,id:390061,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_username "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-(admin_(rssmodules|notifications|content_templates|chat)|syslog)\.php" "chain,id:390062,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_offset "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-adminusers\.php" "chain,id:390063,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_numrows "(javascript|script|about|applet|activex|chrome)+.?\>"
SecFilterSelective  REQUEST_URI "tiki-searchindex\.php" "chain,id:390095,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
SecFilterSelective ARG_highlist "(javascript|script|about|applet|activex|chrome)+.?\>"

#Wordpress shell injection Vulnerability
SecFilterSelective  REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"

#Nucleus <= 3.22 arbitrary remote inclusion exploit
SecFilterSelective  REQUEST_URI "PLUGINADMIN\.php\?GLOBALS\[DIR_LIBS\]=((ht|f)tps?\:/|/tmp|/opt|/etc|/export|/var|/home|/usr|\.\.)" "id:390065,rev:1,severity:2,msg:'JITP: Nucleus arbitrary remote inclusion exploit'"

#Horde passthru protection
SecFilterSelective REQUEST_URI "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)" "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"

#CMS-Bandits "spaw_root" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "dialogs/(img|td|table)\.php" "chain,id:390067,rev:2,severity:2,msg:'JITP: CMS-Bandits spaw_root File Inclusion Vulnerability'"
SecFilterSelective ARG_spaw_root "(ht|f)tps?\:/"

#phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
SecFilterSelective REQUEST_URI "dialogs/(img|td)\.php" "chain,id:390068,rev:1,severity:2,msg:'JITP: phpBB Blend Portal System Module phpbb_root_path File Inclusion'"
SecFilterSelective ARG_phpbb_root_path "(ht|f)tps?\:/"

#Admanager Pro exploit
SecFilterSelective REQUEST_URI "common\.php" "chain,id:390069,rev:1,severity:2,msg:'JITP: Admanager Pro exploit'"
SecFilterSelective ARG_ipath "((ht|f)tps?\:/|\.\./)"

#Bible Portal Project destination File Inclusion Vulnerability'
SecFilterSelective REQUEST_URI "Admin/rtf_parser\.php" "chain,id:390071,rev:1,severity:2,msg:'JITP: Bible Portal Project destination File Inclusion Vulnerability'"
SecFilterSelective ARG_destination "((ht|f)tps?\:/|\.\./)"

#Flipper Poll "root_path" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "poll\.php" "chain,id:390072,rev:1,severity:2,msg:'JITP: Flipper Poll root_path File Inclusion Vulnerability'"
SecFilterSelective ARG_root_path "((ht|f)tps?\:/|\.\./)"

#PictureDis Products "lang" Parameter File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "(thumstbl|wpfiles|wallpapr)\.php" "chain,id:390073,rev:1,severity:2,msg:'JITP: PictureDis Products lang Parameter File Inclusion Vulnerability'"
SecFilterSelective ARG_lang "((ht|f)tps?\:/|\.\./)"

#Joomla and Mambo 'Weblinks' blind SQL injection / admin credentials EXPLOIT
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390074,rev:1,severity:2,msg:'JITP: Joomla/Mambo Weblinks blind SQL injection'"
SecFilterSelective ARG_title "(users[[:space:]]+WHERE[[:space:]]+usertype|UNION[[:space:]]+SELECT[[:space:]]+IF|insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" chain
SecFilterSelective ARG_task "save"

#new pattern
SecFilterSelective REQUEST_URI "index\.php\?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd"

#phpBB Mail2Forum Module "m2f_root_path" File Inclusion
SecFilterSelective ARG_m2f_root_path "((ht|f)tps?\:/|\.\./)" "id:390076,rev:1,severity:2,msg:'JITP: Generic m2f_root_path File Inclusion Vulnerability'"

#
SecFilterSelective REQUEST_URI "downloads\.php" "chain,id:390077,rev:1,severity:2,msg:'JITP: Generic PHP download incddir File Inclusion Vulnerability'"
SecFilterSelective ARG_incdir "((ht|f)tps?\:/|\.\./)"

#SiteDepth CMS "SD_DIR" Parameter Handling Remote File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "constants\.php" "chain,id:390078,rev:1,severity:2,msg:'JITP: SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_SD_DIR "((ht|f)tps?\:/|\.\./)"

#PhpLinkExchange "page" Parameter Handling Remote File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390079,rev:1,severity:2,msg:'JITP: PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_page "((ht|f)tps?\:/|\.\./)"

#test for valid X-forearded header
SecFilterSelective HTTP_X_FORWARDED_FOR "!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown),?(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)?" "id:390080,rev:1,severity:2,msg:'Test: Checking for valid X-Forwarded header',log,pass"

#authldap 
SecFilterSelective REQUEST_URI "authldap\.php" "chain,id:390081,rev:1,severity:2,msg:'JITP: authldap Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_includePath "((ht|f)tps?\:/|\.\./)"

