SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"

# (sid 2003897) ET WEB Adobe RoboHelp XSS Attempt whstart.js
SecRule REQUEST_URI_RAW "(?i:\/whstart\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003897,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whstart.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whstart.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003898) ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm
SecRule REQUEST_URI_RAW "(?i:\/whcsh_home\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003898,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003899) ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js
SecRule REQUEST_URI_RAW "(?i:\/wf_startpage\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003899,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003900) ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm
SecRule REQUEST_URI_RAW "(?i:\/wf_startqs\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003900,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003901) ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll
SecRule REQUEST_URI_RAW "(?i:\/WindowManager\.dll)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003901,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001945) ET WEB WebAPP Apage.CGI Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/apage\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001945,rev:6,msg:'ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache.cgi'"
SecRule ARGS:f "(?i:(\.\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001669) ET WEB Proxy GET Request
SecRule REQUEST_URI_RAW "@contains GET http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001669,rev:6,msg:'ET WEB Proxy GET Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy GET Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001670) ET WEB Proxy HEAD Request
SecRule REQUEST_URI_RAW "@contains HEAD http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001670,rev:7,msg:'ET WEB Proxy HEAD Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy HEAD Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001674) ET WEB Proxy POST Request
SecRule REQUEST_URI_RAW "@contains POST http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001674,rev:6,msg:'ET WEB Proxy POST Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy POST Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001675) ET WEB Proxy CONNECT Request
SecRule REQUEST_URI_RAW "@contains CONNECT " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001675,rev:6,msg:'ET WEB Proxy CONNECT Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy CONNECT Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003156) ET WEB Crewbox Proxy Scan
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003156,rev:3,msg:'ET WEB Crewbox Proxy Scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy'"
SecRule REQUEST_URI_RAW "@contains crewbox.by.ru/crew/" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Crewbox Proxy Scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002900) ET WEB CGI AWstats Migrate Command Attempt
SecRule REQUEST_URI_RAW "(?i:\/awstats\.pl)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002900,rev:3,msg:'ET WEB CGI AWstats Migrate Command Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Awstats'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:migrate\s*=\s*\|)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB CGI AWstats Migrate Command Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002711) ET WEB includer.cgi Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "@contains /includer.cgi?|7c|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002711,rev:5,msg:'ET WEB includer.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_CGI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB includer.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002129) ET WEB Cacti Input Validation Attack
SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002129,rev:7,msg:'ET WEB Cacti Input Validation Attack',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(config_settings|top_graph_header)\.php\?.*=(http|https)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti Input Validation Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002313) ET WEB Cacti graph_image.php Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/graph_image\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002313,rev:6,msg:'ET WEB Cacti graph_image.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(graph_start=%0a.+%0a))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti graph_image.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003334) ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/cmd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003334,rev:3,msg:'ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule REQUEST_URI_RAW "@contains UNION" "chain"
SecRule REQUEST_URI_RAW "@contains SELECT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007889) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT
SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007889,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:graph_list "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007890) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT
SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007890,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:graph_list "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007891) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE
SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007891,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:graph_list "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007892) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007892,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:graph_list "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007893) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT
SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007893,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:leaf_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007894) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT
SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007894,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:leaf_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007895) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT
SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007895,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:leaf_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007896) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE
SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007896,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:leaf_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007897) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007897,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
SecRule ARGS:leaf_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2004556) ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern
SecRule REQUEST_URI_RAW "(?i:\/CCMAdmin\/serverlist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004556,rev:4,msg:'ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cisco'"
SecRule ARGS:pattern "(?i:.*<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002376) ET WEB IBM Lotus Domino BaseTarget XSS attempt
