Signature analysis

Using rules.bin, the signature analysis of Nemesida WAF Free provides basic protection for web applications against hacker attacks (scanning, unskilled attempts to find or exploit vulnerabilities). At the same time, signature analysis cannot detect modified, complex or new types of attacks, for example:
un","ion se","lect
unIO%6e/*a*/selEC%74
(sy.(st).em)(ls)
%2f???%2f??t%20%2f???%2fp??s??
cat+/e't'c/pa'ss'wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bash
ec'h'o 'cat /etc/examplewd' | sed 's/example/pass/g' | bash
For high-quality protection of web applications (websites, online marketplaces, APIs, etc.), including against zero-day attacks, use the full-featured version of Nemesida WAF with the machine learning module.

The rules.bin

Rule ID Type Signature Tag Score Match zone
1RLnwaftestOther12BODY|URL|ARGS|HEADERS
31RLx(\d+\s*,\s*){4,}SQLi4BODY|URL|ARGS|HEADERS
32RLx\W&&\WSQLi2BODY|URL|ARGS|HEADERS
33RLx\W@@\wSQLi2BODY|URL|ARGS|HEADERS
34RLx\W\|\|\WSQLi2BODY|URL|ARGS
35RLx\{\{(.+?)\}\}RCE8ARGS
36RL$(RCE2BODY|URL|ARGS|HEADERS
37RL${RCE2BODY|URL|ARGS|HEADERS
39RL/*SQLi1BODY|URL|ARGS|Cookie|User-agent
40RL*/SQLi1BODY|URL|ARGS|Cookie|User-agent
51RL;SQLi2URL|ARGS
52RL'SQLi2URL|ARGS|User-Agent
53RL?Evasion2URL|ARGS|User-agent
54RL['#RCE8URL
55RL\'%SQLi2BODY|URL|ARGS
56RL%\'SQLi2BODY|URL|ARGS
57RLx(\.)+(\\|\/)+(\.)+(\\|\/)+LFI8BODY|URL|ARGS|HEADERS
58RL=\"SQLi2BODY|URL|ARGS
59RL=\'SQLi2BODY|URL|ARGS
60RL*\'SQLi4BODY|URL|ARGS
61RL!=SQLi6URL|ARGS
66RL\\Evasion2BODY|URL|ARGS
67RL../Injection8BODY|URL|ARGS|HEADERS
68RL--SQLi2BODY|URL|ARGS|User-agent
69RL#SQLi2BODY|URL|ARGS|Cookie|User-agent
71RL..\..\LFI8BODY|URL|ARGS|HEADERS
73RL%EFEvasion0MLA
74RLx\\x[0-9a-z]{2,2}Evasion0MLA
75RLx%[01][0-9a-f]Evasion0MLA
76RLx(\\|%)u[0-9a-z]{4,}Evasion0MLA
77RL././LFI8BODY|URL|ARGS|HEADERS
78RLx%(c0|7f)Evasion0MLA
98RLx[&=<]\.0XSS6BODY|URL|ARGS
99RLx[\^<>]0\.XSS6BODY|URL|ARGS
100WLxsitemap[\w\-\.]+\.gz$WL0URL
101WLx(\d+\s*,\s*){4,}WL0Cookie|Referer
104WLxutm_referrer=https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}WL0ARGS
105WLx\-+\wWL0Content-Type
106WLxn--p1aiWL0BODY|URL|ARGS|HEADERS
107WLfile://WL0Origin
109WL?from=WL0ARGS
110WL<?xmlWL0BODY
111WLx\{\{[\w.]+}\}WL0ARGS
500RL/.sourceXSS12BODY|URL|ARGS
502RLx(\s|\.)src(\s|\+)*=XSS4BODY|URL|ARGS|HEADERS
504RLx(^|\W)eval\(|@eval\WXSS12BODY|URL|ARGS|HEADERS
505RLx<svg(\s|\+)XSS4BODY|URL|ARGS|HEADERS
508RLx(^|\W)alert(\.(call|apply|bind|valueof))?[\(\`\&]XSS12BODY|URL|ARGS|HEADERS
509RLsymbol.replaceXSS8BODY|URL|ARGS|HEADERS
510RLxarray\.(map|from)XSS8BODY|URL|ARGS|HEADERS
511RLx(^|\W)document(\.[a-z]+)+\(XSS12BODY|URL|ARGS|HEADERS
512RL</noscriptXSS4BODY|URL|ARGS|HEADERS
513RL</xmpXSS4BODY|URL|ARGS|HEADERS
514RL</styleXSS4BODY|URL|ARGS|HEADERS
515RL</scriptXSS12BODY|URL|ARGS|HEADERS
516RLx<img(\s|\+)XSS4BODY|URL|ARGS|HEADERS
517RLx<base(\s|\+)XSS4BODY|URL|ARGS|HEADERS
518RLx<i?frame(\s|\+)XSS6BODY|URL|ARGS|HEADERS
528RLx(^|\W)on(error|load|loadstart|cut|focus|click|begin|wheel|blur|change|input|reset|select|down|keypress|keyup|paste|copy|toggle|xonpointerenter)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
532RLxonmouse(down|enter|leave|move|out|over|up|wheel)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
534RL</titleXSS2BODY|URL|ARGS|HEADERS
535RLsvg>XSS4BODY|URL|ARGS|HEADERS
536RL<<XSS4URL|ARGS
537RLx<script(\s|\+|\/|\>)XSS12BODY|URL|ARGS|HEADERS
538RL>>XSS4URL|ARGS
540RLx(^|\W)on(aux|dbl)click(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
542RLx(^|\W)ontouchcancel(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
543RLx(^|\W)set(Timeout|Interval|Immediate)\(XSS12BODY|URL|ARGS|HEADERS
544RLx(^|\W)execscript\(XSS12BODY|URL|ARGS|HEADERS
545RLcrypto.generateCRMFRequestXSS12BODY|URL|ARGS|HEADERS
548RLRange.createContextualFragmentXSS12BODY|URL|ARGS|HEADERS
549RLxwindow[?]?\.(location|alert|name)XSS12BODY|URL|ARGS|HEADERS
550RLxdocument\.(location|domain|cookie)XSS12BODY|URL|ARGS|HEADERS
551RLx(^|\W)location(\.[a-z]+)+\(XSS12BODY|URL|ARGS|HEADERS
552RLx(^|\W)history(\.[a-z]+)+\(XSS12BODY|URL|ARGS|HEADERS
553RLx(^|\W)(local|session)Storage\(XSS12BODY|URL|ARGS|HEADERS
554RL<svg/ontoggleXSS12BODY|URL|ARGS|HEADERS
555RLx(^|\W)createElement\(XSS12BODY|URL|ARGS|HEADERS
1000RLx[^-:=\.\w\|]where[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1001RLx[^-:=\.\w\|]update[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1002RLx[^-:=\.\w\|]table[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1003RLxgroup[^-:=\.\w\|/]+bySQLi2BODY|URL|ARGS|HEADERS
1005RLxorder[^-:=\.\w\|]+bySQLi3BODY|URL|ARGS|HEADERS
1006RLx[^-:=\.\w\|]limit[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1007RLx[^-:=\.\w\|]select[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1008RLx[^-:=\.\w\|]insert[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1010RLx[^-:=\.\w\|]truncate[^-:=\.\w\|]SQLi3BODY|URL|ARGS|HEADERS
1011RLx(^|\W)benchmark\(SQLi4BODY|URL|ARGS|HEADERS
1012RLx(^|\W)((var)?char|chr)\W*[(@]+[\d\s]SQLi12BODY|URL|ARGS|HEADERS
1016RLx[^-:=\.\w\|]if[^-:=\.\w\|]SQLi2BODY|URL|ARGS|HEADERS
1021RLxselect[^-:=\.\w\|]{1,50}(.|\s){0,50}fromSQLi8BODY|URL|ARGS|HEADERS
1023RLextractvalueSQLi4BODY|URL|ARGS|HEADERS
1024RLx(^|\W)concat\(SQLi12BODY|URL|ARGS|HEADERS
1025RLupdatexmlSQLi4BODY|URL|ARGS|HEADERS
1026RLx(^|\W)system\(RCE8BODY|URL|ARGS|HEADERS
1027RLx(^|\W)extractvalue\(SQLi6BODY|URL|ARGS|HEADERS
1028RLx(^|\W)elt\(SQLi6BODY|URL|ARGS|HEADERS
1031RLx(encode|decode)\W*[\(\)]SQLi12BODY|URL|ARGS|HEADERS
1032RLgroup_concatSQLi4BODY|URL|ARGS|HEADERS
1033RLx\Wrlike\(SQLi6BODY|URL|ARGS|HEADERS
1034RLx[^-:=\.\w\|]database[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1035RLsystem_userSQLi6BODY|URL|ARGS|HEADERS
1036RLversion()SQLi8BODY|URL|ARGS|HEADERS
1037RLx(^|\W)not\W+in\(SQLi6BODY|URL|ARGS|HEADERS
1038RLxjson(_\w+){1,2}\(SQLi6BODY|URL|ARGS|Cookie
1039RLx[^-:=\.\w\|]contains[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1040RLx[^-:=\.\w\|]sleep[^-:=\.\w\|]SQLi6BODY|URL|ARGS|HEADERS
1042RLtable_nameSQLi6BODY|URL|ARGS
1043RLx\`\`\s*\`\`SQLi2BODY|URL|ARGS
1044RLtable.nameSQLi6BODY|URL|ARGS
1045RLisnullSQLi2BODY|URL|ARGS|HEADERS
1046RLx_(en|de)crypt\(SQLi6BODY|URL|ARGS|HEADERS
1049RLcreate_digestSQLi6BODY|URL|ARGS|HEADERS
1050RLxlog\d+\W*(\(|\))SQLi8URL|ARGS
1053RLx/(bin|sbin)/Other4BODY|URL|ARGS|HEADERS
1055RLto_base64SQLi6BODY|URL|ARGS|HEADERS
1056RLx[^-:=\.\w\|]replace[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS
1057RLmaster_pos_waitSQLi8URL|ARGS
1059RLstr_replaceSQLi8BODY|ARGS
1060RLuser_metaSQLi8BODY|URL|ARGS
1061RLregexpSQLi2BODY|ARGS
1063RLx\d+[\'\`]SQLi8URL
1064RLwp_commentSQLi8BODY|URL|ARGS
1065RLwp_usermetaSQLi8BODY|URL|ARGS
1066RLwp_postSQLi8BODY|URL|ARGS
1067RLwp_termSQLi8BODY|URL|ARGS
1068RLwp_userSQLi8BODY|ARGS
1069RLwp_optionsSQLi8BODY|ARGS
1072RLx(^|\W)print(_r|ln)?\(SQLi12BODY|URL|ARGS|HEADERS
1075RLx\d\'\s*\w+=(\d+|\')SQLi12URL|ARGS
1077RLx=(\-\w+|\w+[\'\)\"])(.|\s){0,30}\s+where\s+(.|\s){0,30}\s+(OR|AND)SQLi12BODY|URL|ARGS|HEADERS
1078RLxctx=web\&cache_filename=.+\.php.+IMresizedData=\<\?phpSQLi12BODY
1081RLx\w+=\d+\'($|\s)SQLi12URL|ARGS
1085RLx\d+[\'\`]SQLi2BODY|ARGS|HEADERS
1086RLx(\b(m(s(ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(ys(\.database_name|aux)\b|chema(\W*\(|_name\b)|qlite(_temp)?_master\b)|d(atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))SQLi8BODY|URL|ARGS|HEADERS
1087RLxsleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.{0,50}?),(.{0,50}?)\)SQLi12BODY|URL|ARGS|HEADERS
1088RLx(((select|;)\s+(benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))SQLi12BODY|URL|ARGS|HEADERS
1090RLx((alter\s*?\w+.{0,50}?(character|char)\s+set\s+\w+)|([\"'`];*?\s*?waitfor\s+(time|delay)\s+[\"'`])|([\"'`];.{0,50}\s*?\Wgoto\W))SQLi8BODY|URL|ARGS|HEADERS
1091RLx(^|\W)union(.|\s){1,50}select(.|\s){1,50}from\WSQLi12BODY|URL|ARGS|HEADERS
1092RLx((select\s*?pg_sleep)|(waitfor\s*?delay\s?[\"'`]+\s?\d)|(;\s*?shutdown\s*?(;|--|#|/\*|{)))SQLi8BODY|URL|ARGS|HEADERS
1093RLx((\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))SQLi12BODY|URL|ARGS|HEADERS
1094RLx((procedure\s+analyse\s*?\()|(;\s*?(declare|open)\s+[\w-]+)|(create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))SQLi8BODY|URL|ARGS|HEADERS
1096RLxxp_(servicecontrol|regread|regwrite|regdeletevalue|regdeletekey|fileexist|enumerrorlogs|readerrorlogs|enumdsn|enumgroups|ntsec_enumdomains)SQLi12BODY|URL|ARGS|HEADERS
1099RLx(^|&)src=[^&]*?(http|ftp)SQLi12URL
1100RLx[?&]home=[^&]*?(http|ftp)Other12URL
1102RLx[?&]size=[^&]*?\x3bSQLi12ARGS
1104RLaction=getTopicSQLi8BODY
1105RLx\[\#markup\]\=\S+\s+\S+RCE12BODY|URL|ARGS
1107RLfound_rowsSQLi8URL|ARGS
1108RLtcelesSQLi4URL|ARGS|Cookie
1109RLxinformation(_|\.)schemaSQLi12BODY|URL|ARGS|HEADERS
1110RLx(\s|\+)(infile|outfile|dumpfile)(\s|\+)SQLi8BODY|URL|ARGS|HEADERS
1111RLnoinuSQLi4URL|ARGS
1112RLsubstring%SQLi8BODY|URL|ARGS|HEADERS
1115RL@@versionSQLi8BODY|URL|ARGS|HEADERS
1116RLschemaSQLi6URL|ARGS
1117RLdatadirSQLi8BODY|URL|ARGS|HEADERS
1118RLhostnameSQLi4BODY|URL|ARGS|HEADERS
1119RLrowcountSQLi4BODY|URL|ARGS|HEADERS
1120RLx\s;\sSQLi8URL|ARGS
1121RLcoercibilitySQLi8URL|ARGS
1123RLCOLLATIONSQLi8URL|ARGS
1124RLCONNECTION_IDSQLi8URL|ARGS
1125RLcurrent_userSQLi8URL|ARGS
1126RLlast_insert_idSQLi8URL|ARGS
1127RLrow_countSQLi8URL|ARGS
1128RLsession_userSQLi8URL|ARGS
1129RL@userSQLi8URL|ARGS
1130RLx/%?\*(.|\s){0,50}\*%?/SQLi6URL|ARGS
1131RLx/%?\*(.|\s){0,50}\*%?/SQLi2BODY
1132RLx((/%?\*(.|\s){0,50}\*%?/)(.|\s){0,50}){3,}SQLi12BODY|URL|ARGS|HEADERS
1133RLxname\[\d+.{20,}\]SQLi12BODY
1134RLxadmin(istrator)?'--SQLi12BODY|URL|ARGS|HEADERS
1136RLx^(file|ftps?|https?)://(.{0,500})$SQLi8ARGS
1137RLx%0(.|\s){0,50}([a-z]%){3,}SQLi12BODY|URL|ARGS|HEADERS
1138RLx(%\w%.{0,50}){5,}SQLi8BODY|URL|ARGS|HEADERS
1139RLvalidate_password_strengthSQLi8URL|ARGS
1141RLlibraryContentSQLi8BODY
1142RLbase64_decodeSQLi8BODY
1143RLglobals[RCE8BODY|URL|ARGS
1144RLx(^|\W)response\.(write|flush|clear)\(Injection12BODY|URL|ARGS|HEADERS
1145RLx\w=\/?\.{1,2}(\\|\/)LFI8BODY|ARGS|Referer
1311RL<?RCE4BODY
1312RL?>RCE4BODY
1313RL<?phpRCE12BODY|URL|ARGS|HEADERS
1314RLx\$_\w+\[Other12BODY|URL|ARGS|HEADERS
1316RLget_defined_functionsRCE12BODY|URL|ARGS|HEADERS
1317RL_PHPLIB[libdir]Other8BODY|URL|ARGS|HEADERS
1318RLxauto_prepend_file|auto_append_fileRFI12URL|ARGS
1322RLburpcollaborator.netScanner12BODY|URL|ARGS|HEADERS
1324RLconstructor.constructorOther8BODY
1352RLXAttacker.phpOther12BODY|URL|ARGS
1359RLx\%0(0|A|D)Evasion12URL|ARGS
1397RLxinclude.?dir\x3DOther12URL
1398RLxpath=(https?|ftps?|php)Other12URL
1399RLxphp\?goto=(https?|ftps?|php)RFI12URL
1431RLx/(admin/addcontent\.inc|images/psg)\.phpOther12URL
1433RL$padd = str_repeat(|22|A|22|, 196)Other8BODY|URL|ARGS|HEADERS
1434RL$evil = $padd.$payloadOther8BODY|URL|ARGS|HEADERS
1459RLsvg>XSS3BODY
1491RLx[^-:\.\w\|]exec[^-:\.\w\|/]Injection12BODY|URL|ARGS|HEADERS
1493RLx(^|\W)die\(RCE12BODY|URL|ARGS|HEADERS
1494RLaction=after_upload_completeOther8BODY|ARGS
1497RLx(.{1,50}\(.{1,50}\)){3,}Other12URL
1500RLx\.(.{0,250})~($|\s)UWA12URL
1501RLxsrc=https?\x3a\x2f[^\x26\x20]*?(\x24\x28|%24%28)UWA12URL|ARGS
1502RL.vscodeOther12URL
1505RLx\.(gemfile|gemfile|rb|irbrc)($|\s|\:)UWA12URL
1506RLx\.(bzr|project|sublime(-workspace)?|md|svn|gitkeep|s3cfg|(git|hg|cvs)(ignore)?|subversion|csproj|(ftp)?config|cfg|atom|vb|vscode|circleci|npmrc)($|\s|\/|\:)UWA12URL
1512RLx\.php[^3-7\/s][\w\-\_~]*(\.\w+)?$UWA12URL
1513RLx\.(py|pl|cgi)($|\s|\:)UWA8URL
1515RL.ds_storeUWA12URL
1516RLx\.(jar|jsp|jspx|jspf|java|coffee|war|yml|cfm)($|\s|\:)UWA12URL
1517RLx\.(conf|ssh|ini|inc|env|inc|viminfo|properties|dead\.letter|passwd|schema)($|\s|\:)UWA8URL
1518RLx\.(phpinc|save|sav|swp|swo|lock|old|orig|log|tmp|temp|restore|suspected)($|\s|\:)UWA12URL
1519RLx\.(bz2|gz|tar|xz|lzma)($|\s|\:)UWA4URL
1521RLsftp-config.jsonUWA12URL
1522RL.idea/UWA12URL
1523RLx^/wp-content/plugins/($|\s)UWA12URL
1524RLx/wp-content/plugins/.{1,50}/cache/UWA12URL
1526RLx\.(mdb|db|sqlite|sql)($|\s|\:)UWA12URL
1528RLxid_(rsa|dsa)\.ppk($|\s|\:)UWA12URL
1559RLxetc/(passwd|shadow)UWA12BODY|URL|ARGS|HEADERS
1560RLsystem.iniUWA12URL
1561RLx\.(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh|sh_history)($|\s|\:)UWA12URL
1562RLx\.(bat|exe|dll|dat)($|\s|\:)UWA12URL
1808RLcomposer.jsonUWA8URL
1810RLx%commonprogramfiles%|%programdata%|%programfiles%UWA12URL|ARGS
1811RLx%psmodulepath%|%public%|%appdata%|%localappdata%UWA12URL|ARGS
1812RLx%allusersprofile%|%userdata%|%username%|%userprofile%UWA12URL|ARGS
1813RLx%homedrive%|%homepath%UWA12URL|ARGS
1814RLx%homedrive%|%homepath%UWA12URL|ARGS
1816RLx%systemdrive%|%systemroot%|%windir%|%comspec%UWA12URL|ARGS
1818RLx%PATH%|%PATHEXT%UWA8URL|ARGS
1819RLx%COMPUTERNAME%|%LOGONSERVER%|%PROMPT%|%USERDOMAIN%UWA8URL|ARGS
1820RLdb_details_importdocsql.phpUWA8URL
1821RLx/(global|dnewsweb|swsrv|ikonboard)\.cgiUWA8URL
1822RL/math_sum.mscgiUWA8URL|ARGS
1823RLx/(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh)($|\s)UWA12URL|ARGS
1826RLx\/(math_sum.mscgi|htsearch|printenv|db2www|document.d2w)UWA12URL
1827RL/admentor/admin/admin.aspUWA8URL
1830RL/timthumb.phpUWA4URL
1831RL/timthumbdir/cacheUWA4URL
1832RL/w3tc/dbcacheUWA8URL
1834RLphp://UWA12BODY|URL|ARGS|HEADERS
1835RLftp://UWA12BODY|URL|ARGS|HEADERS
1836RLzlib://UWA12BODY|URL|ARGS|HEADERS
1837RLdata://UWA12BODY|URL|ARGS|HEADERS
1838RLglob://UWA12BODY|URL|ARGS|HEADERS
1839RLphar://UWA12BODY|URL|ARGS|HEADERS
1840RLfile://UWA8BODY|URL|ARGS|HEADERS
1841RL/cfide/componentutilsUWA12URL
1842RL/mysqldumperUWA12URL
1843RLxphp(pg|my)adminUWA12URL
1845RL/bin/shUWA12BODY|URL|ARGS|HEADERS
1846RL.htpasswdUWA12URL|ARGS
1847RL.htaccessUWA12URL|ARGS
1848RLwhitelist.pacUWA12URL
1849RLproxy.pacUWA12URL
1850RL(?p=b)((?p=b)(?j:(?p<b>c)(?p<b>a(?p=b)))>wgxcredits)UWA12BODY|ARGS|HEADERS
1851RL0000::1UWA12X-Forward-For
1852RL127.0.0UWA12X-Forward-For
1853RL(?j:(?|(:(?|(?'r')(\k'r')|((?'r')))h'rk'rf)|s(?'r'))))UWA12HEADERS
1854RL/var/www/UWA12URL|ARGS
1856RL/philboard_admin.aspUWA12URL|ARGS
1857RL/cgi-bin/lsUWA8URL|ARGS
1860RL/wp-includes/rss-functions.phpUWA12URL
1861RL/wp-content/themes/RightNow/includes/uploadify/upload_settings_image.phpUWA12BODY
1866RLxstdin|stdout|stderrUWA4BODY|URL|ARGS|HEADERS
1868RLX-Pingback-Forwarded-For:UWA8X-Forward-For
1869RLx/dev/(tcp|udp)UWA12BODY|ARGS|HEADERS
1870RL/sqlite/main.phpUWA12URL|ARGS
1871RLx(^|\W)phpinfo\(Injection12BODY|URL|ARGS|HEADERS
1872RLx/~(root|ftp|nobody)UWA12BODY|URL|ARGS
1873RL/htmlscriptUWA12URL
1876RL/post-queryUWA8URL
1877RL%COMMONPROGRAMFILES|40|x86|41|%UWA12URL|ARGS
1879RLx[^/]https?:/UWA12URL
1882RLjavascript:XSS12BODY|URL|ARGS
1883RL/DatabaseFunctions.phpUWA8URL
1884RL/GlobalFunctions.phpUWA8URL
1885RL/UpdateClasses.phpUWA8URL
1886RL/scripts/setup.phpUWA12URL
1887RLx(phpinfo|phpsysinfo)\.phpUWA12URL
1888RL/server_sync.phpUWA12URL
1891RLPageServicesUWA8URL|ARGS
1892RL/htgrepUWA8URL
1893RL/WEB-INFUWA6URL
1894RL/proc/self/UWA12BODY|URL|ARGS
1895RLphpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000UWA4ARGS
1896RLxphpe9568f3(4|5|6)-d428-11d2-a769-00aa001acf42UWA4ARGS
1897RLx/_vti_(adm|bin)/UWA12URL
1898RL/_vti_rpcUWA12URL
1899RL/server-statusUWA12URL
1900RL/balancer-managerUWA12URL
1901RL/host-manager/UWA12URL
1902RLfx29shcookUWA8URL
1903RLxact=\S+&(d|f)=UWA12BODY|ARGS
1904RLxact=(fxmailselfremove|encoder|eval|sql|phpinfo)UWA12BODY|ARGS
1905RLx_act=(execute|list\s+files|upload)UWA12BODY|ARGS
1906RLcmd_txt=1UWA8ARGS
1907RLc99.phpUWA12URL
1908RLx(\s|\+|#)cmd=UWA12BODY|URL|ARGS|HEADERS
1909RLxc999sh_surl|c999shvarsUWA12Cookie
1910RLwebconfig.txt.phpUWA12URL
1911RLwpad.datUWA12URL
1913RLcomposer.pharUWA8URL
1914RLxadminer.*\.phpUWA12URL
1915RLx(wso|r57|r57shell)\.phpUWA12URL
1917RL/admin/templates/header.phpUWA8URL
1918RL/soapcaller.bsUWA12URL
1919RL/plugin_googlemap2_proxy.phpUWA12URL
1920RL/images/stories/story.phpUWA12URL
1921RLx/plugins/system/.{1,50}\.phpUWA12URL
1922RL/.ssh/UWA12URL
1923RL/known_hostsUWA12URL
1924RL/authorized_keysUWA12URL
1925RLx\.(key|pem|id_rsa|id_dsa)($|\s)UWA12URL
1926RLx\.(sh|bash|nano|irb|psql|mysql)_history($|\s)UWA12URL
1927RLx\.(bac|bak|bkp|bkf|bkp|back|backup|bakup)($|\s)UWA12URL
1928RLx\.(history|histfile)($|\s)UWA12URL
1929RLproftpdpasswdUWA12URL
2100RLxnessus|acunetix|nmap|sqlmap|[nw]ikto|dirbuster|gobuster|w3af|webster|openvas|meterpreter|network-services-auditor|wpscan|hydra|XSpider|Nuclei|l9exploreScanner12User-agent
2101RLxabsinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|appscan_fingerprint|amiga-aweb|digimarc webreaderScanner12User-agent
2102RLxsql\s+power\s+injector|dav\.pm|prog.customcrawler|whcc|grendel-scan|masscanScanner12User-agent
2103RLxshellshock-scan|thanks-rob|WebCruiser|webinspect|whisker|chinaclaw|whatweb|wordpress hash grabberScanner12User-agent
2104RLxmysqloit|netsparker|paros|pavuk|uil2pn|friendly-scanner|sundayddr|zmeu|sqlspider|EvasionsScanner12User-agent
2105RLxapachebench|datacha0s|nv32ts|brutus|arachni|synapse|havij|sucuri|sitelock|scanalertScanner12User-agent
2106RLxhttp_get_vars|n-stealth|picscout|t34mh4k|webshag|mozilla/\d+\.\d+\s+sfScanner12User-agent
2107RL++++++++resultScanner12URL
2112RL/jmx-console/htmladaptorScanner12URL
2115RLxphp/\d+\.|python-httplib|winhttprequest|pymills-spider/|^\.Scanner1User-agent
2116RLinternal dummy connectionScanner12User-agent
2400RLbase64Evasion4URL|ARGS
2401RLcghwaw5mbygpoyagEvasion12BODY|URL|ARGS|HEADERS
2402RLhttp://http://Other12HEADERS
2403RLxboundary=\S+[,|;]Evasion12HEADERS
2404RLmid%Evasion8URL|ARGS
2405RLdualEvasion2URL|ARGS
2406RLstrcmp(RCE8URL|ARGS
2407RLx(\\[0-7]{1,3}){3,}Evasion8BODY|URL|ARGS|HEADERS
2409RLx(&#\d+;?){3,}Evasion12BODY|URL|ARGS|HEADERS
2411RLx(&#x[2-7]\w;(.|\s){0,50}){5,}Evasion12BODY|URL|ARGS|HEADERS
2413RLx(file|ftps?|https?)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})Evasion12ARGS
2414RLx((merge.{0,50}?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(match\s*?[\w(),+-]+\s*?against\s*?\())RCE8ARGS|Cookie
2415RLdata:imageEvasion12URL
2416RLx(^|\W)(un)?hex\(Evasion12BODY|URL|ARGS|HEADERS
2700RL.exec(RCE12BODY|ARGS|Content-Type
2702RL/invoker/ejbinvokerservletOther12BODY|URL
2703RLservice:wanipconnection:Other12BODY
2704RL/struts2-blank/RCE12URL
2705RLx<[\s\+]*![\s\+]*ENTITY[\s\+]+%*[\s\+]*[a-zA-Z1-9_-]*[\s\+]+SYSTEMOther12BODY
2706RLxmultipart/form-data;\s*boundary=[a-zA-Z0-9_-]{4000,}Other12Content-Type
2707RLjava.beans.eventhandlerRCE12BODY|ARGS
2708RLjava.lang.RCE12BODY|ARGS
2709RLtypo3_confOther12ARGS
2711RLx\(\s{0,50}\)\s{0,50}\{\s{0,50}\:Other12BODY|ARGS|HEADERS
2712RLname[0%20Other12BODY
2716RLxscript_fields.{0,50}import.{0,50}java\.utilRCE12BODY|ARGS
2717RLjava.io.RCE12BODY|ARGS
2718RLjava.util.RCE12BODY|ARGS
2719RLfill 'urlOther12BODY|URL|ARGS
2720RL$mftOther8BODY|ARGS
2721RLx\.\./|phpOther12ARGS|$URL:/components/com_hdflvplayer/hdflvplayer/download.php
2722RL.phOther12$URL:/uploader/server/php/
2723RLswp_url=httpOther12ARGS|$URL:/wp-admin/admin-post.php
2725RLsystem.listmethodsOther12$URL:/xmlrpc.php|BODY
2726RLsystem.getcapabilitiesOther12$URL:/xmlrpc.php|BODY
2727RLpingback.pingUWA12$URL:/xmlrpc.php|BODY
2728RLx['"`)][\s\+]*(OR|AND|\|\||\&\&)(\s+NOT)?[\s\+]+(.{1,25})[\s\+]*([\!\<\>]?\=|\<|\>)[\s\+]*(.{1,25})SQLi12BODY|URL|ARGS|User-agent
2729RLx(^|\W)((var)?char|chr)\W*=\W*["']SQLi12BODY|URL|ARGS|HEADERS
2730RLx(^|\W)name_const\(SQLi12BODY|URL|ARGS|HEADERS
2731WL%C0WL0Cookie
2732WL%EFWL0Cookie
2733RLx\.([~-][\w]?|\$+)($|\s|\:)UWA12URL
2734RLx\w=\/(etc|usr|var|bin|sbin|lib|lib64|run|sys|dev|root|home|opt|srv|mnt)\/Other12BODY|ARGS
2735RLx(^|\W)draggable(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2736WLxFBCR\/(\&\#\d+\-)+WL0User-agent
2737RLxfilename\s*=\s*.+\.(php|pht|py|js\W|rb|pl|pm|cgi|aspx)Other8Content-Disposition
2738RLx(^|\W)xbshell\WOther12BODY|URL|ARGS|HEADERS
2739RLx(^|\W)union(\s|\+)+(all(\s|\+)+)?select\WSQLi12BODY|URL|ARGS|HEADERS
2740RLdeployment-config.jsonUWA12URL
2741RLftpsync.settingsUWA12URL
2742RLx(^|\W)convert\(SQLi12BODY|URL|ARGS|HEADERS
2743RLx(^|\W)(md5|crc32|sha1|hash|crypt)\(SQLi12BODY|URL|ARGS|HEADERS
2744RLx(^|\W)HashBytes\(SQLi12BODY|URL|ARGS|HEADERS
2745RLx(^|\W)extractvalue\(SQLi12BODY|URL|ARGS|HEADERS
2746RLxwaitfor(\s|\+)+delay\WSQLi12BODY|URL|ARGS|HEADERS
2747RLximg(\s|\+)*src=\"?(https?\:\/\/)?[\w|\.|\-|\/]+\.(txt|php|py|cgi|asp)RFI12BODY
2748RLeval-stdin.phpUWA12URL
2749RLx\s(OR|\|\||AND|\&\&)(\s*not)?\s*(['")]\w*['"(]|\w*)\s*[!]?=\s*(['")]\w*['"(]|\w*)\s*\-\-SQLi12BODY|URL|ARGS|User-agent
2750RL@pdiscoveryioScanner12User-agent
2751RLx(^|\W)function\(XSS12BODY|URL|ARGS|HEADERS
2752RLx(sql|old|bkp|bck|bckp|back|backup|archive)\.(zip|rar|7zip|bz2|gz|xz|lzma|tar|gz|tar\.gz)($|\s|\:)UWA12URL
2753RLx(^|\W)includecomponent\(RCE12BODY
2754RLx(^|\W)__schema\W*\{Other12BODY|ARGS
2755RLx\/\.\.[\;\+]UWA12URL
2756RLx(^|\W)script[\s\+]+xmlnsXSS12BODY|URL|ARGS|HEADERS
2757RLx(^|\W)tostring\(XSS12BODY|URL|ARGS|HEADERS
2758RLx(^|\W)shell_exec\(SQLi12BODY|URL|ARGS|HEADERS
2759RLx\=[\s\+]*\$\{\w+[\+\-\*\/]\w+\}RCE12BODY|ARGS
2760RLx(^|\W)nslookup\WRCE12BODY|URL|ARGS|HEADERS
2761RLx\|[\s\+]*([\/]*(\w|\.)+[\/]+)?(bash|perl|python|php)\WRCE8BODY|URL|ARGS|HEADERS
2762RLx(^|\W)gethostbyname\(RCE12BODY|URL|ARGS|HEADERS
2763RLx['"`)][\s\+]*(OR|AND|\|\||\&\&)(\s+NOT)?[\s\+\"\'\(\)]+(.{1,25})[\s\+\"\'\(\)]+([\!\<\>]?\=|\<|\>)[\s\+\"\'\(\)]+(.{1,25})SQLi12BODY|URL|ARGS|User-agent
2764WLx\w\-\-\wWL0BODY|URL|ARGS|HEADERS
2766RLxbxss\W*\.meScanner12BODY|URL|ARGS|HEADERS
2767RLsysdate(Injection12BODY|URL|ARGS|HEADERS
2768RLx(^|\W)on(waiting|pause|show|start|unload|activate|drop|submit|close|afterprint|afterscriptexecute|end|contextmenu)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2769RLx(^|\W)on(cuechange|deactivate|finish|fullscreenchange|hashchange|invalid|keydown|message|repeat)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2770RLx(^|\W)on(resize|scroll|search|seeked|seeking|timeupdate|touchend|touchmove|touchstart|volumechange)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2771RLx(^|\W)on(mozfullscreenchange|pagehide|pageshow|popstate|progress|readystatechange|transitioncancel|transitionrun|transitionstart|unhandledrejection)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2772RLx(^|\W)onwebkitanimation(end|iteration|start|end)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2773RLx(^|\W)onbefore(cut|activate|copy|deactivate|paste|print|scriptexecute|unload|bounce|canplay|canplaythrough|drag|play)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2774RLx(^|\W)onpointer(down|enter|leave|move|out|over|rawupdate|up)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2775RLx(^|\W)onanimation(cancel|iteration|start|end)(\s|\+)*\=XSS12BODY|URL|ARGS|HEADERS
2776RLx(^|\W)strrev\(RCE12BODY|URL|ARGS|HEADERS
2777RLx(djy|qpy)l18\.comOther12ARGS
2778RLx(^|\W)execute\(RCE12BODY|URL|ARGS|HEADERS
2779RLx(^|\W)(atob|btoa)\(XSS12BODY|URL|ARGS|HEADERS
2780RLFuzz FasterScanner12User-agent
2781RLx(^|\W)get(Runtime|Response|Writer|Property|InputStream)\(RCE12BODY|Content-Type
2782RL.start(RCE12BODY|Content-Type
2783RLX-Scanner: NetsparkerScanner12X-Scanner
2784RLcodepoints-to-string(Injection12BODY|URL|ARGS|HEADERS
2785RLx(^|\W)substring\(Injection8BODY|URL|ARGS|HEADERS
2786RLstring-length(Injection12BODY|URL|ARGS|HEADERS
2787RLx(^|\W)starts-with\(Injection12BODY|URL|ARGS|HEADERS
2788RLx(^|\W)contains\(Injection8BODY|URL|ARGS|HEADERS
2789RLdb.collection.find(Injection12BODY|URL|ARGS|HEADERS
2790RLx(^|\W)match\(Injection8BODY|URL|ARGS|HEADERS
2791RLx(^|\W)document\[('|"|`)\w+('|"|`)\]XSS12BODY|URL|ARGS|HEADERS
2792RLknoxss.meScanner12BODY|URL|ARGS|HEADERS
2793RLx(^|\W)confirm(\.call)?\(XSS12BODY|URL|ARGS|HEADERS
2794RLx(^|\W)array\(RCE8BODY|URL|ARGS|HEADERS
2795RLarray_map(Injection12BODY|URL|ARGS|HEADERS
2796RLbase_convert(Injection12BODY|URL|ARGS|HEADERS
2797RLscaninfo@expanseinc.comScanner12User-agent
2798RL.xss.htScanner12BODY|URL|ARGS|HEADERS
2799RLx\$\{\d+\W\d+\}Injection8BODY|ARGS
2800RLload_file(SQLi12BODY|URL|ARGS|HEADERS
2801RLx(^|\W)start-sleep[\s\+]+\-RCE12BODY|URL|ARGS|HEADERS
2802RLx(^|\W)passthru\(RCE12BODY|URL|ARGS|HEADERS
2803RLx(^|\W)sleep\(RCE12BODY|URL|ARGS|HEADERS
2804RLx(^|\W)typeof\(RCE12BODY|URL|ARGS|HEADERS
2805RLx\Wisfinite\(RCE12BODY|URL|ARGS|HEADERS
2806RLx(^|\W)sleep[\s\+]+\dInjection8BODY|URL|ARGS|HEADERS
2807RLx(^|\W)prompt(\.call)?\(XSS12BODY|URL|ARGS|HEADERS
2808RLx(^|\W)substr\(RCE8BODY|URL|ARGS|HEADERS
2809RLx(^|\W)ord\(Injection8BODY|URL|ARGS|HEADERS
2810RLx(^|\W)mid\(SQLi8BODY|URL|ARGS|HEADERS
2811RLx(^|\W)ifnull\(SQLi12BODY|URL|ARGS|HEADERS
2812RLx(^|\W)cast\(SQLi8BODY|URL|ARGS|HEADERS
2813RLx(^|\W)database\(SQLi8BODY|URL|ARGS|HEADERS
2814RLscaninfo@paloaltonetworks.comScanner12User-agent
2815RLx(^|\W)require\(Injection8BODY|URL|ARGS|HEADERS
2816RLx(^|\W)endianness\(RCE12BODY|URL|ARGS|HEADERS
2817RLcharCodeAt(XSS12BODY|URL|ARGS|HEADERS
2818RLx(^|\W)fillrect\(XSS12BODY|URL|ARGS|HEADERS
2819RLfromcharcode(XSS12BODY|URL|ARGS|HEADERS
2820RLx@Grab(Config|Resolver)?\(RCE12BODY|URL|ARGS|HEADERS
2821RLx(^|\W)r87\.(com|me)\WScanner12BODY|URL|ARGS|HEADERS
2822RLx(^|\W)echo(\s|\+)+\$\(OSCI8BODY|URL|ARGS|HEADERS
2823RLx\;\W*echo(\s|\+)+(\-\w+(\s|\+)+)?[\'\"]OSCI8BODY|URL|ARGS|HEADERS
2824RLx(database|db|dump)\.tar(\.gz)?($|\s|\:)UWA12URL
2826RLx(^|\W)alert\.name\WXSS12BODY|URL|ARGS|HEADERS
2827RL.newInstance(SQLi12BODY|URL|ARGS|HEADERS
2828RL.forName(SQLi12BODY|URL|ARGS|HEADERS
2829RLxconfig\.inc(\.(bz2|gz|xz|tar(\.(bz2|gz|lzma|xz))?))?($|\s|\:)UWA12URL
2830RLxconfig\.(bz2|gz|xz|tar(\.(bz2|gz|lzma|xz))?)($|\s|\:)UWA12URL
2831WLOpen BSDWL0User-agent
2832RLx(^|\W)db.bz2($|\s|\:)UWA12URL
2833RLconfig_db.phpUWA12URL
2834RLx(^|\W)cat_code\WSQLi8BODY|URL|ARGS|HEADERS
2835RLx-wvs-idScanner12HEADERS
2836RLx(^|\W)(un)?escape\WXSS6BODY|URL|ARGS|HEADERS
2837WLx\$\{(ad_id|platform|campaign_id)\}WL0BODY|ARGS|HEADERS
2838RLx(^|\W)updatexml\(SQLi12BODY|URL|ARGS|HEADERS
2839RLx(^|\W)valueOf\W*(\(|\'|\"|.)XSS8BODY|URL|ARGS|HEADERS
2840RLJSON.stringify(XSS8BODY|URL|ARGS|HEADERS
2841RLx(^|\W)window\.[a-z]XSS4BODY|URL|ARGS|HEADERS
2842RLx(^|\W)(global|window)eventhandlers\.[a-z]XSS8BODY|URL|ARGS|HEADERS
2843RLx(^|\W)globalthis\WXSS6BODY|URL|ARGS|HEADERS
2844RLx(^|\W)fopen\(RCE6BODY|URL|ARGS|HEADERS
2845RLx(^|\W)f(write|puts)\(RCE6BODY|URL|ARGS|HEADERS
2846RLx(^|\W)printenv\WOSCI8BODY|URL|ARGS|HEADERS
2847WLgpg.keyWL0URL
2848RLx(^|\W)ini_set\(RCE12BODY|URL|ARGS|HEADERS
2849RLset_time_limit(RCE12BODY|URL|ARGS|HEADERS
2850RLx(^|\W)isset\(RCE8BODY|URL|ARGS|HEADERS
2851RL/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.phpUWA12URL
2852RL.interact.shScanner12BODY|URL|ARGS|HEADERS
2853RLreflect.apply(XSS8BODY|URL|ARGS|HEADERS
2854RLpromise.all(XSS8BODY|URL|ARGS|HEADERS
2855RL.then(alertXSS8BODY|URL|ARGS|HEADERS
2856RL/backup/UWA12URL
2857RL0x00Evasion4BODY|URL|ARGS|HEADERS
2858RLstring.fromcodepoint(XSS12BODY|URL|ARGS|HEADERS
2859RL.tolowercase(XSS8BODY|URL|ARGS|HEADERS
2860RLnetsystemsresearch.comScanner12User-agent
2861RLinternet-structure-research-project-botScanner12User-agent
2862RL/config.bak.phpUWA12URL
2863RLanonymousfox.coScanner12Referer
2864RLsystem.multicallOther12BODY|$URL:/xmlrpc.php
2865RLx\/wp-config\.(orig|txt|php[._](bak|old|new))UWA12URL
2866RLxjndi\:(dns|rmi|iiop|ldap)\:\/\/RCE12BODY|URL|ARGS|HEADERS
2867RLx\$\{(lower|upper)\:RCE8BODY|URL|ARGS|HEADERS
2868RLx\$[\\]?\{\:\:\-[jndilaprmso][\\]?\}RCE8BODY|URL|ARGS|HEADERS
2869RLx\$[\\]?\{env\:ENV_NAME\:\-[jndilaprmso][\\]?\}RCE8BODY|URL|ARGS|HEADERS
2870RLstr_pad(RCE8BODY|URL|ARGS|HEADERS
2871RLmysqli::RCE8BODY|URL|ARGS|HEADERS
2872RL/.aws/credentialsUWA12URL
2873RLx\.pydevproject($|\s|\:)UWA12URL
2874RLBluechipBacklinksScanner12User-agent
2875RLrookee.botScanner12User-agent
2876RLx(alfa_data|alfacgiapi|cgialfa)\/.{0,50}\.alfa($|\s|\/|\:)UWA8URL
2877RL.httpservletresponseRCE8BODY|Content-Type
2878RLx\/(db|backup|config)\d*\.(bz2|gz|tar|xz|lzma)($|\s|\:)UWA8URL
2879RLx(^|\W)var_dump\(RCE8BODY|URL|ARGS|HEADERS
2880RLwp_is_mobileScanner12User-agent
2881RLPHP/{5|6|7}Scanner8User-agent
2882RLclass.classloader.resources.dircontext.docbaseRCE8ARGS
2883RLgithub.com/gocollyScanner12User-agent
2884RL.get_host_address(SQLi12BODY|URL|ARGS|HEADERS
2885RLxCensysInspect|censys\.ioScanner12User-agent
2886RLx\.(git|svn)UWA8URL
2887RL.touppercase(XSS8BODY|URL|ARGS|HEADERS
2888RL0x[]RCE8BODY
2889RL0x[]=androxgh0stRCE12BODY
2890RLxwhile\s*\(RCE4BODY|URL|ARGS|HEADERS
2891RL.equals(RCE4BODY|URL|ARGS|HEADERS
2892RLclass.module.classLoaderRCE12BODY|URL|ARGS|HEADERS
2893RL.getInputStream(RCE8BODY|URL|ARGS|HEADERS
2894RL.getRuntime(RCE8BODY|URL|ARGS|HEADERS
2895RL.getParameter(RCE8BODY|URL|ARGS|HEADERS
2896RLx\.queryselector(all)?\(XSS8BODY|URL|ARGS|HEADERS
2897RLspringframework.context.support.FileSystemXmlApplicationContextRCE8BODY|URL|ARGS|HEADERS

Description:
RL - a blacklist rule ("x" - with regular expression).
WL - a whitelist rule ("x" - with regular expression).
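
The following is an added example, not Nemesida code and not part of the original page. It parses a few rows copied from the listing above and compares which blacklist signatures fire on the page's modified samples against plain baseline inputs. Case-insensitive matching, one round of percent-decoding, the function names and the baseline inputs marked "constructed" are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Rows copied verbatim from the rules.bin listing on this page (a small subset).
ROWS = [
    r"52RL'SQLi2URL|ARGS|User-Agent",
    r"111WLx\{\{[\w.]+}\}WL0ARGS",
    r"1007RLx[^-:=\.\w\|]select[^-:=\.\w\|]SQLi4BODY|URL|ARGS|HEADERS",
    r"1026RLx(^|\W)system\(RCE8BODY|URL|ARGS|HEADERS",
    r"1130RLx/%?\*(.|\s){0,50}\*%?/SQLi6URL|ARGS",
    r"1559RLxetc/(passwd|shadow)UWA12BODY|URL|ARGS|HEADERS",
    r"2739RLx(^|\W)union(\s|\+)+(all(\s|\+)+)?select\WSQLi12BODY|URL|ARGS|HEADERS",
]

TAGS = "SQLi|XSS|RCE|LFI|RFI|UWA|OSCI|WL|Other|Evasion|Injection|Scanner"
# Columns run together in the listing: ID, type, optional "x", signature, tag,
# score, zones. The greedy signature group makes the last tag+score the split.
# A lowercase "x" right after RL/WL is always read as the regex flag here, so a
# literal signature that itself starts with "x" cannot be told apart.
ROW = re.compile(rf"^(\d+)(RL|WL)(x?)(.+)({TAGS})(\d+)([A-Za-z$].*)$")


@dataclass
class Rule:
    rule_id: int
    kind: str          # "RL" blacklist or "WL" whitelist
    is_regex: bool     # True when the type carries the "x" marker
    signature: str
    tag: str
    score: int
    zones: tuple

    def hits(self, value: str) -> bool:
        # Assumption: matching is case-insensitive for both rule kinds.
        if self.is_regex:
            return re.search(self.signature, value, re.IGNORECASE) is not None
        return self.signature.lower() in value.lower()


def parse_row(row: str) -> Rule:
    m = ROW.match(row)
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    rid, kind, x, sig, tag, score, zones = m.groups()
    return Rule(int(rid), kind, x == "x", sig, tag, int(score),
                tuple(z.upper() for z in zones.split("|")))


def evaluate(rules, zone: str, raw: str):
    """Return (IDs of RL rules that fire, summed score) for one zone value."""
    value = unquote(raw)  # assumption: one round of percent-decoding
    fired = [r for r in rules
             if r.kind == "RL" and zone.upper() in r.zones and r.hits(value)]
    return [r.rule_id for r in fired], sum(r.score for r in fired)


RULES = [parse_row(r) for r in ROWS]

if __name__ == "__main__":
    samples = [  # (origin of the input, value placed in the ARGS zone)
        ("constructed", "id=1 union select 1,2"),
        ("page", "unIO%6e/*a*/selEC%74"),
        ("page", 'un","ion se","lect'),
        ("constructed", "cat /etc/passwd"),
        ("page", "cat+/e't'c/pa'ss'wd"),
        ("constructed", "system(ls)"),
        ("page", "(sy.(st).em)(ls)"),
    ]
    for origin, value in samples:
        ids, total = evaluate(RULES, "ARGS", value)
        print(f"{origin:11} {value!r:28} rules={ids} score={total}")
```

The scores cover only the seven rows embedded in the example; the full list contains other rules that may also fire on these inputs.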