#honeypot
SecFilterSelective REQUEST_URI "global_header\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: globalheader domain variable Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_domain "((ht|f)tps?\:/|\.\./)"

#Generic phpbb_root_path inclusion
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390083,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path variable Remote File Inclusion Vulnerability'"

#Generic BBCodeFile variable remote file include
SecFilterSelective ARG_BBCodeFile "((ht|f)tps?:/|\.\./\.\.)" "id:390084,rev:1,severity:2,msg:'JITP: Generic BBCodeFile variable Remote File Inclusion Vulnerability'"

#Generic wb_class_dir variable remote file include
SecFilterSelective ARG_wb_class_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390085,rev:1,severity:2,msg:'JITP: Generic wb_class_dir variable Remote File Inclusion Vulnerability'"

#Generic component_dir variable remote file include
SecFilterSelective ARG_component_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390086,rev:1,severity:2,msg:'JITP: Generic component_dir variable Remote File Inclusion Vulnerability'"

#Generic da_path variable remote file include
SecFilterSelective ARG_da_path "((ht|f)tps?:/|\.\./\.\.)" "id:390087,rev:1,severity:2,msg:'JITP: Generic da_path variable Remote File Inclusion Vulnerability'"

#Generic spaw_root variable remote file include
SecFilterSelective ARG_spaw_root "((ht|f)tps?:/|\.\./\.\.)" "id:390088,rev:1,severity:2,msg:'JITP: Generic spaw_root variable Remote File Inclusion Vulnerability'"

#Generic sitee variable remote file include
SecFilterSelective ARG_sitee "((ht|f)tps?:/|\.\./\.\.)" "id:390089,rev:1,severity:2,msg:'JITP: Generic sitee variable Remote File Inclusion Vulnerability'"

#Generic default_path variable remote file include
SecFilterSelective REQUEST_URI "\.php" "chain,id:390092,rev:1,severity:2,msg:'JITP: PHP default_path variable Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_default_path "((ht|f)tps?:/|\.\./\.\.)" 

#file_upload sbp remote file inclusion vuln
SecFilterSelective REQUEST_URI "file_upload\.php" "chain,id:390090,rev:1,severity:2,msg:'JITP: file_upload sbp variable Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_sbp "((ht|f)tps?\:/|\.\./)"

#viewtopic sid remote file inclusion vuln
SecFilterSelective REQUEST_URI "viewtopic\.php" "chain,id:390091,rev:1,severity:2,msg:'JITP: viewtopic sid variable Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_sid "((ht|f)tps?\:/|\.\./)"

#get_infochannel root_path remote file inclusion vuln
SecFilterSelective REQUEST_URI "get_infochannel\.inc\.php" "chain,id:390093,rev:1,severity:2,msg:'JITP: get_infochannel root_path variable Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_root_path "((ht|f)tps?\:/|\.\./)"

#Generic root_path variable remote file include
SecFilterSelective ARG_root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390094,rev:1,severity:2,msg:'JITP: Generic root_path variable Remote File Inclusion Vulnerability'"

#Generic default_path variable remote file include
SecFilterSelective REQUEST_URI "\.php" "chain,id:390096,rev:1,severity:2,msg:'JITP: PHP glConf variable Remote File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "glConf\[path_library\].*((ht|f)tps?:/|\.\./\.\.)" 

#MyNewsGroups :) "myng_root" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "layersmenu\.inc\.php" "chain,id:390097,rev:1,severity:2,msg:'JITP: MyNewsGroups myng_root Remote File Inclusion Vulnerability'"
SecFilterSelective ARG_myng_root "((ht|f)tps?:/|\.\./\.\.)" 

#Joomla invalid arguments check
#SecFilterSelective "joomla/" "chain,id:390098,rev:1,severity:2,msg:'JITP: Joomla invalid character Vulnerability'"
#SecFilterSelective ARG_from|ARG_fromname|ARG_subject "[\x00-\x1F\x7F]" 

#TikiWiki jhot.php upload exploit
SecFilterSelective REQUEST_URI  "img/wiki/"  "chain,id:390099,rev:1,severity:2,msg:'JITP: TikiWiki non-image upload exploit'"
SecFilterSelective REQUEST_URI  "\.!(jpe?g|gif|png|bmp)" 

#pageheaderdefault sysSessionPath upload exploit
SecFilterSelective REQUEST_URI  "pageheaderdefault\.inc\.php\?" "chain,id:390100,rev:1,severity:2,msg:'JITP: pageheaderdefault sysSessionPath upload exploit'"
SecFilterSelective REQUEST_URI  "_sysSessionPath=((ht|f)tps?:/|\.\./\.\.)"

#new pattern
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390101,rev:1,severity:2,msg:'JITP: possible vulnscan6 exploit'"
SecFilterSelective REQUEST_URI "(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc\])=((ht|f)tps?:/|\.\./\.\.)"

#Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "smarty_config\.php" "chain,id:390102,rev:1,severity:2,msg:'JITP: Socketwiz Bookmarks root_dir File Inclusion Vulnerability'"
SecFilterSelective ARG_root_dir "((ht|f)tps?:/|\.\./\.\.)"

#MyABraCaDaWeb "base" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "(index|pop)\.php" "chain,id:390103,rev:1,severity:2,msg:'JITP: MyABraCaDaWeb base File Inclusion Vulnerabilities'"
SecFilterSelective ARG_base "((ht|f)tps?:/|\.\./\.\.)"

#Vivvo Article Management CMS SQL Injection and File Inclusion
SecFilterSelective REQUEST_URI "pdf_version\.php" "chain,id:390104,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS SQL Injection'"
SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#Vivvo Article Management classified_path file inclusion
SecFilterSelective ARG_classified_path "((ht|f)tps?:/|\.\./\.\.)" "id:390105,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS File Inclusion'"

#RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "raidenhttpd-admin/slice/check\.php" "chain,id:390106,rev:1,severity:2,msg:'JITP: RaidenHTTPD SoftParserFileXml File Inclusion Vulnerability'"
SecFilterSelective ARG_SoftParserFileXml "((ht|f)tps?:/|\.\./\.\.)"

#mcGalleryPRO "path_to_folder" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "random2\.php" "chain,id:390107,rev:1,severity:2,msg:'JITP: mcGalleryPRO path_to_folder File Inclusion Vulnerability'"
SecFilterSelective ARG_path_to_folder "((ht|f)tps?:/|\.\./\.\.)"

#Timesheet PHP "username" Parameter SQL Injection
SecFilterSelective REQUEST_URI "username\.php" "chain,id:390108,rev:1,severity:2,msg:'JITP: Timesheet PHP username Parameter SQL Injection'"
SecFilterSelective ARG_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"

#CCleague Pro "language" Parameter Local File Inclusion
SecFilterSelective ARG_language "((ht|f)tps?:/|\.\./\.\.)" "id:390109,rev:1,severity:2,msg:'JITP: CCleague Pro language Parameter Local File Inclusion'"

#TWiki "filename" Parameter Disclosure of Sensitive Information
SecFilterSelective REQUEST_URI "/TWiki/" "chain,id:390110,rev:1,severity:2,msg:'JITP: TWiki filename Parameter Disclosure of Sensitive Information'"
SecFilterSelective ARG_filename "\.\./\.\."

#photokorn "dir_path" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "(includes/cart\.inc\.php|extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'JITP: photokorn dir_path File Inclusion Vulnerabilities'"
SecFilterSelective ARG_dir_path "((ht|f)tps?:/|\.\./\.\.)"

#Somery "skindir" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "admin/system/include\.php" "chain,id:390112,rev:1,severity:2,msg:'JITP: Somery skindir File Inclusion Vulnerability'"
SecFilterSelective ARG_skindir "((ht|f)tps?:/|\.\./\.\.)"

#DokuWiki "TARGET_FN" Directory Traversal Vulnerability
SecFilterSelective REQUEST_URI "bin/dwpage\.php" "chain,id:390113,rev:1,severity:2,msg:'JITP: DokuWiki TARGET_FN Directory Traversal Vulnerability'"
SecFilterSelective ARG_TARGET_FN "((ht|f)tps?:/|\.\./\.\.)"

#Fantastic News "CONFIG[script_path]" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "(archive|headlines)\.php" "chain,id:390114,rev:1,severity:2,msg:'JITP: Fantastic News CONFIG[script_path] File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "CONFIG\[script_path\]=((ht|f)tps?:/|\.\./\.\.)"

#BP News "bnrep" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "bp_ncom\.php" "chain,id:390115,rev:1,severity:2,msg:'JITP: BP News bnrep File Inclusion Vulnerability'"
SecFilterSelective ARG_bnrep "((ht|f)tps?:/|\.\./\.\.)"

#Akarru Social BookMarking Engine "bm_content" File Inclusion
SecFilterSelective REQUEST_URI "akarru\.gui/main_content\.php" "chain,id:390116,rev:1,severity:2,msg:'JITP: Akarru Social BookMarking Engine bm_content File Inclusion'"
SecFilterSelective ARG_bm_content "((ht|f)tps?:/|\.\./\.\.)"

#Beautifier "BEAUT_PATH" Parameter File Inclusion Vulnerability
#phpCodeGenie "BEAUT_PATH" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "Beautifier/Core\.php" "chain,id:390117,rev:1,severity:2,msg:'JITP: Beautifier BEAUT_PATH Parameter File Inclusion Vulnerability'"
SecFilterSelective ARG_BEAUT_PATH "((ht|f)tps?:/|\.\./\.\.)"

