2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAuditEngine RelevantOnly" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAuditLogRelevantStatus \"^(?:(5|4)(0|1)[0-9])$\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAuditLogParts ABIJDEFHZ" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAuditLogType Serial" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecArgumentSeparator &" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecCookieFormat 0" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecComponentSignature \"OWASP_CRS/4.0.0-rc2\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:crs_setup_version \"@eq 0\" \"id:901001,phase:1,deny,status:500,log,auditlog,msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:inbound_anomaly_score_threshold \"@eq 0\" \"id:901100,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.inbound_anomaly_score_threshold=5'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:outbound_anomaly_score_threshold \"@eq 0\" \"id:901110,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.outbound_anomaly_score_threshold=4'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:reporting_level \"@eq 0\" \"id:901111,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.reporting_level=4'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:early_blocking \"@eq 0\" \"id:901115,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.early_blocking=0'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:blocking_paranoia_level \"@eq 0\" \"id:901120,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.blocking_paranoia_level=1'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:detection_paranoia_level \"@eq 0\" \"id:901125,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:sampling_percentage \"@eq 0\" \"id:901130,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.sampling_percentage=100'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:critical_anomaly_score \"@eq 0\" \"id:901140,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.critical_anomaly_score=5'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:error_anomaly_score \"@eq 0\" \"id:901141,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.error_anomaly_score=4'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:warning_anomaly_score \"@eq 0\" \"id:901142,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.warning_anomaly_score=3'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:notice_anomaly_score \"@eq 0\" \"id:901143,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.notice_anomaly_score=2'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:allowed_methods \"@eq 0\" \"id:901160,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:allowed_request_content_type \"@eq 0\" \"id:901162,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:allowed_request_content_type_charset \"@eq 0\" \"id:901168,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:allowed_http_versions \"@eq 0\" \"id:901163,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:restricted_extensions \"@eq 0\" \"id:901164,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:restricted_headers_basic \"@eq 0\" \"id:901165,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:restricted_headers_extended \"@eq 0\" \"id:901171,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.restricted_headers_extended=/accept-charset/'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:enforce_bodyproc_urlencoded \"@eq 0\" \"id:901167,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.enforce_bodyproc_urlencoded=0'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:crs_validate_utf8_encoding \"@eq 0\" \"id:901169,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.crs_validate_utf8_encoding=0'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAction \"id:901200,phase:1,pass,t:none,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0',setvar:'tx.blocking_outbound_anomaly_score=0',setvar:'tx.detection_outbound_anomaly_score=0',setvar:'tx.outbound_anomaly_score_pl1=0',setvar:'tx.outbound_anomaly_score_pl2=0',setvar:'tx.outbound_anomaly_score_pl3=0',setvar:'tx.outbound_anomaly_score_pl4=0',setvar:'tx.anomaly_score=0'\"" 2024/01/09 18:41:04 [DEBUG] Added SecAction actions="id:901200,phase:1,pass,t:none,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0',setvar:'tx.blocking_outbound_anomaly_score=0',setvar:'tx.detection_outbound_anomaly_score=0',setvar:'tx.outbound_anomaly_score_pl1=0',setvar:'tx.outbound_anomaly_score_pl2=0',setvar:'tx.outbound_anomaly_score_pl3=0',setvar:'tx.outbound_anomaly_score_pl4=0',setvar:'tx.anomaly_score=0'" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:ENABLE_DEFAULT_COLLECTIONS \"@eq 1\" \"id:901320,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"@rx ^.*$\" \"t:none,t:sha1,t:hexEncode,initcol:global=global,initcol:ip=%{remote_addr}_%{MATCHED_VAR}\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQBODY_PROCESSOR \"!