SecRule REQUEST_URI_RAW "@contains OpenForm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002376,rev:7,msg:'ET WEB IBM Lotus Domino BaseTarget XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:BaseTarget=.*?\x22)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino BaseTarget XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002377) ET WEB IBM Lotus Domino Src XSS attempt
SecRule REQUEST_URI_RAW "@contains OpenFrameSet" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002377,rev:6,msg:'ET WEB IBM Lotus Domino Src XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:src=.*\x22><\/FRAMESET>.*<script>.*<\/script>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino Src XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009361) ET WEB cmd.exe In URI - Possible Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/cmd\.exe)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009361,rev:2,msg:'ET WEB cmd.exe In URI - Possible Command Execution Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB cmd.exe In URI - Possible Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009362) ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt
SecRule REQUEST_URI_RAW "@contains /system32/" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009362,rev:2,msg:'ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009363) ET WEB Suspicious Chmod Usage in URI
SecRule QUERY_STRING|REQUEST_BODY "(?i:chmod.([r|w|x|1-7]))" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009363,rev:2,msg:'ET WEB Suspicious Chmod Usage in URI',tag:'attempted-admin',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Suspicious Chmod Usage in URI',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2008171) ET WEB HP OpenView Network Node Manager CGI Directory Traversal
SecRule REQUEST_URI_RAW "(?i:\/OpenView5\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008171,rev:2,msg:'ET WEB HP OpenView Network Node Manager CGI Directory Traversal',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_HP_Openview'"
SecRule REQUEST_URI_RAW "@contains GET " "chain"
SecRule REQUEST_URI_RAW "@contains /OvCgi/" "chain"
SecRule QUERY_STRING|REQUEST_BODY "@contains Action=../../" "chain"
SecRule QUERY_STRING|REQUEST_BODY "@contains  HTTP/1" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB HP OpenView Network Node Manager CGI Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002897) ET WEB Horde README access probe
SecRule REQUEST_URI_RAW "@contains /horde" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002897,rev:5,msg:'ET WEB Horde README access probe',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Horde'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Horde README access probe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001365) ET WEB-MISC Alternate Data Stream source view attempt
SecRule REQUEST_URI_RAW "@contains |3A 3A|$DATA" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001365,rev:8,msg:'ET WEB-MISC Alternate Data Stream source view attempt',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_ADS_Source_Code_Exposure',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Alternate Data Stream source view attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001342) ET WEB IIS ASP.net Auth Bypass / Canonicalization
SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001342,rev:21,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001343) ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001343,rev:19,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009510) ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt
SecRule REQUEST_URI_RAW "@contains .jsp\:\:$DATA" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009510,rev:2,msg:'ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Java',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001546) ET WEB-MISC LINK Method
SecRule QUERY_STRING|REQUEST_BODY "@contains LINK " "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001546,rev:7,msg:'ET WEB-MISC LINK Method',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_LINK_Method',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC LINK Method',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002777) ET WEB Light Weight Calendar 'date' Arbitrary Remote Code Execution
SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002777,rev:3,msg:'ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Light_Weight_Calendar'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:date=\d{8}\)\;.+)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001075) ET WEB-MISC cross site scripting attempt IMG onerror or onload
SecRule QUERY_STRING|REQUEST_BODY "@contains <IMG" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001075,rev:5,msg:'ET WEB-MISC cross site scripting attempt IMG onerror or onload',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\bonerror\b[\s]*=)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt IMG onerror or onload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001077) ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT
SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001077,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-javascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001078) ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT
SecRule QUERY_STRING|REQUEST_BODY "@contains text/jscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001078,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/jscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001079) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
SecRule QUERY_STRING|REQUEST_BODY "@contains text/vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001079,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001080) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001080,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001081) ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT
SecRule QUERY_STRING|REQUEST_BODY "@contains text/ecmascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001081,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/ecmascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001082) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1
SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001082,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:STYLE[\s]*=[\s]*[^>]expression[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001083) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2
SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001083,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001084) ET WEB-MISC cross site scripting attempt using XML
SecRule QUERY_STRING|REQUEST_BODY "@contains <XML" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001084,rev:5,msg:'ET WEB-MISC cross site scripting attempt using XML',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "@contains <![CDATA[<]]>SCRIPT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt using XML',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001085) ET WEB-MISC cross site scripting attempt executing hidden Javascript 1
SecRule QUERY_STRING|REQUEST_BODY "@contains innerhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001085,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001086) ET WEB-MISC cross site scripting attempt executing hidden Javascript 2
SecRule QUERY_STRING|REQUEST_BODY "@contains window.execscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001086,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:window.execScript[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001087) ET WEB-MISC cross site scripting attempt to execute Javascript code