#phpFullAnnu "repmod" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "modules/home\.module\.php" "chain,id:390118,rev:1,severity:2,msg:'JITP: phpFullAnnu repmod File Inclusion Vulnerability'"
SecFilterSelective ARG_repmod "((ht|f)tps?:/|\.\./\.\.)"

#Sponge News "sndir" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "news\.php" "chain,id:390119,rev:1,severity:2,msg:'JITP: Sponge News sndir File Inclusion Vulnerability'"
SecFilterSelective ARG_sndir "((ht|f)tps?:/|\.\./\.\.)"

#ACGV News "PathNews" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390120,rev:1,severity:2,msg:'JITP: ACGV News PathNews File Inclusion Vulnerabilities'"
SecFilterSelective ARG_PathNews "((ht|f)tps?:/|\.\./\.\.)"

#MySpeach "my_ms[root]" Parameter File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "jscript\.php\?" "chain,id:390121,rev:1,severity:2,msg:'JITP: MySpeach my_ms[root] Parameter File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "my_ms\[root\]=((ht|f)tps?:/|\.\./\.\.)"

#annoncesV "page" Parameter File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "annonce\.php\?" "chain,id:390122,rev:1,severity:2,msg:'JITP: annoncesV page Parameter File Inclusion Vulnerability'"
SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)"

#GrapAgenda "page" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "index\.php\?" "chain,id:390123,rev:1,severity:2,msg:'JITP: GrapAgenda page File Inclusion Vulnerability'"
SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)"

#C-News "path" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "/affichage/.*\.php\?" "chain,id:390124,rev:1,severity:2,msg:'JITP: C-News path File Inclusion Vulnerabilities'"
SecFilterSelective ARG_path "((ht|f)tps?:/|\.\./\.\.)"

#PhpCommander "Directory" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "download\.php\?" "chain,id:390125,rev:1,severity:2,msg:'JITP: PhpCommander Directory Local File Inclusion Vulnerability'"
SecFilterSelective ARG_Directory "((ht|f)tps?:/|\.\./\.\.)"

#dyncms "x_admindir" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "0_admin/modules/Wochenkarte/frontend/index\.php" "chain,id:390126,rev:1,severity:2,msg:'JITP: dyncms x_admindir File Inclusion Vulnerability'"
SecFilterSelective ARG_x_admindir "((ht|f)tps?:/|\.\./\.\.)"

#MyBace Light Skript File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "includes/login_check\.php" "chain,id:390127,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
SecFilterSelective ARG_hauptverzeichniss "((ht|f)tps?:/|\.\./\.\.)"
SecFilterSelective REQUEST_URI "dmin/login/content/user_daten\.php" "chain,id:390128,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
SecFilterSelective ARG_template_back "((ht|f)tps?:/|\.\./\.\.)"

#YACS "context[path_to_root]" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "\.php" "chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "context\[path_to_root\]=((ht|f)tps?:/|\.\./\.\.)"

#Pheap "lpref" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "lib/config\.php" "chain,id:390130,rev:1,severity:2,msg:'JITP: Pheap lpref File Inclusion Vulnerability'"
SecFilterSelective ARG_lpref "((ht|f)tps?:/|\.\./\.\.)"

#phpECard "include_path" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "functions\.php" "chain,id:390131,rev:1,severity:2,msg:'JITP: phpECard include_path File Inclusion Vulnerabilities'"
SecFilterSelective ARG_include_path "((ht|f)tps?:/|\.\./\.\.)"

#MiniBill "config[include_dir]" Parameter File Inclusion
SecFilterSelective REQUEST_URI "actions/ipn\.php" "chain,id:390132,rev:1,severity:2,msg:'JITP: MiniBill config[include_dir] File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "config\[include_dir\]=((ht|f)tps?:/|\.\./\.\.)"

#phpGroupWare Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "alendar/inc/class.holidaycalc\.inc\.php" "chain,id:390133,rev:1,severity:2,msg:'JITP: phpGroupWare Local File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "phpgw_info\[user\]\[preferences\]\[common\]\[country\]=\.\./\.\."

#ExBB Italia "exbb[home_path]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "modules/userstop/userstop\.php" "chain,id:390134,rev:1,severity:2,msg:'JITP: ExBB Italia exbb[home_path] File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "exbb\[home_path\]=((ht|f)tps?:/|\.\./\.\.)"

#Web3news "PHPSECURITYADMIN_PATH" File Inclusion
SecFilterSelective REQUEST_URI "security/include/_class\.security\.php" "chain,id:390135,rev:1,severity:2,msg:'JITP: Web3news PHPSECURITYADMIN_PATH File Inclusion Vulnerabilities'"
SecFilterSelective ARG_PHPSECURITYADMIN_PATH "((ht|f)tps?:/|\.\./\.\.)"

#phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390136,rev:1,severity:2,msg:'JITP: phpCOIN _CCFG[_PKG_PATH_INCL] File Inclusion'"
SecFilterSelective REQUEST_URI "_CCFG\[_PKG_PATH_INCL\]=((ht|f)tps?:/|\.\./\.\.)"