@rx (?:URLENCODED|MULTIPART|XML|JSON)\" \"id:901340,phase:1,pass,nolog,noauditlog,msg:'Enabling body inspection',ctl:forceRequestBodyVariable=On,ver:'OWASP_CRS/4.0.0-rc2'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:enforce_bodyproc_urlencoded \"@eq 1\" \"id:901350,phase:1,pass,t:none,t:urlDecodeUni,nolog,noauditlog,msg:'Enabling forced body inspection for ASCII content',ver:'OWASP_CRS/4.0.0-rc2',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQBODY_PROCESSOR \"!@rx (?:URLENCODED|MULTIPART|XML|JSON)\" \"ctl:requestBodyProcessor=URLENCODED\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:sampling_percentage \"@eq 100\" \"id:901400,phase:1,pass,nolog,ver:'OWASP_CRS/4.0.0-rc2',skipAfter:END-SAMPLING\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule UNIQUE_ID \"@rx ^[a-f]*([0-9])[a-f]*([0-9])\" \"id:901410,phase:1,pass,capture,t:sha1,t:hexEncode,nolog,ver:'OWASP_CRS/4.0.0-rc2',setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:sampling_rnd100 \"!@lt %{tx.sampling_percentage}\" \"id:901450,phase:1,pass,log,noauditlog,msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',ctl:ruleRemoveByTag=OWASP_CRS,ver:'OWASP_CRS/4.0.0-rc2'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-SAMPLING\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:detection_paranoia_level \"@lt %{tx.blocking_paranoia_level}\" \"id:901500,phase:1,deny,status:500,t:none,log,msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',ver:'OWASP_CRS/4.0.0-rc2'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE \"@streq GET /\" \"id:905100,phase:1,pass,t:none,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-apache',tag:'attack-generic',ver:'OWASP_CRS/4.0.0-rc2',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REMOTE_ADDR \"@ipMatch 127.0.0.1,::1\" \"t:none,ctl:ruleRemoveByTag=OWASP_CRS,ctl:auditEngine=Off\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REMOTE_ADDR \"@ipMatch 127.0.0.1,::1\" \"id:905110,phase:1,pass,t:none,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-apache',tag:'attack-generic',ver:'OWASP_CRS/4.0.0-rc2',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"@endsWith (internal dummy connection)\" \"t:none,chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE \"@rx ^(?:GET /|OPTIONS \\*) HTTP/[12]\\.[01]$\" \"t:none,ctl:ruleRemoveByTag=OWASP_CRS,ctl:auditEngine=Off\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"!@within %{tx.allowed_methods}\" \"id:911100,phase:1,block,msg:'Method is not allowed by policy',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-generic',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/274',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-911-METHOD-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE \"!@rx (?i)^(?:get /[^#\\?]*(?:\\?[^\\s\\v#]*)?(?:#[^\\s\\v]*)?|(?:connect (?:(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\.?(?::[0-9]+)?|[\\--9A-Z_a-z]+:[0-9]+)|options \\*|[a-z]{3,10}[\\s\\v]+(?:[0-9A-Z_a-z]{3,7}?://[\\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\\?]*(?:\\?[^\\s\\v#]*)?(?:#[^\\s\\v]*)?)[\\s\\v]+[\\.-9A-Z_a-z]+)$\" \"id:920100,phase:1,block,t:none,msg:'Invalid HTTP Request Line',logdata:'%{request_line}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES|FILES_NAMES \"!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\\\"';=])*$\" \"id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Length \"!@rx ^\\d+$\" \"id:920160,phase:1,block,t:none,msg:'Content-Length HTTP header is not numeric',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"@rx ^(?:GET|HEAD)$\" \"id:920170,phase:1,block,t:none,msg:'GET or HEAD Request with Body Content',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Length \"!@rx ^0?$\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"@rx ^(?:GET|HEAD)$\" \"id:920171,phase:1,block,t:none,msg:'GET or HEAD Request with Transfer-Encoding',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Transfer-Encoding \"!@eq 0\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_PROTOCOL \"!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0\" \"id:920180,phase:1,block,t:none,msg:'POST without Content-Length or Transfer-Encoding headers',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"@streq POST\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Content-Length \"@eq 0\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Transfer-Encoding \"@eq 0\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Transfer-Encoding \"!@eq 0\" \"id:920181,phase:1,block,t:none,msg:'Content-Length and Transfer-Encoding headers present',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Content-Length \"!@eq 0\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range \"@rx (\\d+)-(\\d+)\" \"id:920190,phase:1,block,capture,t:none,msg:'Range: Invalid Last Byte Value',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:2 \"@lt %{tx.1}\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Connection \"@rx \\b(?:keep-alive|close),\\s?