SecRule QUERY_STRING|REQUEST_BODY "@contains javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001087,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*javascript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001088) ET WEB-MISC cross site scripting attempt to execute VBScript code
SecRule QUERY_STRING|REQUEST_BODY "@contains vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001088,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*vbscript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001089) ET WEB-MISC cross site scripting attempt to access SHELL\:
SecRule QUERY_STRING|REQUEST_BODY "@contains shell" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001089,rev:6,msg:'ET WEB-MISC cross site scripting attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*shell[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001090) ET WEB-MISC cross site scripting stealth attempt to execute Javascript code
SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001090,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001091) ET WEB-MISC cross site scripting stealth attempt to execute VBScript code
SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001091,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001092) ET WEB-MISC cross site scripting stealth attempt to access SHELL\:
SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001092,rev:8,msg:'ET WEB-MISC cross site scripting stealth attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002361) ET WEB Netquery Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/nquser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002361,rev:4,msg:'ET WEB Netquery Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netquery'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(host=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netquery Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007936) ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability
SecRule REQUEST_URI_RAW "(?i:webmail\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007936,rev:4,msg:'ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netwin'"
SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:[%n%s]{2,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002997) ET WEB PHP Remote File Inclusion (monster list http)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002997,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list http)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
SecRule REQUEST_URI_RAW "@contains http" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list http)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003098) ET WEB PHP Remote File Inclusion (monster list ftp)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003098,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list ftp)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
SecRule REQUEST_URI_RAW "@contains ftp\:" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*ftp)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list ftp)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003935) ET WEB PHP Remote File Inclusion (monster list php)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003935,rev:3,msg:'ET WEB PHP Remote File Inclusion (monster list php)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list php)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002730) ET WEB PHPGedView Remote Script Code Execution attempt
SecRule REQUEST_URI_RAW "(?i:\/help_text_vars\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002730,rev:6,msg:'ET WEB PHPGedView Remote Script Code Execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPGedView'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:PGV_BASE_DIRECTORY=(f|ht)tp\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPGedView Remote Script Code Execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002314) ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/prod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002314,rev:5,msg:'ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPOutsourcing'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(argv[1]=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001344) ET WEB PHP EasyDynamicPages exploit
SecRule ARGS_NAMES "(?i:edp_relative_path)" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001344,rev:7,msg:'ET WEB PHP EasyDynamicPages exploit',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_EasyDynamicPages_Exploit',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP EasyDynamicPages exploit',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009336) ET WEB Possible Web Backdoor cfexec.cfm access
SecRule REQUEST_URI_RAW "(?i:\/cfexec\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009336,rev:2,msg:'ET WEB Possible Web Backdoor cfexec.cfm access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cfexec.cfm access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009337) ET WEB Possible Web Backdoor cmdasp.asp access
SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009337,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009338) ET WEB Possible Web Backdoor cmdasp.aspx access
SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009338,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.aspx access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.aspx access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009339) ET WEB Possible Web Backdoor simple-backdoor.php access
SecRule REQUEST_URI_RAW "(?i:\/simple\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009339,rev:2,msg:'ET WEB Possible Web Backdoor simple-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor simple-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009340) ET WEB Possible Web Backdoor php-backdoor.php access
SecRule REQUEST_URI_RAW "(?i:\/php\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009340,rev:2,msg:'ET WEB Possible Web Backdoor php-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor php-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009341) ET WEB Possible Web Backdoor jsp-reverse.jsp access
SecRule REQUEST_URI_RAW "(?i:\/jsp\-reverse\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009341,rev:2,msg:'ET WEB Possible Web Backdoor jsp-reverse.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor jsp-reverse.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009342) ET WEB Possible Web Backdoor perlcmd.cgi access
SecRule REQUEST_URI_RAW "(?i:\/perlcmd\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009342,rev:2,msg:'ET WEB Possible Web Backdoor perlcmd.cgi access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor perlcmd.cgi access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009343) ET WEB Possible Web Backdoor cmdjsp.jsp access
SecRule REQUEST_URI_RAW "(?i:\/cmdjsp\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009343,rev:2,msg:'ET WEB Possible Web Backdoor cmdjsp.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdjsp.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009344) ET WEB Possible Web Backdoor cmd-asp-5.1.asp access
SecRule REQUEST_URI_RAW "(?i:\/cmd\-asp\-5\.1\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009344,rev:2,msg:'ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002972) ET WEB PHP ZeroBoard .htaccess upload