#Wikepage "lng" Local File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390137,rev:1,severity:2,msg:'JITP: Wikepage lng Local File Inclusion Vulnerability'"
SecFilterSelective ARG_lng "((ht|f)tps?:/|\.\./\.\.)"

#Empire CMS "check_path" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "e/class/CheckLevel\.php" "chain,id:390138,rev:1,severity:2,msg:'JITP: Empire CMS check_path File Inclusion Vulnerability'"
SecFilterSelective ARG_check_path "((ht|f)tps?:/|\.\./\.\.)"

#Dolphin "dir[inc]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "templates/tmpl_dfl/scripts/index.php" "chain,id:390139,rev:1,severity:2,msg:'JITP: Dolphin dir[inc] File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "dir\[inc\]=((ht|f)tps?:/|\.\./\.\.)"

#SportsPHool "mainnav" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "includes/layout/plain\.footer\.php" "chain,id:390140,rev:1,severity:2,msg:'JITP: SportsPHool mainnav File Inclusion Vulnerability'"
SecFilterSelective ARG_mainnav "((ht|f)tps?:/|\.\./\.\.)"

#NES Game & NES System "phphtmllib" File Inclusion
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390141,rev:1,severity:2,msg:'JITP: NES Game & NES System phphtmllib File Inclusion'"
SecFilterSelective ARG_phphtmllib "((ht|f)tps?:/|\.\./\.\.)"

#PHlyMail Lite "_PM_[path][handler]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "handlers/email/mod.listmail.php" "chain,id:390142,rev:1,severity:2,msg:'JITP: PHlyMail Lite _PM_[path][handler] File Inclusion Vulnerability'"
SecFilterSelective REQUEST_URI "_PM_\[path\]\[handler\]=((ht|f)tps?:/|\.\./\.\.)"

#Sonium Enterprise Adressbook "folder" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "/plugins/(1_Adressbuch/new|2_Branchen/edit|3_Typ/delete)\.php\?" "chain,id:390143,rev:1,severity:2,msg:'JITP: Sonium Enterprise Adressbook folder File Inclusion Vulnerabilities'"
SecFilterSelective ARG_folder "((ht|f)tps?:/|\.\./\.\.)"

#ff_compath remote file inclusion
SecFilterSelective ARG_ff_compath "((ht|f)tps?:/|\.\./\.\.)" "id:390150,rev:1,severity:2,msg:'JITP: ff_compath File Inclusion Vulnerabilities'"

#phpBB "avatar_path" PHP Code Execution Vulnerability
SecFilterSelective REQUEST_URI "/admin/admin_board\.php\?" "chain,id:390151,rev:1,severity:2,msg:'JITP: phpBB avatar_path PHP Code Execution Vulnerability'"
SecFilterSelective ARG_avatar_path "((ht|f)tps?:/|\.\./\.\.)"

#phpMyProfiler "pmp_rel_path" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/functions\.php\?" "chain,id:390152,rev:1,severity:2,msg:'JITP: phpMyProfiler pmp_rel_path File Inclusion Vulnerability'"
SecFilterSelective ARG_pmp_rel_path "((ht|f)tps?:/|\.\./\.\.)"

#Servlet auth attack
SecFilterSelective REQUEST_URI "/servlet/admin\?category=server\&method=listAll\&Authorization" "id:390153,rev:1,severity:2,msg:'JITP: Servlet Auth exposure Vulnerability'"

#Eazy Cart Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "easycart\.php" "chain,id:390154,rev:1,severity:2,msg:'JITP: Eazy Cart SQL injection'"
SecFilterSelective ARG_price "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
SecFilterSelective REQUEST_URI "admin/config/customer\.dat" "id:390155,rev:1,severity:2,msg:'JITP: Eazy Cart Customer Data Access'"
SecFilterSelective REQUEST_URI  "easycart\.php" "chain,id:390156,rev:1,severity:2,msg:'JITP: Eazy Cart XSS ATTACK'"
SecFilterSelective ARGS "<[[:space:]]*(script|about|applet|activex|chrome).*(script|about|applet|activex|chrome)[[:space:]]*>"

#WebYep "webyep_sIncludePath" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "webyep-system/program/((lib|elements)/|webyep\.php)" "chain,id:390157,rev:1,severity:2,msg:'JITP: WebYep webyep_sIncludePath File Inclusion Vulnerabilities'"
SecFilterSelective ARG_webyep_sIncludePath "((ht|f)tps?:/|\.\./\.\.)"

#Travelsized CMS "setup_folder" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "frontpage\.php" "chain,id:390158,rev:1,severity:2,msg:'JITP: Travelsized CMS setup_folder File Inclusion Vulnerabilities'"
SecFilterSelective ARG_setup_folder "((ht|f)tps?:/|\.\./\.\.)"