(?:keep-alive|close)\\b\" \"id:920210,phase:1,block,t:none,msg:'Multiple/Conflicting Connection Header Data Found',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI \"@rx \\x25\" \"id:920220,phase:1,block,t:none,msg:'URL Encoding Abuse Attack Attempt',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/267/72',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI \"@validateUrlEncoding\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx ^(?i)application/x-www-form-urlencoded\" \"id:920240,phase:2,block,t:none,msg:'URL Encoding Abuse Attack Attempt',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/267/72',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BODY \"@rx \\x25\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BODY \"@validateUrlEncoding\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:CRS_VALIDATE_UTF8_ENCODING \"@eq 1\" \"id:920250,phase:2,block,t:none,msg:'UTF8 Encoding Abuse Attack Attempt',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/267',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES \"@validateUtf8Encoding\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_BODY \"@rx (?i)%uff[0-9a-f]{2}\" \"id:920260,phase:2,block,t:none,msg:'Unicode Full/Half Width Abuse Attack Attempt',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-iis',tag:'platform-windows',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/267/72',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES \"@validateByteRange 1-255\" \"id:920270,phase:2,block,t:none,t:urlDecodeUni,msg:'Invalid character in request (null character)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Host \"@eq 0\" \"id:920280,phase:1,pass,t:none,msg:'Request Missing a Host Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',skipAfter:END-HOST-CHECK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Host \"@rx ^$\" \"id:920290,phase:1,block,t:none,msg:'Empty Host Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-HOST-CHECK\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Accept \"@rx ^$\" \"id:920310,phase:1,pass,t:none,msg:'Request Has an Empty Accept Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"!@rx ^OPTIONS$\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"!@pm AppleWebKit Android Business Enterprise Entreprise\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Accept \"@rx ^$\" \"id:920311,phase:1,pass,t:none,msg:'Request Has an Empty Accept Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"!@rx ^OPTIONS$\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:User-Agent \"@eq 0\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"@rx ^$\" \"id:920330,phase:1,pass,t:none,msg:'Empty User Agent Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Length \"!@rx ^0$\" \"id:920340,phase:1,pass,t:none,msg:'Request Containing Content, but Missing Content-Type header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Content-Type \"@eq 0\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Host \"@rx (?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)\" \"id:920350,phase:1,block,t:none,msg:'Host header is a numeric IP address',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:MAX_NUM_ARGS \"@eq 1\" \"id:920380,phase:2,block,t:none,msg:'Too many arguments in request',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &ARGS \"@gt %{tx.max_num_args}\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:ARG_NAME_LENGTH \"@eq 1\" \"id:920360,phase:2,block,t:none,msg:'Argument name too long',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@gt %{tx.arg_name_length}\" \"t:none,t:length,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:ARG_LENGTH \"@eq 1\" \"id:920370,phase:2,block,t:none,msg:'Argument value too long',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@gt %{tx.arg_length}\" \"t:none,t:length,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:TOTAL_ARG_LENGTH \"@eq 1\" \"id:920390,phase:2,block,t:none,msg:'Total arguments size exceeded',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_COMBINED_SIZE \"@gt %{tx.total_arg_length}\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:MAX_FILE_SIZE \"@eq 1\" \"id:920400,phase:1,block,t:none,msg:'Uploaded file size too large',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx ^(?i)multipart/form-data\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Length \"@gt %{tx.max_file_size}\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &TX:COMBINED_FILE_SIZES \"@eq 1\" \"id:920410,phase:2,block,t:none,msg:'Total uploaded files size too large',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES_COMBINED_SIZE \"@gt %{tx.combined_file_sizes}\" \"t:none,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"!@rx ^[\\w/.+*-]+(?:\\s?;\\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\\s?=\\s?['\\\"\\w.()+,/:=?<>@#*-]+)*$\" \"id:920470,phase:1,block,t:none,t:lowercase,msg:'Illegal Content-Type header',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx ^[^;\\s]+\" \"id:920420,phase:1,block,capture,t:none,msg:'Request content type is not allowed by policy',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.content_type=|%{tx.0}|',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:content_type \"!