Signature analysis

Using rules.bin, the signature analysis of Nemesida WAF Free provides basic protection of web applications against attacks (scanning, unskilled attempts to find or exploit vulnerabilities). At the same time, signature analysis cannot detect modified, complex or new types of attacks, for example:
un","ion se","lect
unIO%6e/*a*/selEC%74
(sy.(st).em)(ls)
%2f???%2f??t%20%2f???%2fp??s??
cat+/e't'c/pa'ss'wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bash
ec'h'o 'cat /etc/examplewd' | sed 's/example/pass/g' | bash
For high-quality protection of web applications (websites, online marketplaces, APIs, etc.), including against zero-day attacks, use the full-featured version of Nemesida WAF with the machine learning module.

The rules.bin

Rule ID   Type   Signature   Tag   Score   Match zone
1     RL   nwaftest   Other   12   BODY|URL|ARGS|HEADERS
30    RL   ++   Injection   2   BODY|URL|ARGS|HEADERS
31    RLx  (\d+\s*,\s*){4,}   Injection   4   BODY|URL|ARGS|HEADERS
32    RLx  \W&&\W   Injection   2   BODY|URL|ARGS|HEADERS
33    RLx  \W@@\w   Injection   2   BODY|URL|ARGS|HEADERS
34    RLx  \W\|\|\W   Injection   2   BODY|URL|ARGS
35    RLx  \{\{.+\}\}   Injection   12   ARGS
36    RL   $(   Injection   2   BODY|URL|ARGS|HEADERS
37    RL   ${   Injection   2   BODY|URL|ARGS|HEADERS
39    RL   /*   Injection   1   BODY|URL|ARGS|$HEADERS_VAR:Cookie|$HEADERS_VAR:User-Agent
40    RL   */   Injection   1   BODY|URL|ARGS|$HEADERS_VAR:Cookie|$HEADERS_VAR:User-Agent
51    RL   ;   Injection   2   URL|ARGS
52    RL   '   Injection   2   URL|ARGS|$HEADERS_VAR:User-Agent
53    RL   ?   Injection   2   URL|ARGS|$HEADERS_VAR:User-Agent
54    RL   ['#   Injection   12   URL
55    RL   \'%   Injection   2   BODY|URL|ARGS
56    RL   %\'   Injection   2   BODY|URL|ARGS
57    RL   ../../   Injection   12   BODY|URL|ARGS|HEADERS
58    RL   =\"   Injection   2   BODY|URL|ARGS
59    RL   =\'   Injection   2   BODY|URL|ARGS
60    RL   *\'   Injection   4   BODY|URL|ARGS
61    RL   *!   Injection   8   URL|ARGS
62    RLx  \(\s{0,250}\)   Injection   6   URL|ARGS|HEADERS
63    RLx  \(\s{0,250}\)   Injection   2   BODY
66    RL   \\   Injection   2   BODY|URL|ARGS
67    RL   ../   Injection   8   BODY|URL|ARGS|HEADERS
68    RL   --   Injection   2   BODY|URL|ARGS|$HEADERS_VAR:Cookie|$HEADERS_VAR:User-Agent
69    RL   #   Injection   2   BODY|URL|ARGS|$HEADERS_VAR:Cookie|$HEADERS_VAR:User-Agent
71    RL   ..\..\   Injection   12   BODY|URL|ARGS|HEADERS
72    RL   \N   Injection   2   BODY|URL|ARGS|HEADERS
73    RL   %EF   Evasion   0   MLA
74    RLx  \\x[0-9a-z]{2,2}   Evasion   0   MLA
75    RL   %C0   Evasion   0   MLA
76    RLx  (\\|%)u[0-9a-z]{4,}   Evasion   0   MLA
77    RL   ././   Injection   12   BODY|URL|ARGS|HEADERS
98    RLx  [&=<]\.0   XSS   6   BODY|URL|ARGS
99    RLx  [\^<>]0\.   XSS   6   BODY|URL|ARGS
100   WL   sitemap.xml.gz   Other   1   URL
101   WLx  =\[?(\d+\s*,\s*){4,}   Other   1   $HEADERS_VAR:Cookie|$HEADERS_VAR:Referer
102   WLx  description|subscription   Other   1   BODY|URL|ARGS|HEADERS
103   WL   Let's Encrypt validation server   Other   1   $HEADERS_VAR:User-Agent
104   WLx  utm_referrer=https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}   Other   1   ARGS
105   WLx  -+\w   Other   1   BODY|$HEADERS_VAR:Content-Type
106   WLx  n--p1ai   Other   1   BODY|URL|ARGS|HEADERS
107   WLx  file://$   Other   1   $HEADERS_VAR:Origin
108   WL   --   Other   1   $HEADERS_VAR:Cookie|$HEADERS_VAR:Referer
109   WL   ?from=   Other   1   ARGS
110   WL   <?xml   Other   1   BODY
111   WLx  (utm_\w+=\{\{[\w\.-]*\}\}&?)+   Other   1   ARGS
500   RL   /.source   XSS   8   BODY|URL|ARGS
502   RLx  \ssrc\s*=   XSS   4   BODY|URL|ARGS|HEADERS
504   RLx  \Weval\W*\(   XSS   8   BODY|URL|ARGS|HEADERS
505   RLx  <svg\s   XSS   4   BODY|URL|ARGS|HEADERS
507   RLx  /onload\s*=   XSS   12   BODY|URL|ARGS|HEADERS
508   RLx  \Walert\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
509   RL   symbol.replace   XSS   8   BODY|URL|ARGS|HEADERS
510   RLx  array\.(map|from)   XSS   8   BODY|URL|ARGS|HEADERS
511   RLx  \Wdocument(\.[a-z]+)+\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
512   RL   </noscript   XSS   4   BODY|URL|ARGS|HEADERS
513   RL   </xmp   XSS   4   BODY|URL|ARGS|HEADERS
514   RL   </style   XSS   4   BODY|URL|ARGS|HEADERS
515   RL   </script   XSS   4   BODY|URL|ARGS|HEADERS
516   RLx  <img\s   XSS   4   BODY|URL|ARGS|HEADERS
517   RLx  <base\s   XSS   4   BODY|URL|ARGS|HEADERS
518   RLx  <i?frame\s   XSS   6   BODY|URL|ARGS|HEADERS
526   RL   User-Agent|3A| <SCRIPT>   XSS   12   $HEADERS_VAR:User-Agent
527   RLx  \WOnPointerEnter\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
528   RLx  \Won(error|load|cut|focus|click|begin)\s*=   XSS   12   BODY|URL|ARGS|HEADERS
532   RLx  \Wonmouse(down|enter|leave|move|out|over|up)\s*=   XSS   12   BODY|URL|ARGS|HEADERS
534   RL   </title   XSS   2   BODY|URL|ARGS|HEADERS
535   RL   svg>   XSS   4   BODY|URL|ARGS|HEADERS
536   RL   <<   XSS   4   URL|ARGS
537   RL   <script   XSS   4   BODY|URL|ARGS|HEADERS
538   RL   >>   XSS   4   URL|ARGS
539   RLx  \Wontoggle\s*=   XSS   12   BODY|URL|ARGS|HEADERS
540   RLx  \Won(aux|dbl)click\s*=   XSS   12   BODY|URL|ARGS|HEADERS
541   RLx  \Woncontextmenu\s*=   XSS   12   BODY|URL|ARGS|HEADERS
542   RLx  \Wontouchcancel\s*=   XSS   12   BODY|URL|ARGS|HEADERS
543   RLx  \Wset(Timeout|Interval|Immediate)\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
544   RLx  \WexecScript\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
545   RL   crypto.generateCRMFRequest   XSS   12   BODY|URL|ARGS|HEADERS
548   RL   Range.createContextualFragment   XSS   12   BODY|URL|ARGS|HEADERS
549   RL   window.location   XSS   12   BODY|URL|ARGS|HEADERS
550   RL   document.location   XSS   12   BODY|URL|ARGS|HEADERS
551   RLx  \Wlocation(\.[a-z]+)+\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
552   RLx  \Whistory(\.[a-z]+)+\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
553   RLx  \W(local|session)Storage\W*\(   XSS   12   BODY|URL|ARGS|HEADERS
554   RL   <svg/ontoggle   XSS   12   BODY|URL|ARGS|HEADERS
555   RLx  \WcreateElement\W*\(   XSS   8   BODY|URL|ARGS|HEADERS
1000  RLx  [^-:=\.\w\|]where[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1001  RLx  [^-:=\.\w\|]update[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1002  RLx  [^-:=\.\w\|]table[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1003  RLx  group[^-:=\.\w\|/]+by   Injection   2   BODY|URL|ARGS|HEADERS
1005  RLx  order[^-:=\.\w\|]+by   Injection   3   BODY|URL|ARGS|HEADERS
1006  RLx  [^-:=\.\w\|]limit[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1007  RLx  [^-:=\.\w\|]select[^-:=\.\w\|]   Injection   4   BODY|URL|ARGS|HEADERS
1008  RLx  [^-:=\.\w\|]insert[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1009  RLx  (char|chr)\W*[(@]   Injection   6   BODY|URL|ARGS|HEADERS
1010  RLx  [^-:=\.\w\|]truncate[^-:=\.\w\|]   Injection   3   BODY|URL|ARGS|HEADERS
1011  RLx  \Wbenchmark\W   Injection   4   BODY|URL|ARGS|HEADERS
1012  RLx  ((char|chr)\W*[(@]+.{1,100}){3,}   Injection   12   BODY|URL|ARGS|HEADERS
1016  RLx  [^-:=\.\w\|]if[^-:=\.\w\|]   Injection   2   BODY|URL|ARGS|HEADERS
1021  RLx  select[^-:=\.\w\|]{1,250}(.|\s){0,250}from   Injection   8   BODY|URL|ARGS|HEADERS
1022  RLx  union[^-:=\.\w\|]{1,250}(.|\s){0,250}select   Injection   8   BODY|URL|ARGS|HEADERS
1023  RL   extractvalue   Injection   4   BODY|URL|ARGS|HEADERS
1024  RLx  \Wconcat\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1025  RL   updatexml   Injection   4   BODY|URL|ARGS|HEADERS
1026  RLx  \Wsystem\W*[\(\)]   Injection   12   BODY|URL|ARGS|HEADERS
1027  RLx  \Wextractvalue\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1028  RLx  \Welt\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1031  RLx  (encode|decode)\W*[\(\)]   Injection   12   BODY|URL|ARGS|HEADERS
1032  RL   group_concat   Injection   4   BODY|URL|ARGS|HEADERS
1033  RLx  \Wrlike\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1034  RLx  [^-:=\.\w\|]database[^-:=\.\w\|]   Injection   4   BODY|URL|ARGS|HEADERS
1035  RL   system_user   Injection   6   BODY|URL|ARGS|HEADERS
1036  RL   version()   Injection   8   BODY|URL|ARGS|HEADERS
1037  RLx  \Wnot\W+in\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1038  RLx  json(_\w+){1,2}\W*\(   Injection   6   BODY|URL|ARGS|$HEADERS_VAR:Cookie
1039  RLx  [^-:=\.\w\|]contains[^-:=\.\w\|]   Injection   4   BODY|URL|ARGS|HEADERS
1040  RLx  [^-:=\.\w\|]sleep[^-:=\.\w\|]   Injection   6   BODY|URL|ARGS|HEADERS
1042  RL   table_name   Injection   8   BODY|URL|ARGS
1043  RLx  ``\s{0,250}``   Injection   3   BODY|URL|ARGS
1044  RL   table.name   Injection   8   BODY|URL|ARGS
1045  RL   isnull   Injection   2   BODY|URL|ARGS|HEADERS
1046  RLx  _(en|de)crypt\W*\(   Injection   6   BODY|URL|ARGS|HEADERS
1049  RL   create_digest   Injection   6   BODY|URL|ARGS|HEADERS
1050  RLx  log\d+\W*(\(|\))   Injection   8   URL|ARGS
1053  RLx  /(bin|sbin)/   Other   4   BODY|URL|ARGS|HEADERS
1054  RLx  \Wslug\W   Injection   4   BODY|ARGS|$HEADERS_VAR:X-Forward-For
1055  RL   to_base64   Injection   6   BODY|URL|ARGS|HEADERS
1056  RLx  [^-:=\.\w\|]replace[^-:=\.\w\|]   Injection   4   BODY|URL|ARGS|HEADERS
1057  RL   master_pos_wait   Injection   8   URL|ARGS
1059  RL   str_replace   Injection   8   BODY|ARGS
1060  RL   user_meta   Injection   8   BODY|URL|ARGS
1061  RL   regexp   Injection   2   BODY|ARGS
1063  RLx  \d+[\'\`]   Injection   8   URL
1064  RL   wp_comment   Injection   8   BODY|URL|ARGS
1065  RL   wp_usermeta   Injection   8   BODY|URL|ARGS
1066  RL   wp_post   Injection   8   BODY|URL|ARGS
1067  RL   wp_term   Injection   8   BODY|URL|ARGS
1068  RL   wp_user   Injection   8   BODY|ARGS
1069  RL   wp_options   Injection   8   BODY|ARGS
1072  RLx  \Wprint(_r)?\W*\(   Injection   12   BODY|URL|ARGS|HEADERS
1073  RLx  \{\s*.\s+\d+.{0,5000}\}   Injection   8   URL|ARGS
1075  RLx  \d\'\s*\w+=(\d+|\')   Injection   12   URL|ARGS
1077  RLx  =(\-\w+|\w+[\'\)\"])(.|\s){0,30}\s+where\s+(.|\s){0,30}\s+(OR|AND)   Injection   12   BODY|URL|ARGS|HEADERS
1078  RLx  ctx=web\&cache_filename=.+\.php.+IMresizedData=\<\?php   Injection   12   BODY
1079  RLx  ["'`](.|\s){0,50}[^a-z\_\-\=\|\\](\s|\+)(OR|AND|&&|\|\|)(\s|\+)(.|\s){1,500}=   Injection   8   BODY|URL|ARGS|HEADERS
1080  RLx  \-\d+(.|\s){0,50}[^a-z\_\-\=\|\\](\s|\+)(OR|AND|&&|\|\|)(\s|\+)(.|\s){1,500}=   Injection   8   BODY|URL|ARGS|HEADERS
1081  RLx  \w+=\d+\'($|\s)   Injection   12   URL|ARGS
1085  RLx  \d+[\'\`]   Injection   2   BODY|ARGS|HEADERS
1086  RLx  (\b(m(s(ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(ys(\.database_name|aux)\b|chema(\W*\(|_name\b)|qlite(_temp)?_master\b)|d(atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))   Injection   8   BODY|URL|ARGS|HEADERS
1087  RLx  sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.{0,100}?),(.{0,100}?)\)   Injection   12   BODY|URL|ARGS|HEADERS
1088  RLx  (((select|;)\s+(benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))   Injection   12   BODY|URL|ARGS|HEADERS
1090  RLx  ((alter\s*?\w+.{0,100}?(character|char)\s+set\s+\w+)|([\"'`];*?\s*?waitfor\s+(time|delay)\s+[\"'`])|([\"'`];.{0,100}\s*?goto\W))   Injection   8   BODY|URL|ARGS|HEADERS
1091  RLx  union.{1,500}select.{1,500}from   Injection   12   BODY|URL|ARGS|HEADERS
1092  RLx  ((select\s*?pg_sleep)|(waitfor\s*?delay\s?[\"'`]+\s?\d)|(;\s*?shutdown\s*?(;|--|#|/\*|{)))   Injection   8   BODY|URL|ARGS|HEADERS
1093  RLx  ((\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))   Injection   12   BODY|URL|ARGS|HEADERS
1094  RLx  ((procedure\s+analyse\s*?\()|(;\s*?(declare|open)\s+[\w-]+)|(create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))   Injection   8   BODY|URL|ARGS|HEADERS
1095  RLx  ((create\s+function\s+.{1,5000}\s+returns)|(;\s*?(select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))   Injection   8   BODY|URL|ARGS|HEADERS
1096  RLx  xp_(servicecontrol|regread|regwrite|regdeletevalue|regdeletekey|fileexist|enumerrorlogs|readerrorlogs|enumdsn|enumgroups|ntsec_enumdomains)   Other   12   BODY|URL|ARGS|HEADERS
1099  RLx  (^|&)src=[^&]*?(http|ftp)   Injection   12   URL
1100  RLx  [?&]home=[^&]*?(http|ftp)   Other   12   URL
1102  RLx  [?&]size=[^&]*?\x3b   Injection   12   ARGS
1104  RL   action=getTopic   Injection   8   BODY
1105  RLx  \[\#markup\]\=\S+\s+\S+   Injection   12   BODY|URL|ARGS
1107  RL   found_rows   Injection   8   URL|ARGS
1108  RL   tceles   Injection   4   URL|ARGS|$HEADERS_VAR:Cookie
1109  RLx  information(_|\.)schema   Injection   12   BODY|URL|ARGS|HEADERS
1110  RLx  (\s|\+)(infile|outfile|dumpfile)(\s|\+)   Injection   8   BODY|URL|ARGS|HEADERS
1111  RL   noinu   Injection   4   URL|ARGS
1112  RL   substring%   Injection   8   BODY|URL|ARGS|HEADERS
1115  RL   @@version   Injection   8   BODY|URL|ARGS|HEADERS
1116  RL   schema   Injection   6   URL|ARGS
1117  RL   datadir   Injection   8   BODY|URL|ARGS|HEADERS
1118  RL   hostname   Injection   4   BODY|URL|ARGS|HEADERS
1119  RL   rowcount   Injection   4   BODY|URL|ARGS|HEADERS
1120  RLx  \s;\s   Injection   8   URL|ARGS
1121  RL   coercibility   Injection   8   URL|ARGS
1123  RL   COLLATION   Injection   8   URL|ARGS
1124  RL   CONNECTION_ID   Injection   8   URL|ARGS
1125  RL   current_user   Injection   8   URL|ARGS
1126  RL   last_insert_id   Injection   8   URL|ARGS
1127  RL   row_count   Injection   8   URL|ARGS
1128  RL   session_user   Injection   8   URL|ARGS
1129  RL   @user   Injection   8   URL|ARGS
1130  RLx  /%?\*(.|\s){0,250}\*%?/   Injection   6   URL|ARGS
1131  RLx  /%?\*(.|\s){0,300}\*%?/   Injection   2   BODY
1132  RLx  ((/%?\*(.|\s){0,300}\*%?/)(.|\s){0,300}){3,}   Injection   12   BODY|URL|ARGS|HEADERS
1133  RLx  name\[\d+.{20,}\]   Injection   12   BODY
1134  RLx  admin(istrator)?'--   Injection   12   BODY|URL|ARGS|HEADERS
1135  RLx  ((\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(file|ftps?|https?):\/)   Other   12   BODY
1136  RLx  ^(file|ftps?|https?)://(.{0,500})$   Other   12   ARGS
1137  RLx  %0(.|\s){0,50}([a-z]%){3,}   Injection   12   BODY|URL|ARGS|HEADERS
1138  RLx  (%\w%.{0,500}){5,}   Injection   8   BODY|URL|ARGS|HEADERS
1139  RL   validate_password_strength   Injection   8   URL|ARGS
1141  RL   libraryContent   Injection   8   BODY
1142  RL   base64_decode   Injection   8   BODY
1143  RL   globals[   Other   8   BODY|URL|ARGS
1144  RLx  \WResponse.Write\W*\(   Injection   8   BODY|URL|ARGS|HEADERS
1145  RLx  \w=\.\.\/   Injection   12   ARGS
1311  RL   <?   Other   4   BODY
1312  RL   ?>   Other   4   BODY
1313  RL   <?php   Other   12   BODY|URL|ARGS|HEADERS
1314  RLx  \$_\w+\[   Other   12   BODY|URL|ARGS|HEADERS
1316  RL   get_defined_functions   Other   12   BODY|URL|ARGS|HEADERS
1317  RL   _PHPLIB[libdir]   Other   8   BODY|URL|ARGS|HEADERS
1318  RL   auto_prepend_file   Other   8   URL|ARGS
1319  RL   var_dump   Other   12   BODY|URL|ARGS|HEADERS
1322  RL   burpcollaborator.net   Other   12   BODY|URL|ARGS|HEADERS
1324  RL   constructor.constructor   Other   8   BODY
1352  RL   XAttacker.php   Other   12   BODY|URL|ARGS
1359  RLx  \%0(0|A|D)   Evasion   12   URL|ARGS
1395  RLx  GALLERY_BASEDIR=(https?|ftps?|php)   Other   12   URL
1397  RLx  include.?dir\x3D   Other   12   URL
1398  RLx  path=(https?|ftps?|php)   Other   12   URL
1399  RLx  php\?goto=(https?|ftps?|php)   Other   12   URL
1427  RL   |C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|   Other   12   HEADERS
1431  RLx  /(admin/addcontent\.inc|images/psg)\.php   Other   12   URL
1432  RL   |50 4B 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|   Other   8   BODY|URL|ARGS|HEADERS
1433  RL   $padd = str_repeat(|22|A|22|, 196)   Other   8   BODY|URL|ARGS|HEADERS
1434  RL   $evil = $padd.$payload   Other   8   BODY|URL|ARGS|HEADERS
1435  RL   str_repeat(|22 5C|x90|22|, EVIL_SPACE_SIZE)   Other   8   BODY|URL|ARGS|HEADERS
1436  RL   for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1   Other   8   BODY|URL|ARGS|HEADERS
1439  RL   Content-Length: 0|0D 0A|   Other   8   URL
1459  RL   svg>   Other   3   BODY
1491  RLx  [^-:\.\w\|]exec[^-:\.\w\|/]   Injection   8   BODY|URL|ARGS|HEADERS
1493  RLx  \Wdie\W*\(   Injection   12   BODY|URL|ARGS|HEADERS
1494  RL   action=after_upload_complete   Injection   8   BODY|ARGS
1495  RLx  O:\d+:.{0,100}:\d+:{(s|S):\d+:.{0,100};.{0,100}}   Injection   12   BODY|ARGS|HEADERS
1496  RLx  (\\)+Shell(\\)+Open(\\)+Command   Injection   12   URL|ARGS
1497  RLx  (.{1,50}\(.{1,50}\)){3,}   Injection   12   URL
1500  RLx  \.(.{0,250})~($|\s)   UWA   12   URL
1501  RLx  src=https?\x3a\x2f[^\x26\x20]*?(\x24\x28|%24%28)   UWA   12   URL|ARGS
1502  RL   .vscode   Other   12   URL
1505  RLx  \.(gemfile|gemfile|rb|irbrc)($|\s|\:)   UWA   12   URL
1506  RLx  \.(bzr|project|sublime|md|svn|git|gitignore|s3cfg|hg|hgignore|subversion|cvs|cvsignore|ftpconfig|csproj)($|\s|/|\:)   UWA   12   URL
1512  RLx  \.php[^3-7S]+$   UWA   12   URL
1513  RLx  \.(py|pydevproject|pl|cgi)($|\s|\:)   UWA   12   URL
1515  RL   .DS_Store   UWA   12   URL
1516  RLx  \.(jar|jsp|jspx|jspf|java|coffee|war|yml|cfm)($|\s|\:)   UWA   12   URL
1517  RLx  \.(conf|ssh|ini|inc|env|inc|viminfo|properties|dead\.letter|passwd)($|\s|\:)   UWA   12   URL
1518  RLx  \.(phpinc|save|swp|lock|old|orig|log|tmp|temp)($|\s|\:)   UWA   12   URL
1519  RLx  \.(bz2|gz|tar|xz|lzma|zip)($|\s|\:)   UWA   12   URL
1521  RL   sftp-config.json   UWA   12   URL
1522  RL   .idea/   UWA   12   URL
1523  RLx  ^/wp-content/plugins/($|\s)   UWA   12   URL
1524  RLx  /wp-content/plugins/.{1,250}/cache/   UWA   12   URL
1526  RLx  \.(mdb|db|sqlite|sql)($|\s|\:)   UWA   12   URL
1528  RLx  id_(rsa|dsa)\.ppk($|\s|\:)   UWA   12   URL
1559  RLx  etc/(passwd|shadow)   UWA   12   BODY|URL|ARGS|HEADERS
1560  RL   system.ini   UWA   12   URL
1561  RLx  \.(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh)($|\s|\:)   UWA   12   URL
1562  RLx  \.(bat|exe|dll)($|\s|\:)   UWA   12   URL
1808  RL   composer.json   UWA   12   URL
1810  RLx  %COMMONPROGRAMFILES%|%PROGRAMDATA%|%PROGRAMFILES%   UWA   12   URL|ARGS
1811  RLx  %PSModulePath%|%PUBLIC%|%APPDATA%|%LOCALAPPDATA%   UWA   12   URL|ARGS
1812  RLx  %ALLUSERSPROFILE%|%USERDATA%|%USERNAME%|%USERPROFILE%   UWA   12   URL|ARGS
1813  RLx  %HOMEDRIVE%|%HOMEPATH%   UWA   12   URL|ARGS
1814  RLx  %TEMP%|%TMP%   UWA   12   URL|ARGS
1816  RLx  %SystemDrive%|%SystemRoot%|%WINDIR%|%COMSPEC%   UWA   12   URL|ARGS
1817  RL   %PROGRAMFILES|40|X86|41|%   UWA   12   URL|ARGS
1818  RLx  %PATH%|%PATHEXT%   UWA   8   URL|ARGS
1819  RLx  %COMPUTERNAME%|%LOGONSERVER%|%PROMPT%|%USERDOMAIN%   UWA   8   URL|ARGS
1820  RL   db_details_importdocsql.php   UWA   8   URL
1821  RLx  /(global|dnewsweb|swsrv|ikonboard)\.cgi   UWA   8   URL
1822  RL   /math_sum.mscgi   UWA   8   URL|ARGS
1823  RLx  /(ksh|rsh|tcsh|csh|zsh|zshrc|bash|bash_profile|rksh)($|\s)   UWA   12   URL|ARGS
1826  RLx  /(math_sum.mscgi|htsearch|printenv|db2www|document.d2w)   UWA   8   URL
1827  RL   /admentor/admin/admin.asp   UWA   8   URL
1830  RL   /timthumb.php   UWA   4   URL
1831  RL   /timthumbdir/cache   UWA   4   URL
1832  RL   /w3tc/dbcache   UWA   8   URL
1833  RL   /uploadify/uploadify.php   UWA   12   URL
1834  RL   php://   UWA   12   BODY|URL|ARGS|HEADERS
1835  RL   ftp://   UWA   12   BODY|URL|ARGS|HEADERS
1836  RL   zlib://   UWA   12   BODY|URL|ARGS|HEADERS
1837  RL   data://   UWA   12   BODY|URL|ARGS|HEADERS
1838  RL   glob://   UWA   12   BODY|URL|ARGS|HEADERS
1839  RL   phar://   UWA   12   BODY|URL|ARGS|HEADERS
1840  RL   file://   UWA   8   BODY|URL|ARGS|HEADERS
1841  RL   /cfide/componentutils   UWA   12   URL
1842  RL   /mysqldumper   UWA   12   URL
1843  RLx  php(pg|my)admin   UWA   12   URL
1845  RL   /bin/sh   UWA   12   BODY|URL|ARGS|HEADERS
1846  RL   .htpasswd   UWA   12   URL|ARGS
1847  RL   .htaccess   UWA   12   URL|ARGS
1848  RL   whitelist.pac   UWA   12   URL
1849  RL   proxy.pac   UWA   12   URL
1850  RL   (?p=b)((?p=b)(?j:(?p<b>c)(?p<b>a(?p=b)))>wgxcredits)   UWA   12   BODY|ARGS|HEADERS
1851  RL   0000::1   UWA   12   $HEADERS_VAR:X-Forward-For
1852  RL   127.0.0   UWA   12   $HEADERS_VAR:X-Forward-For
1853  RL   (?j:(?|(:(?|(?'r')(\k'r')|((?'r')))h'rk'rf)|s(?'r'))))   UWA   12   HEADERS
1854  RL   /var/www/   UWA   12   URL|ARGS
1856  RL   /philboard_admin.asp   UWA   12   URL|ARGS
1857  RL   /cgi-bin/ls   UWA   8   URL|ARGS
1858  RL   .php.pjpg   UWA   12   BODY|URL
1860  RL   /wp-includes/rss-functions.php   UWA   12   URL
1861  RL   /wp-content/themes/RightNow/includes/uploadify/upload_settings_image.php   UWA   12   BODY
1865  RL   /xmlrpc.php   UWA   12   URL
1866  RLx  stdin|stdout|stderr   UWA   4   BODY|URL|ARGS|HEADERS
1868  RL   X-Pingback-Forwarded-For:   UWA   8   $HEADERS_VAR:X-Forward-For
1869  RLx  /dev/(tcp|udp)   UWA   12   BODY|ARGS|HEADERS
1870  RL   /sqlite/main.php   UWA   12   URL|ARGS
1871  RL   phpinfo   UWA   12   BODY|ARGS
1872  RLx  /~(root|ftp|nobody)   UWA   12   BODY|URL|ARGS
1873  RL   /htmlscript   UWA   12   URL
1876  RL   /post-query   UWA   8   URL
1877  RL   %COMMONPROGRAMFILES|40|x86|41|%   UWA   12   URL|ARGS
1879  RLx  [^/]https?:/   UWA   12   URL
1881  RLx  linear-gradient\(|<a\s+href=   UWA   12   URL
1882  RL   javascript:   UWA   12   URL|ARGS
1883  RL   /DatabaseFunctions.php   UWA   8   URL
1884  RL   /GlobalFunctions.php   UWA   8   URL
1885  RL   /UpdateClasses.php   UWA   8   URL
1886  RL   /scripts/setup.php   UWA   12   URL
1887  RLx  (phpinfo|phpsysinfo)\.php   UWA   12   URL
1888  RL   /server_sync.php   UWA   12   URL
1891  RL   PageServices   UWA   8   URL|ARGS
1892  RL   /htgrep   UWA   8   URL
1893  RL   /WEB-INF   UWA   6   URL
1894  RL   /proc/self/   UWA   12   BODY|URL|ARGS
1895  RL   phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000   UWA   4   ARGS
1896  RLx  phpe9568f3(4|5|6)-d428-11d2-a769-00aa001acf42   UWA   4   ARGS
1897  RLx  /_vti_(adm|bin)/   UWA   12   URL
1898  RL   /_vti_rpc   UWA   12   URL
1899  RL   /server-status   UWA   12   URL
1900  RL   /balancer-manager   UWA   12   URL
1901  RL   /host-manager/   UWA   12   URL
1902  RL   fx29shcook   UWA   8   URL
1903  RLx  act=\S+&(d|f)=   UWA   12   BODY|ARGS
1904  RLx  act=(fxmailselfremove|encoder|eval|sql|phpinfo)   UWA   12   BODY|ARGS
1905  RLx  _act=(execute|list\s+files|upload)   UWA   12   BODY|ARGS
1906  RL   cmd_txt=1   UWA   8   ARGS
1907  RL   /c99.php   UWA   12   URL
1908  RLx  (\s|\+|#)cmd=   UWA   12   BODY|URL|ARGS|HEADERS
1909  RLx  c999sh_surl|c999shvars   UWA   12   $HEADERS_VAR:Cookie
1910  RL   webconfig.txt.php   UWA   12   URL
1911  RL   wpad.dat   UWA   12   URL
1912  RL   kcfinder   UWA   12   URL
1913  RL   composer.phar   UWA   12   URL
1914  RLx  adminer.*\.php   UWA   12   URL
1915  RL   \/(r57|r57shell)\.php   UWA   12   URL
1917  RL   /admin/templates/header.php   UWA   8   URL
1918  RL   /soapcaller.bs   UWA   12   URL
1919  RL   /plugin_googlemap2_proxy.php   UWA   12   URL
1920  RL   /images/stories/story.php   UWA   12   URL
1921  RLx  /plugins/system/.{1,250}\.php   UWA   12   URL
1922  RL   /.ssh/   UWA   12   URL
1923  RL   /known_hosts   UWA   12   URL
1924  RL   /authorized_keys   UWA   12   URL
1925  RLx  \.(key|pem|id_rsa|id_dsa)($|\s)   UWA   12   URL
1926  RLx  \.(sh|bash|nano|irb|psql|mysql)_history($|\s)   UWA   12   URL
1927  RLx  \.(bac|bak|bkp|bkf|bkp|back|backup|bakup)($|\s)   UWA   12   URL
1928  RLx  \.(history|histfile)($|\s)   UWA   12   URL
1929  RL   proftpdpasswd   UWA   12   URL
2100  RLx  nessus|acunetix|nmap|sqlmap|[nw]ikto|dirbuster|gobuster|w3af|webster|openvas|meterpreter|network-services-auditor|wpscan|hydra|XSpider   Scanner   12   $HEADERS_VAR:User-Agent
2101  RLx  absinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|appscan_fingerprint|amiga-aweb|digimarc webreader   Scanner   12   $HEADERS_VAR:User-Agent
2102  RLx  sql power injector|dav\.pm|prog.customcrawler|whcc/|grendel-scan|myie2|masscan/   Scanner   12   $HEADERS_VAR:User-Agent
2103  RLx  shellshock-scan|thanks-rob|WebCruiser|webinspect|whisker|chinaclaw|whatweb|wordpress hash grabber   Scanner   12   $HEADERS_VAR:User-Agent
2104  RLx  mysqloit|netsparker|paros|pavuk|uil2pn|friendly-scanner|sundayddr|zmeu|sqlspider|Evasions   Scanner   12   $HEADERS_VAR:User-Agent
2105  RLx  apachebench|datacha0s|nv32ts|brutus|arachni|synapse|havij|sucuri|sitelock|scanalert   Scanner   12   $HEADERS_VAR:User-Agent
2106  RLx  http_get_vars|n-stealth|picscout|t34mh4k|webshag|mozilla/\d+\.\d+\s+sf   Scanner   12   $HEADERS_VAR:User-Agent
2107  RL   ++++++++result   Scanner   12   URL
2112  RL   /jmx-console/htmladaptor   Scanner   12   URL
2115  RLx  php/\d+\.|python-httplib|winhttprequest|pymills-spider/|^\.   Scanner   1   $HEADERS_VAR:User-Agent
2116  RL   internal dummy connection   Scanner   12   $HEADERS_VAR:User-Agent
2400  RL   base64   Evasion   4   URL|ARGS
2401  RL   cghwaw5mbygpoyag   Evasion   12   BODY|URL|ARGS|HEADERS
2402  RL   http://http://   Other   12   HEADERS
2403  RLx  boundary=\S+[,|;]   Evasion   12   HEADERS
2404  RL   mid%   Evasion   8   URL|ARGS
2405  RL   dual   Evasion   2   URL|ARGS
2406  RL   strcmp   Evasion   8   URL|ARGS
2407  RLx  (\\[0-7]{1,3}(.|\s){0,50}){3,}   Evasion   8   BODY|URL|ARGS|HEADERS
2409  RLx  ((&#\d+;?)(.|\s){0,50}){3,}   Evasion   12   BODY|URL|ARGS|HEADERS
2411  RLx  (&#x[2-7]\w;(.|\s){0,50}){5,}   Evasion   12   BODY|URL|ARGS|HEADERS
2413  RLx  (file|ftps?|https?)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   Evasion   12   ARGS
2414  RLx  ((merge.{0,100}?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(match\s*?[\w(),+-]+\s*?against\s*?\())   Injection   8   ARGS|$HEADERS_VAR:Cookie
2415  RL   data:image   Injection   12   URL
2416  RLx  \Whex\W*\(   Evasion   12   BODY|URL|ARGS|HEADERS
2700  RL   getruntime().exec(   Other   12   $HEADERS_VAR:Content-Type
2701  RL   /wp/v2/posts/   Other   12   URL
2702  RL   /invoker/ejbinvokerservlet   Other   12   BODY|URL
2703  RL   service:wanipconnection:   Other   12   BODY
2704  RL   /struts2-blank/   Other   12   URL
2705  RLx  <!ENTITY\s+%*\s*[a-zA-Z1-9_-]*\s+SYSTEM   Other   12   BODY
2706  RLx  multipart/form-data;\s*boundary=[a-zA-Z0-9_-]{4000,}   Other   12   $HEADERS_VAR:Content-Type
2707  RL   java.beans.eventhandler   Other   12   BODY|ARGS
2708  RL   java.lang.   Other   12   BODY|ARGS
2709  RL   typo3_conf   Other   12   ARGS
2711  RLx  \(\s{0,250}\)\s{0,250}\{\s{0,250}\:   Other   12   BODY|ARGS|HEADERS
2712  RL   name[0%20   Other   12   BODY
2716  RLx  script_fields.{0,250}import.{0,250}java\.util   Other   12   BODY|ARGS
2717  RL   java.io.   Other   12   BODY|ARGS
2718  RL   java.util.   Other   12   BODY|ARGS
2719  RL   fill 'url   Other   12   BODY|URL|ARGS
2720  RL   $mft   Other   8   BODY|ARGS
4000  RLx  \.\./|php   Other   12   ARGS|$URL:/components/com_hdflvplayer/hdflvplayer/download.php
4001  RL   .ph   Other   12   $URL:/uploader/server/php/
4002  RL   swp_url=http   Other   12   ARGS|$URL:/wp-admin/admin-post.php
4003  RLx  option=com_user&(task|view)=register   Other   12   ARGS|$URL:/index.php
4005  RL   system.listmethods   Other   12   $URL:/xmlrpc.php|BODY
4006  RL   system.getcapabilities   Other   12   $URL:/xmlrpc.php|BODY
4007  RL   pingback.ping   UWA   12   $URL:/xmlrpc.php|BODY

Description:
RL - a blacklist rule.
WL - a whitelist rule.
An "x" after the type (RLx, WLx) means the signature is a regular expression.
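The following script is an added example, not Nemesida's code: it scores a request against a few rows copied from the rules.bin table above (blacklist rules only) and shows that the plain "union select" is caught while the first obfuscated variant from the introduction is not. It assumes plain signatures are case-insensitive substrings, regex signatures use re.I, each rule counts once, and matched scores are summed; WL rows, the MLA and $URL: zones, and the |hex| byte notation of a few plain signatures are not modelled.

```python
import re

# Rows copied from the rules.bin table on this page:
# (rule_id, regex?, signature, tag, score, match zone)
RULES = [
    (1, False, "nwaftest", "Other", 12, "BODY|URL|ARGS|HEADERS"),
    (52, False, "'", "Injection", 2, "URL|ARGS|$HEADERS_VAR:User-Agent"),
    (1007, True, r"[^-:=\.\w\|]select[^-:=\.\w\|]", "Injection", 4,
     "BODY|URL|ARGS|HEADERS"),
    (1022, True, r"union[^-:=\.\w\|]{1,250}(.|\s){0,250}select", "Injection", 8,
     "BODY|URL|ARGS|HEADERS"),
    (2100, True, r"nessus|acunetix|nmap|sqlmap|[nw]ikto|dirbuster|gobuster|w3af|"
     r"webster|openvas|meterpreter|network-services-auditor|wpscan|hydra|XSpider",
     "Scanner", 12, "$HEADERS_VAR:User-Agent"),
]


def zone_text(req, zone):
    """Return the part of the request that one match-zone token refers to."""
    headers = req.get("headers", {})
    if zone in ("BODY", "URL", "ARGS"):
        return req.get(zone.lower(), "")
    if zone == "HEADERS":
        # Rule 526 matches "User-Agent|3A| <SCRIPT>", so HEADERS is taken to
        # hold whole "Name: value" lines rather than values alone (assumption).
        return "\n".join(f"{k}: {v}" for k, v in headers.items())
    if zone.startswith("$HEADERS_VAR:"):
        wanted = zone.split(":", 1)[1].lower()
        return next((v for k, v in headers.items() if k.lower() == wanted), "")
    raise ValueError(f"match zone not modelled here: {zone}")  # MLA, $URL:...


def rule_matches(rule, req):
    """True if the signature hits in any of the rule's match zones (assumed
    case-insensitive for both plain substrings and regexes)."""
    _, is_regex, sig, _, _, zones = rule
    for zone in zones.split("|"):
        text = zone_text(req, zone)
        if is_regex and re.search(sig, text, re.I):
            return True
        if not is_regex and sig.lower() in text.lower():
            return True
    return False


def evaluate(req, rules=RULES):
    """Return (total score, ids of matched rules); each rule counts once."""
    hits = [r for r in rules if rule_matches(r, req)]
    return sum(r[4] for r in hits), [r[0] for r in hits]


if __name__ == "__main__":
    # Constructed sample requests; "obfuscated" reuses the first evasion
    # example quoted on this page and shows that these signatures miss it.
    ua = {"User-Agent": "Mozilla/5.0"}
    samples = {
        "plain sqli": {"url": "/item.php", "args": "id=1' union select 1,2 from t", "headers": ua},
        "scanner": {"url": "/", "args": "", "headers": {"User-Agent": "sqlmap/1.7"}},
        "obfuscated": {"url": "/item.php", "args": 'id=un","ion se","lect', "headers": ua},
    }
    for name, req in samples.items():
        score, hits = evaluate(req)
        print(f"{name}: score={score} hits={hits}")
```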