#VideoDB "config[pdf_module]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "core/pdf\.php" "chain,id:390159,rev:1,severity:2,msg:'JITP: VideoDB File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "config\[pdf_module\].*((ht|f)tps?:/|\.\./\.\.)"

#AllMyGuests "_AMGconfig[cfg_serverpath]" File Inclusion
SecFilterSelective REQUEST_URI "signin\.php" "chain,id:390160,rev:1,severity:2,msg:'JITP: AllMyGuests File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "_AMGconfig\[cfg_serverpath\].*((ht|f)tps?:/|\.\./\.\.)"

#OpenBiblio Local File Inclusion and SQL Injection
SecFilterSelective REQUEST_URI "shared/(header|help)\.php" "chain,id:390161,rev:1,severity:2,msg:'JITP: OpenBiblio File Inclusion Vulnerabilities'"
SecFilterSelective ARGS "(((ht|f)tps?:/|\.\./\.\.)|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"

#BasiliX "BSX_LIBDIR" File Inclusion Vulnerabilities
SecFilterSelective REQUEST_URI "\.php" "chain,id:390162,rev:1,severity:2,msg:'JITP: BasiliX BSX_LIBDIR File Inclusion Vulnerabilities'"
SecFilterSelective ARG_BSX_LIBDIR "((ht|f)tps?:/|\.\./\.\.)" 

#PowerPortal "file_name[]" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "index\.php" "chain,id:390163,rev:1,severity:2,msg:'JITP: Powerportal File Inclusion Vulnerabilities'"
SecFilterSelective REQUEST_URI "file_name\[\].*((ht|f)tps?:/|\.\./\.\.)" 

#DeluxeBB "templatefolder" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/templates/.*/.*/.*\.php" "chain,id:390164,rev:1,severity:2,msg:'JITP: DeluxeBB teplatefolder File Inclusion Vulnerabilities'"
SecFilterSelective ARG_templatefolder "((ht|f)tps?:/|\.\./\.\.)" 

#TagIt! Tagboard "page" File Inclusion Vulnerability
SecFilterSelective REQUEST_URI "/index\.php" "chain,id:390165,rev:1,severity:2,msg:'JITP: Tagit page File Inclusion Vulnerabilities'"
SecFilterSelective ARG_page "(ht|f)tps?:/" 

#
SecFilterSelective ARG_doc_directory "(ht|f)tps?:/" 
# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Proxy Protection Security Rules
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/proxy.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Version: N-20051213-01
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.


#--------------------------------
# notes
#--------------------------------
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules


#--------------------------------
#start rules
#--------------------------------
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*217\.106\.232\.38"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*65\.54\.190\.230"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*66\.96\.85\.136"
SecFilterSelective THE_REQUEST "msa-mx.*\.hinet\.net"
SecFilterSelective THE_REQUEST "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^GET (http|https|ftp)\:/"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"

#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"

#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "

# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Search Engine Recon/Google Hacks Security Rules
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/recons.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.

# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules


SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/guery Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl"
# http://www.gotroot.com/mod_security+rules
# Known rootkits, remote toolkits, etc. signatures
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Version: N-20061009-02
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.

SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkit Defacing Tool 2.0
SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"

#new kir
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecFilterSelective THE_REQUEST   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"

#Frantastico worm
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecFilterSelective REQUEST_URI   "/iblis\.htm\?" 
SecFilterSelective REQUEST_URI   "/gif\.gif\?" 
SecFilterSelective REQUEST_URI   "/go\.php\.txt\?" 
SecFilterSelective REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/zehir\.asp"
SecFilterSelective REQUEST_URI   "/aflast\.txt\?"
SecFilterSelective REQUEST_URI   "/sikat\.txt\?&cmd" 
SecFilterSelective REQUEST_URI   "/t\.gif\?" 
SecFilterSelective REQUEST_URI   "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI   "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI   "/lukka\?&"

#new kit
SecFilterSelective REQUEST_URI   "/c99shell\.txt"
SecFilterSelective REQUEST_URI   "/c99\.txt\?"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="

#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"

#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"

#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"

#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"

#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"

#22feb
SecFilterSelective REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"

#24mar
SecFilterSelective REQUEST_URI   "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI   "\.asp\?.*theAct=inject&thePath="

#some broken attack program
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"

SecFilterSelective REQUEST_URI "/r57en\.php"

#c99 rootshell
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

#generic shell
SecFilterSelective REQUEST_URI "shell\.txt"

#bad scanner
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"

#wormsign
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

#New SEL attack seen
SecFilterSelective THE_REQUEST "select.*from.*information_schema\.tables"

#New SQL attack seen
SecFilterSelective REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Application Security Rules
#
# modsecurity is trademark of Thinking Stone, Ltd.
#
# Version: N-20061013-02
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS 
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
# THE POSSIBILITY OF SUCH DAMAGE.