@within %{tx.allowed_request_content_type}\" \"t:lowercase,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx charset\\s*=\\s*[\\\"']?([^;\\\"'\\s]+)\" \"id:920480,phase:1,block,capture,t:none,msg:'Request content type charset is not allowed by policy',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.content_type_charset=|%{tx.1}|',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:content_type_charset \"!@within %{tx.allowed_request_content_type_charset}\" \"t:lowercase,ctl:forceRequestBodyVariable=On,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx charset.*?charset\" \"id:920530,phase:1,block,t:none,t:lowercase,msg:'Multiple charsets detected in content type header',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_PROTOCOL \"!@within %{tx.allowed_http_versions}\" \"id:920430,phase:1,block,t:none,msg:'HTTP protocol version is not allowed by policy',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME \"@rx \\.([^.]+)$\" \"id:920440,phase:1,block,capture,t:none,msg:'URL file extension is restricted by policy',logdata:'%{TX.0}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.extension=.%{tx.1}/',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:EXTENSION \"@within %{tx.restricted_extensions}\" \"t:none,t:urlDecodeUni,t:lowercase,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME \"@rx \\.[^.~]+~(?:/.*|)$\" \"id:920500,phase:1,block,t:none,t:urlDecodeUni,msg:'Attempt to access a backup or working file',logdata:'%{TX.0}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS_NAMES \"@rx ^.*$\" \"id:920450,phase:1,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:/^header_name_920450_/ \"@within %{tx.restricted_headers_basic}\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Accept-Encoding \"@gt 50\" \"id:920520,phase:1,block,t:none,t:lowercase,t:length,msg:'Accept-Encoding header exceeded sensible length',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Accept \"!@rx ^(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\v]*,[\\s\\v]*(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$\" \"id:920600,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept header: charset parameter',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQBODY_PROCESSOR \"!@streq JSON\" \"id:920540,phase:2,block,t:none,msg:'Possible Unicode character bypass detected',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/267/72',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES \"@rx (?i)\\x5cu[0-9a-f]{4}\" \"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI_RAW \"@contains #\" \"id:920610,phase:1,block,t:none,msg:'Raw (unencoded) fragment in request URI',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Content-Type \"@gt 1\" \"id:920620,phase:1,block,t:none,msg:'Multiple Content-Type Request Headers',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range \"@rx ^bytes=(?:(?:\\d+)?-(?:\\d+)?\\s*,?\\s*){6}\" \"id:920200,phase:1,block,t:none,msg:'Range: Too many fields (6 or more)',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME \"!@endsWith .pdf\" \"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME \"@endsWith .pdf\" \"id:920201,phase:1,block,t:none,msg:'Range: Too many fields for pdf request (63 or more)',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range \"@rx ^bytes=(?:(?:\\d+)?-(?:\\d+)?\\s*,?\\s*){63}\" \"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx %[0-9a-fA-F]{2}\" \"id:920230,phase:2,block,t:none,msg:'Multiple URL Encoding Detected',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/255/153/267/120',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES \"@validateByteRange 9,10,13,32-126,128-255\" \"id:920271,phase:2,block,t:none,t:urlDecodeUni,msg:'Invalid character in request (non printable characters)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:User-Agent \"@eq 0\" \"id:920320,phase:1,pass,t:none,msg:'Missing User Agent Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES_NAMES|FILES \"@rx ['\\\";=]\" \"id:920121,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Length \"!@rx ^0$\" \"id:920341,phase:1,block,t:none,msg:'Request Containing Content Requires Content-Type header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Content-Type \"@eq 0\" \"t:none,setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS_NAMES \"@rx ^.*$\" \"id:920451,phase:1,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:/^header_name_920451_/ \"@within %{tx.restricted_headers_extended}\" \"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY \"@validateByteRange 32-36,38-126\" \"id:920272,phase:2,block,t:none,t:urlDecodeUni,msg:'Invalid character in request (outside of printable chars below ascii 127)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Accept \"@eq 0\" \"id:920300,phase:1,pass,t:none,msg:'Request Missing an Accept Header',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'PCI/6.5.10',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'NOTICE',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_METHOD \"!@rx ^(?:OPTIONS|CONNECT)$\" \"chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"!