SecRule QUERY_STRING|REQUEST_BODY "@contains filename=" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002972,rev:3,msg:'ET WEB PHP ZeroBoard .htaccess upload',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_ZeroBoard'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:^\s*\.htaccess)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP ZeroBoard .htaccess upload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2001738) ET WEB PHP vBulletin Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:forumdisplay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001738,rev:9,msg:'ET WEB PHP vBulletin Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
SecRule ARGS:comma "(?i:(\.system\(.+\)\.))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP vBulletin Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002388) ET WEB vBulletin misc.php Template Name Arbitrary Code Execution
SecRule REQUEST_URI_RAW "(?i:\/misc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002388,rev:5,msg:'ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
SecRule REQUEST_URI_RAW "@contains &template=.*{${" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002837) ET WEB PmWiki Globals Variables Overwrite Attempt
SecRule REQUEST_URI_RAW "(?i:\/pmwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002837,rev:3,msg:'ET WEB PmWiki Globals Variables Overwrite Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PMWiki'"
SecRule QUERY_STRING|REQUEST_BODY "@contains GLOBALS[FarmD]=" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:GLOBALS\x5bFarmD\x5d\x3d)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PmWiki Globals Variables Overwrite Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2008687) ET WEB PassWiki site_id Parameter Local File Inclusion
SecRule REQUEST_URI_RAW "(?i:\/passwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008687,rev:2,msg:'ET WEB PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PassWiki'"
SecRule REQUEST_URI_RAW "@contains GET " "chain"
SecRule ARGS:site_id "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007871) ET WEB Philips VOIP841 Web Server Directory Traversal
SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007871,rev:2,msg:'ET WEB Philips VOIP841 Web Server Directory Traversal',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Philips_VOIP'"
SecRule REQUEST_URI_RAW "@contains /etc/passwd" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Philips VOIP841 Web Server Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002331) ET WEB Piranha default passwd attempt
SecRule REQUEST_URI_RAW "(?i:\/piranha\/secure\/control\.php3)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002331,rev:3,msg:'ET WEB Piranha default passwd attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Piranha'"
SecRule QUERY_STRING|REQUEST_BODY "@contains Authorization\: Basic cGlyYW5oYTp" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Piranha default passwd attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2008622) ET WEB Pritlog index.php filename File Disclosure
SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008622,rev:2,msg:'ET WEB Pritlog index.php filename File Disclosure',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Pritlog'"
SecRule REQUEST_URI_RAW "@contains /index.php?option=viewEntry" "chain"
SecRule ARGS:&filename "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Pritlog index.php filename File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009152) ET WEB PHP Generic Remote File Include Attempt (HTTPS)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009152,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (HTTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
SecRule REQUEST_URI_RAW "@contains =https\:/" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (HTTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009153) ET WEB PHP Generic Remote File Include Attempt (FTP)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009153,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (FTP)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
SecRule REQUEST_URI_RAW "@contains =ftp\:/" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTP)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2009155) ET WEB PHP Generic Remote File Include Attempt (FTPS)
SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009155,rev:5,msg:'ET WEB PHP Generic Remote File Include Attempt (FTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
SecRule REQUEST_URI_RAW "@contains =ftps\:/" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002660) ET WEB RSA Web Auth Exploit Attempt - Long URL
SecRule REQUEST_URI_RAW "(?i:\?Redirect)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002660,rev:5,msg:'ET WEB RSA Web Auth Exploit Attempt - Long URL',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RSA'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:url=.{8000})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB RSA Web Auth Exploit Attempt - Long URL',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2006443) ET WEB Possible SQL Injection Attempt DELETE FROM
SecRule REQUEST_URI_RAW "@contains DELETE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006443,rev:6,msg:'ET WEB Possible SQL Injection Attempt DELETE FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt DELETE FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2006444) ET WEB Possible SQL Injection Attempt INSERT INTO
SecRule REQUEST_URI_RAW "@contains INSERT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006444,rev:6,msg:'ET WEB Possible SQL Injection Attempt INSERT INTO',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
SecRule REQUEST_URI_RAW "@contains  INTO " "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt INSERT INTO',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2006445) ET WEB Possible SQL Injection Attempt SELECT FROM
SecRule REQUEST_URI_RAW "@contains SELECT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006445,rev:6,msg:'ET WEB Possible SQL Injection Attempt SELECT FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt SELECT FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2006446) ET WEB Possible SQL Injection Attempt UNION SELECT
SecRule REQUEST_URI_RAW "@contains UNION " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006446,rev:6,msg:'ET WEB Possible SQL Injection Attempt UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
SecRule REQUEST_URI_RAW "@contains  SELECT " "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2006447) ET WEB Possible SQL Injection Attempt UPDATE SET
SecRule REQUEST_URI_RAW "@contains UPDATE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006447,rev:7,msg:'ET WEB Possible SQL Injection Attempt UPDATE SET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
SecRule REQUEST_URI_RAW "@contains  SET " "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:[&\?].*UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UPDATE SET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003903) ET WEB Microsoft SharePoint XSS Attempt default.aspx
SecRule REQUEST_URI_RAW "(?i:\/default\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003903,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt default.aspx',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt default.aspx',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003904) ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]
SecRule REQUEST_URI_RAW "(?i:\/contact\/contact\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003904,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