#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 1.9.x and above only

#--------------------------------
#start rules
#--------------------------------
SecFilterSelective REQUEST_URI ".*" "id:330000,rev:1,pass,log,severity:1,msg:'Notice:  The rules you are running are extremely out of date, visit http://www.gotroot.com to download supported and up to date rules.'"

#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Only accept request encodings we know how to handle
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" 

#Block WebDav PUTS
#Comment this rule out if you need WebDAV
SecFilterSelective REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'"

#Generic rule for allowed characters, adjust for your site before activating
#SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:390002,rev:1,severity:2,msg:'Restricted HTTP character set'"


# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#HTTP response spilting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"

#HTTP response spilting generic sigs
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"

#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"


#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecFilterSelective HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"

##generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective REQUEST_URI "\.\./\.\./"
#generic path recurision sig


#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"

#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+\;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI|POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#generic XSS PHP attack types
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"


#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Prevent command injection through cookies
SecFilterSelective COOKIE_VALUES "\; cmd="

#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

#simple buffer overflow protection
#there is an issue with positives with this, so use with care
#SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult 
# to prevent false postives and negatives.  
# Pplease report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 

#Meta character SQL injection
SecFilterSelective REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecFilterSelective ARGS_VALUES compress\.zlib:

#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecFilterSelective ARGS "(ht|f)tps?:/"  chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"  chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"


#Genenric PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!(/do_command)" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"

#generic command line attack
SecFilterSelective REQUEST_URI|ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
SecFilterSelective THE_REQUEST  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attach generic signature
SecFilterSelective REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a" 

#Generic argument protection rule against bad meta characters
#SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"

#generic php attack sigs
SecFilterSelective REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/id" chain
SecFilter "\x20" 

# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST  "/bin/echo" chain
SecFilter "\x20" 

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST  "/bin/kill" chain
SecFilter "\x20" 

# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST  "/bin/chmod" chain
SecFilter "\x20" 

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST   "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST  "gcc" chain
SecFilter "x20-o" 

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/cc" chain
SecFilter "\x20" 

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/cpp" chain
SecFilter "\x20" 

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/g\+\+" chain
SecFilter "\x20" 

# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST  "g\+\+\x20" chain
SecFilter "\x20" 

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST  "bin/python" chain
SecFilter "\x20" 

# WEB-ATTACKS python access attempt
#SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST  "traceroute" chain
SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST  "/bin/ping" chain
SecFilter "\x20" 

# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST  "/bin/mail" chain
SecFilter "\x20" 

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20" 

# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST  "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST  "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST  "\.htpasswd" 

# WEB-MISC /etc/passwd access
SecFilterSelective REQUEST_URI  "/etc/passwd" 

# WEB-MISC nessus 1.X 404 probe
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_" 

# WEB-MISC nessus 2.x 404 probe
SecFilterSelective REQUEST_URI "/NessusTest" 

# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST  "ls" chain
SecFilter "\x20-l" 

# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST "////////" 

#musicat empower attempt
SecFilterSelective REQUEST_URI "/empower\?DB="

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI "/*\x0a\.pl" 

#PHPBB worm sigs
SecFilterSelective REQUEST_URI "!(tiki-searchindex\.php)" chain
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" 

#PHP defenses
SecFilterSelective ARGS_NAMES "^(globals($|\[)|php:/)"

#PHP defenses
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecFilterSelective COOKIE_sessionid "!^[0-9a-z\.]*$"

# Web-attacks chdir
SecFilterSelective REQUEST_URI "&(cmd|command)=chdir\x20"

# TIKIWIKI
SecFilterSelective REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25 

#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#Command inline detection
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#very experimental connect command sig
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Commands, also need a major rework, these also have issues
SecFilterSelective REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecFilterSelective THE_REQUEST "echo\x20" 
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
#SecFilterSelective THE_REQUEST "mkdir\x20" 
SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)" 

SecFilterSelective THE_REQUEST "cd \.\." 
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 

#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST "fwrite" chain
SecFilterSelective THE_REQUEST "fopen" 

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective ARGS_NAMES "^php:/"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# WEB-MISC whisker HEAD/./
#SecFilter "HEAD/./"

# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"

#experimental CSS rule
#SecFilterSelective REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*="

#cross site scripting attempt TYPE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript"

#cross site scripting attempt STYLE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript"

#cross site scripting attempt STYLE + JSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript"

# cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript"

#cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript"

#cross site scripting attempt STYLE + ECMACRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript"

# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\("

#cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"

# cross site scripting attempt using XML
SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecFilterSelective THE_REQUEST "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img src=javascript"

#Apache /server-info accessible
SecFilterSelective REQUEST_URI   "/server-info" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecFilterSelective REQUEST_URI "^/server-status/$" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST "/\?cwd=/"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecFilter "\'\,\'\'\)\)\;"
SecFilter "\<param\>\<name\>.*\'\)\;"