@pm AppleWebKit Android\" \"t:none,setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:x-up-devcap-post-charset \"@ge 1\" \"id:920490,phase:1,block,t:none,msg:'Request header x-up-devcap-post-charset detected in combination with prefix \\'UP\\' to User-Agent',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'language-aspnet',tag:'platform-windows',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent \"@rx ^(?i)up\" \"t:none,setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Cache-Control \"@gt 0\" \"id:920510,phase:1,block,t:none,msg:'Invalid Cache-Control request header',logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'header-allowlist',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Cache-Control \"!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\\s*\\,\\s*|$)){1,7}$\" \"setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Accept-Encoding \"!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)\" \"id:920521,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept-Encoding header',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME \"@endsWith .pdf\" \"id:920202,phase:1,block,t:none,msg:'Range: Too many fields for pdf request (6 or more)',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range \"@rx ^bytes=(?:(?:\\d+)?-(?:\\d+)?\\s*,?\\s*){6}\" \"setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_BODY \"@validateByteRange 38,44-46,48-58,61,65-90,95,97-122\" \"id:920273,phase:2,block,t:none,t:urlDecodeUni,msg:'Invalid character in request (outside of very strict set)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile \"@validateByteRange 32,34,38,42-59,61,65-90,95,97-122\" \"id:920274,phase:1,block,t:none,t:urlDecodeUni,msg:'Invalid character in request headers (outside of very strict set)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile \"!@rx ^(?:\\?[01])?$\" \"id:920275,phase:1,block,t:none,t:urlDecodeUni,msg:'Invalid character in request headers (outside of very strict set)',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/210/272',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES \"@rx (?:^|[^\\x5c])\\x5c[cdeghijklmpqwxyz123456789]\" \"id:920460,phase:2,block,capture,t:none,t:htmlEntityDecode,t:lowercase,msg:'Abnormal character escapes in request',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/4',tag:'OWASP_CRS',tag:'capec/1000/153/267',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-920-PROTOCOL-ENFORCEMENT\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* \"@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d\" \"id:921110,phase:2,block,capture,t:none,t:htmlEntityDecode,t:lowercase,msg:'HTTP Request Smuggling Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/33',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx [\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w\" \"id:921120,phase:2,block,capture,t:none,t:lowercase,msg:'HTTP Response Splitting Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/34',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:\\bhttp/\\d|<(?:html|meta)\\b)\" \"id:921130,phase:2,block,capture,t:none,t:htmlEntityDecode,t:lowercase,msg:'HTTP Response Splitting Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/34',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS \"@rx [\\n\\r]\" \"id:921140,phase:1,block,capture,t:none,t:htmlEntityDecode,msg:'HTTP Header Injection Attack via headers',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/273',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx [\\n\\r]\" \"id:921150,phase:2,block,capture,t:none,t:htmlEntityDecode,msg:'HTTP Header Injection Attack via payload (CR/LF detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/33',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_GET_NAMES|ARGS_GET \"@rx [\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:\" \"id:921160,phase:1,block,capture,t:none,t:htmlEntityDecode,t:lowercase,msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/33',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME \"@rx [\\n\\r]\" \"id:921190,phase:1,block,t:none,t:urlDecodeUni,msg:'HTTP Splitting (CR/LF in request filename detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/34',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ^[^:\\(\\)\\&\\|\\!\\<\\>\\~]*\\)\\s*(?:\\((?:[^,\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=|\\s*[&!|]\\s*(?:\\)|\\()?\\s*)|\\)\\s*\\(\\s*[\\&\\|\\!]\\s*|[&!|]\\s*\\([^\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=[^:\\(\\)\\&\\|\\!\\<\\>\\~]*)\" \"id:921200,phase:2,block,capture,t:none,t:htmlEntityDecode,msg:'LDAP Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-ldap',tag:'platform-multi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/136',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx ^[^\\s\\v,;]+[\\s\\v,;].*?(?:application/(?:.+\\+)?json|(?:application/(?:soap\\+)?