SecRule ARGS:form[mail] "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003705) ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
SecRule REQUEST_URI_RAW "(?i:\/site_conf\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003705,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003706) ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/class\.csv\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003706,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003707) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003707,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003708) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/functionen\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003708,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003709) ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/hg_referenz_jobgalerie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003709,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003710) ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/surfer_anmeldung_NWL\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003710,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003711) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie_alle\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003711,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003712) ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/surfer_aendern\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003712,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003715) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003715,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003713) ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/module\/referenz\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003713,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003714) ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/standard\/1\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003714,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003867) ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot
SecRule REQUEST_URI_RAW "(?i:\/standard\/3\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003867,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002662) ET WEB TWiki INCLUDE remote command execution attempt
SecRule QUERY_STRING|REQUEST_BODY "(?i:%INCLUDE\s*{.*rev=\x22\d+\|.+\x22.*}\s*%)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002662,rev:5,msg:'ET WEB TWiki INCLUDE remote command execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki INCLUDE remote command execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003085) ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt
SecRule QUERY_STRING|REQUEST_BODY "(?i:&TYPEOF\:.+system\s*\()" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003085,rev:4,msg:'ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003099) ET WEB-MISC Poison Null Byte
SecRule REQUEST_URI_RAW "@contains |00|" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003099,rev:4,msg:'ET WEB-MISC Poison Null Byte',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_URI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Poison Null Byte',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002494) ET WEB Versatile Bulletin Board SQL Injection Attack
SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002494,rev:5,msg:'ET WEB Versatile Bulletin Board SQL Injection Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_VersatileBB'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:select=.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Versatile Bulletin Board SQL Injection Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002100) ET WEB WPS wps_shop.cgi Remote Command Execution Attempt
SecRule REQUEST_URI_RAW "(?i:\/wps_shop\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002100,rev:4,msg:'ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WPS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(art=\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002844) ET WEB WebDAV search overflow
SecRule QUERY_STRING|REQUEST_BODY "@contains SEARCH " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002844,rev:4,msg:'ET WEB WebDAV search overflow',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Webdav',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebDAV search overflow',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2004574) ET WEB WikyBlog XSS Attempt sessionRegister.php
SecRule REQUEST_URI_RAW "(?i:\/include\/sessionRegister\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004574,rev:4,msg:'ET WEB WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WikyBlog'"
SecRule REQUEST_URI_RAW "@contains | 3C |" "chain"
SecRule REQUEST_URI_RAW "@contains SCRIPT" "chain"
SecRule REQUEST_URI_RAW "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007872) ET WEB WinIPDS Directory Traversal Vulnerabilities GET
SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007872,rev:2,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities GET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities GET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2007873) ET WEB WinIPDS Directory Traversal Vulnerabilities POST
SecRule REQUEST_URI_RAW "@contains POST " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007873,rev:3,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities POST',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities POST',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2008553) ET WEB WordPress Random Password Generation Insufficient Entropy Attack
SecRule REQUEST_URI_RAW "(?i:\/wp\-login\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008553,rev:2,msg:'ET WEB WordPress Random Password Generation Insufficient Entropy Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress'"
SecRule REQUEST_URI_RAW "@contains POST " "chain"
SecRule ARGS:action "(?i:\w+(%20){60,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WordPress Random Password Generation Insufficient Entropy Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002408) ET WEB phpMyAdmin Suspicious Activity
SecRule REQUEST_URI_RAW "(?i:\/grab_globals\.lib\.php)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002408,rev:7,msg:'ET WEB phpMyAdmin Suspicious Activity',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin'"
SecRule REQUEST_URI_RAW "@contains POST " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Suspicious Activity',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002409) ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)
SecRule QUERY_STRING|REQUEST_BODY "@contains [redirect]" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002409,rev:5,msg:'ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2002667) ET WEB sumthin scan
SecRule REQUEST_URI_RAW "@contains GET /sumthin HTTP/1." "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002667,rev:3,msg:'ET WEB sumthin scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_sumthin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB sumthin scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


# (sid 2003167) ET WEB tikiwiki featured link XSS attempt
SecRule REQUEST_URI_RAW "(?i:\/tiki\-featured_link\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003167,rev:4,msg:'ET WEB tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_tikiwiki'"
SecRule ARGS_NAMES "(?i:type)" "chain"
SecRule REQUEST_URI_RAW "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"


SecMarker END_SNORT_RULES