#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecFilter "methodCall\>"

#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
#SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"

#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx"
SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#Virus HTTP Challenge/Reponse Auth
SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain
SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"

#catch smuggling attacks
SecFilter "^(GET|POST).*Host:.*^(GET|POST)" 

#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"

#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"

#Generic Nessus request filter
SecFilterSelective THE_REQUEST "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"

#Generic XML RPC attack sig
SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;"

#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"

#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"

#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI "\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"

#Fake image file shell attacvk
SecFilterSelective HTTP_Content-Type "image/.*"
SecFilterSelective POST_PAYLOAD "chr\("

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$"
SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecFilterSelective THE_REQUEST "fp=fopen\("
# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# User Agent Security Rules
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Version: N-20061014-01
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.

# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download up to date and supported rules



#Comment spam header line
SecFilter "x-aaaaaa.*"
SecFilterSelective POST_PAYLOAD "X-AAAAAA.*"

#check for bad meta characters in User-Agent field
#SecFilterSelective HTTP_USER_AGENT ".*\'"

#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"

#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)" 
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"

#recursion attack in UA field
SecFilterSelective HTTP_USER_AGENT "\.\./\.\."

#May cause false positives with some software, comment out if it does
#SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST|HTTP_Accept" "^$"

#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

#Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

#Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S  G O T T A  H U R T*"

#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"

#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp

#Web leaches
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" 
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" 
SecFilterSelective HTTP_USER_AGENT "CheeseBot" 

#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$"

#Bogus IE UA line
SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$"

#Bogus UA
SecFilterSelective HTTP_USER_AGENT "FooBar/42"

#Nessus Vuln scanner UA
SecFilterSelective HTTP_USER_AGENT "Mozilla.*Nessus"

#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"

#BAd/Bogus UAs
SecFilterSelective HTTP_USER_AGENT "Indy Library"
SecFilterSelective HTTP_USER_AGENT "Faxobot"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL"

#Spam spinder UAs
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser"

#VB development library used by many spammers, might block legite VBscripts
#comment out if you have problems
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak"

#Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT"

#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out.  If you are a member of the Microsoft Site 
#Builder Network, you probably do NOT want to block this ID.
#SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
#SecFilterSelective HTTP_USER_AGENT  "^Microsoft URL"

#e-mail collectors and spammers
SecFilterSelective HTTP_USER_AGENT "WebBandit"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE"
SecFilterSelective HTTP_USER_AGENT "Telesoft*"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*"
SecFilterSelective HTTP_USER_AGENT NICErsPRO
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*"
SecFilterSelective HTTP_USER_AGENT EmailWolf

#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"

#MArketing spiders
SecFilterSelective HTTP_USER_AGENT  "Zeus .*Webster Pro*"

#Poker spam
SecFilterSelective HTTP_USER_AGENT  "8484 Boston Project"

#collectors
SecFilterSelective HTTP_USER_AGENT  "autoemailspider"
SecFilterSelective HTTP_USER_AGENT  "ecollector"
SecFilterSelective HTTP_USER_AGENT  "grub crawler"

#referrer spam, not the real weblogs
SecFilterSelective HTTP_USER_AGENT  "^www\.weblogs\.com"

#spam bots
SecFilterSelective HTTP_USER_AGENT  "DTS Agent"
SecFilterSelective HTTP_USER_AGENT  "POE-Component-Client"
SecFilterSelective HTTP_USER_AGENT  "WISEbot"
SecFilterSelective HTTP_USER_AGENT  "^Shockwave Flash"
SecFilterSelective HTTP_USER_AGENT  "Missigua"

#comment spam sign
SecFilterSelective HTTP_USER_AGENT  "compatible \; MSIE"

#Some regexps to catch silly bots
SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain
SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"

#spammer
SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1"
SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru"

#Fake Gameboy UA
SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo"

#bogus amiga UA
SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4"

#exploit UA
SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0"

#bogus googlebot UA
SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot"

#recently caught sending spam referrals, from their actual crawler IP
SecFilterSelective HTTP_USER_AGENT "BecomeBot"

#Suverybot
#SecFilterSelective HTTP_USER_AGENT "SurveyBot"

#exploit
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\."
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider"

#WebvulnScan
SecFilterSelective HTTP_USER_AGENT "WebVulnScan"

#broken spam tool
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"

#PHPBB worm UA
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX"

#fake UA
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent"

#exploit
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer"

# Bad Spider
SecFilterSelective HTTP_USER_AGENT "hl_ftien_spider"

# PMAFind 
SecFilterSelective HTTP_USER_AGENT "PMAFind"

#MS WebDav
#If you do not allow webdav, this is useful to catch some webdav PUT attacks
SecFilterSelective HTTP_USER_AGENT "Microsoft Data Access Internet Publishing Provider"