|text/)xml)\" \"id:921421,phase:1,block,capture,t:none,t:lowercase,msg:'Content-Type header: Dangerous content type outside the mime type declaration',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI \"@rx unix:[^|]*\\|\" \"id:921240,phase:1,block,capture,t:none,t:lowercase,msg:'mod_proxy attack attempt detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-apache',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/33',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_GET \"@rx [\\n\\r]\" \"id:921151,phase:1,block,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,msg:'HTTP Header Injection Attack via payload (CR/LF detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/210/272/220/33',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Content-Type \"@rx ^[^\\s\\v,;]+[\\s\\v,;].*?\\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\\+/]))\\b\" \"id:921422,phase:1,block,capture,t:none,t:lowercase,msg:'Content-Type header: Dangerous content type outside the mime type declaration',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'PCI/12.1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Range \"@gt 0\" \"id:921230,phase:1,block,t:none,msg:'HTTP Range Header detected',logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/210/272/220',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx .\" \"id:921170,phase:2,pass,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/152/137/15/460',ver:'OWASP_CRS/4.0.0-rc2',setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:/paramcounter_.*/ \"@gt 1\" \"id:921180,phase:2,pass,msg:'HTTP Parameter Pollution (%{TX.1})',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/152/137/15/460',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VARS_NAMES \"@rx TX:paramcounter_(.*)\" \"capture,setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx (][^\\]]+$|][^\\]]+\\[)\" \"id:921210,phase:2,pass,log,msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/152/137/15/460',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx \\[\" \"id:921220,phase:2,pass,log,msg:'HTTP Parameter Pollution possible via array notation',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/1000/152/137/15/460',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-921-PROTOCOL-ATTACK\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &MULTIPART_PART_HEADERS:_charset_ \"!@eq 0\" \"id:922100,phase:2,block,t:none,msg:'Multipart content type global _charset_ definition is not allowed by policy',logdata:'Matched Data: %{ARGS._charset_}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-multipart-header',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS:_charset_ \"!@within |%{tx.allowed_request_content_type_charset}|\" \"t:lowercase,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MULTIPART_PART_HEADERS \"@rx ^content-type\\s*:\\s*(.*)$\" \"id:922110,phase:2,block,capture,t:none,t:lowercase,msg:'Illegal MIME Multipart Header content-type: charset parameter',logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS',tag:'capec/272/220',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"!@rx ^(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\v]*,[\\s\\v]*(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$\" \"t:lowercase,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MULTIPART_PART_HEADERS \"@rx content-transfer-encoding:(.*)\" \"id:922120,phase:2,block,capture,t:none,t:lowercase,msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',logdata:'Matched Data: %{TX.0}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-deprecated-header',tag:'OWASP_CRS',tag:'capec/272/220',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* \"@rx (?i)(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\.(?:%0[0-1]|\\?)?|\\?\\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))\" \"id:930100,phase:2,block,capture,t:none,msg:'Path Traversal Attack (/../) or (/.../)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-lfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/126',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* \"@rx (?:(?:^|[\\x5c/;])\\.{2,3}[\\x5c/;]|[\\x5c/;]\\.{2,3}(?:[\\x5c/;]|$))\" \"id:930110,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,msg:'Path Traversal Attack (/../) or (/.../)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-lfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/126',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile lfi-os-files.data\" \"id:930120,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,msg:'OS File Access Attempt',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-lfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/126',tag:'PCI/6.5.4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME \"@pmFromFile restricted-files.data\" \"id:930130,phase:1,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,msg:'Restricted File Access Attempt',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-lfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/255/153/126',tag:'PCI/6.5.4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent \"@pmFromFile lfi-os-files.data\" \"id:930121,phase:1,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,msg:'OS File Access Attempt in REQUEST_HEADERS',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-lfi',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/255/153/126',tag:'PCI/6.5.4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-930-APPLICATION-ATTACK-LFI\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx ^(?i:file|ftps?|https?)://(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" \"id:931100,phase:2,block,capture,t:none,msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/175/253',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule QUERY_STRING|REQUEST_BODY \"@rx (?i)(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://\" \"id:931110,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/175/253',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx ^(?i:file|ftps?|https?).*?\\?+$\" \"id:931120,phase:2,block,capture,t:none,msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rfi',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/175/253',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)\" \"id:931130,phase:2,block,capture,t:none,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rfi',tag:'OWASP_CRS',tag:'capec/1000/152/175/253',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:/rfi_parameter_.*/ \"!@endsWith .%{request_headers.host}\" \"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME \"@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)\" \"id:931131,phase:1,block,capture,t:none,t:urlDecodeUni,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rfi',tag:'OWASP_CRS',tag:'capec/1000/152/175/253',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:/rfi_parameter_.*/ \"!@endsWith .%{request_headers.host}\" \"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-931-APPLICATION-ATTACK-RFI\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:7[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[arx])?|(?:(?:b[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z|x)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z|h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|[ckz][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?f|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?v|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)|f[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[dg]|g[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[&,<>\\|]|(?:[\\--\\.0-9A-Z_a-z][\\\"'\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)+[\\s\\v&,<>\\|]).*|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?g)|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?b|l[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:s|z[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:4|[\\s\\v&\\),<>\\|].*))|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|x[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z)|r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*)?|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|(?:e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|(?:s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?h)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n)|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?3[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m)\\b\" \"id:932230,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\\s\\v&\\)<>\\|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[\\s\\v&\\)<>\\|]|nsible-playbook|pt(?:-get|itude[\\s\\v&\\)<>\\|])|r(?:ch[\\s\\v&\\)<>\\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\\s\\v&\\)<>\\|]|c))|h[\\s\\v&\\)<>\\|])|tch[\\s\\v&\\)<>\\|])|lkid|pftrace|r(?:eaksw|idge[\\s\\v&\\)<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\v&\\)<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\\s\\v&\\)<>\\|]|ertbot|h(?:attr|(?:dir|root)[\\s\\v&\\)<>\\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\\s\\v&\\)<>\\|]|\\+\\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\v&\\)<>\\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\\s\\v&\\)<>\\|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[\\s\\v&\\)<>\\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\\s\\v&\\)<>\\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\\s\\v&\\)<>\\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\\s\\v&\\)<>\\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\\s\\v&\\)<>\\|]|iftool|p(?:(?:and|(?:ec|or)t)[\\s\\v&\\)<>\\|]|r)))|f(?:acter|(?:etch|lock|unction)[\\s\\v&\\)<>\\|]|grep|i(?:le(?:[\\s\\v&\\)<>\\|]|test)|(?:n(?:d|ger)|sh)[\\s\\v&\\)<>\\|])|o(?:ld[\\s\\v&\\)<>\\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\\s\\v&\\)<>\\|]|core|e(?:ni(?:e[\\s\\v&\\)<>\\|]|soimage)|tfacl[\\s\\v&\\)<>\\|])|hci|i(?:mp[\\s\\v&\\)<>\\|]|nsh)|r(?:ep[\\s\\v&\\)<>\\|]|oup(?:[\\s\\v&\\)<>\\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\\s\\v&\\)<>\\|]|e(?:ad[\\s\\v&\\)<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\\s\\v&\\)<>\\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\\s\\v&\\)<>\\|]|exec|o(?:(?:bs|in)[\\s\\v&\\)<>\\|]|urnalctl)|runscript)|k(?:ill(?:[\\s\\v&\\)<>\\|]|all)|nife[\\s\\v&\\)<>\\|]|sshell)|l(?:a(?:st(?:[\\s\\v&\\)<>\\|]|comm|log(?:in)?)|tex[\\s\\v&\\)<>\\|])|dconfig|ess(?:[\\s\\v&\\)<>\\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\\s\\v&\\)<>\\|]|o(?:(?:ca(?:l|te)|ok)[\\s\\v&\\)<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\\s\\v&\\)<>q\\|]|x[\\s\\v&\\)<>\\|])|ke[\\s\\v&\\)<>\\|]|ster\\.passwd|wk)|k(?:dir[\\s\\v&\\)<>\\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\\s\\v&\\)<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\\s\\v&\\)<>\\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\\s\\v&\\)<>\\|]|sm|wk)|c(?:\\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\\s\\v&\\)<>\\|]|map|o(?:de[\\s\\v&\\)<>\\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\\s\\v&\\)<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\\s\\v&\\)<>\\|]|s(?:swd|te[\\s\\v&\\)<>\\|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[\\s\\v&\\)<>\\|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\\s\\v&\\)<>\\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\\s\\v&\\)<>\\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\\s\\v&\\)<>\\|]|shd)|wd\\.db|ython[^\\s\\v])|r(?:ak(?:e[\\s\\v&\\)<>\\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\\s\\v&\\)<>\\|]|stic)|l(?:ogin|wrap)|m(?:dir[\\s\\v&\\)<>\\|]|user)|nano|oute[\\s\\v&\\)<>\\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\\s\\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\\s\\v&\\)<>\\|]|c(?:hed|r(?:een|ipt)[\\s\\v&\\)<>\\|])|diff|e(?:(?:lf|rvice)[\\s\\v&\\)<>\\|]|ndmail|t(?:arch|env|facl[\\s\\v&\\)<>\\|]|sid))|ftp|h(?:\\.distrib|(?:adow|ells)[\\s\\v&\\)<>\\|]|u(?:f|tdown[\\s\\v&\\)<>\\|]))|l(?:eep[\\s\\v&\\)<>\\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\\s\\v&\\)<>\\|])|p(?:lit[\\s\\v&\\)<>\\|]|wd\\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\\s\\v&\\)<>\\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\\s\\v&\\)<>f\\|]|sk(?:[\\s\\v&\\)<>\\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\\s\\v&\\)<>\\|]|datectl)|mux|ouch[\\s\\v&\\)<>\\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\\s\\v&\\)<>\\|]|n(?:ame|(?:compress|s(?:et|hare))[\\s\\v&\\)<>\\|]|expand|iq|l(?:ink[\\s\\v&\\)<>\\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\\s\\v&\\)<>\\|]|std))|p(?:2date[\\s\\v&\\)<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\\s\\v&\\)<>\\|]|gr|mdiff|pw|rsh)|olatility[\\s\\v&\\)<>\\|])|w(?:a(?:ll|tch)[\\s\\v&\\)<>\\|]|get|h(?:iptail[\\s\\v&\\)<>\\|]|o(?:ami|is))|i(?:reshark|sh[\\s\\v&\\)<>\\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\\s\\v&\\)<>\\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))\" \"id:932235,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection (command without evasion)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile windows-powershell-commands.data\" \"id:932120,phase:2,block,capture,t:none,t:cmdLine,msg:'Remote Command Execution: Windows PowerShell Command Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'language-powershell',tag:'platform-windows',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\v]*[\\s\\v\\\"'-\\(,@]*(?:[\\\"'\\.-9A-Z_a-z]+/|(?:[\\\"'\\x5c\\^]*[0-9A-Z_a-z][\\\"'\\x5c\\^]*:.*|[ \\\"'\\.-9A-Z\\x5c\\^-_a-z]*)\\x5c)?[\\\"\\^]*(?:(?:a[\\\"\\^]*(?:c|s[\\\"\\^]*n[\\\"\\^]*p)|e[\\\"\\^]*(?:b[\\\"\\^]*p|p[\\\"\\^]*(?:a[\\\"\\^]*l|c[\\\"\\^]*s[\\\"\\^]*v|s[\\\"\\^]*n)|[tx][\\\"\\^]*s[\\\"\\^]*n)|f[\\\"\\^]*(?:[cltw]|o[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*h)|i[\\\"\\^]*(?:[cr][\\\"\\^]*m|e[\\\"\\^]*x|h[\\\"\\^]*y|i|p[\\\"\\^]*(?:a[\\\"\\^]*l|c[\\\"\\^]*s[\\\"\\^]*v|m[\\\"\\^]*o|s[\\\"\\^]*n)|s[\\\"\\^]*e|w[\\\"\\^]*(?:m[\\\"\\^]*i|r))|m[\\\"\\^]*(?:a[\\\"\\^]*n|[dipv]|o[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*t)|o[\\\"\\^]*g[\\\"\\^]*v|p[\\\"\\^]*(?:o[\\\"\\^]*p|u[\\\"\\^]*s[\\\"\\^]*h)[\\\"\\^]*d|t[\\\"\\^]*r[\\\"\\^]*c[\\\"\\^]*m|w[\\\"\\^]*j[\\\"\\^]*b)[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|c[\\\"\\^]*(?:(?:(?:d|h[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*r|v[\\\"\\^]*p[\\\"\\^]*a)[\\\"\\^]*|p[\\\"\\^]*(?:[ip][\\\"\\^]*)?)[\\s\\v,\\.-/;-<>].*|l[\\\"\\^]*(?:(?:[cipv]|h[\\\"\\^]*y)[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|s)|n[\\\"\\^]*s[\\\"\\^]*n)|d[\\\"\\^]*(?:(?:b[\\\"\\^]*p|e[\\\"\\^]*l|i[\\\"\\^]*(?:f[\\\"\\^]*f|r))[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|n[\\\"\\^]*s[\\\"\\^]*n)|g[\\\"\\^]*(?:(?:(?:(?:a[\\\"\\^]*)?l|b[\\\"\\^]*p|d[\\\"\\^]*r|h[\\\"\\^]*y|(?:w[\\\"\\^]*m[\\\"\\^]*)?i|j[\\\"\\^]*b|[u-v])[\\\"\\^]*|c[\\\"\\^]*(?:[ims][\\\"\\^]*)?|m[\\\"\\^]*(?:o[\\\"\\^]*)?|s[\\\"\\^]*(?:n[\\\"\\^]*(?:p[\\\"\\^]*)?|v[\\\"\\^]*))[\\s\\v,\\.-/;-<>].*|e[\\\"\\^]*r[\\\"\\^]*r|p[\\\"\\^]*(?:(?:s[\\\"\\^]*)?[\\s\\v,\\.-/;-<>].*|v))|l[\\\"\\^]*s|n[\\\"\\^]*(?:(?:a[\\\"\\^]*l|d[\\\"\\^]*r|[iv]|m[\\\"\\^]*o|s[\\\"\\^]*n)[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|p[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*c)|r[\\\"\\^]*(?:(?:(?:(?:b[\\\"\\^]*)?p|e[\\\"\\^]*n|(?:w[\\\"\\^]*m[\\\"\\^]*)?i|j[\\\"\\^]*b|n[\\\"\\^]*[ip])[\\\"\\^]*|d[\\\"\\^]*(?:r[\\\"\\^]*)?|m[\\\"\\^]*(?:(?:d[\\\"\\^]*i[\\\"\\^]*r|o)[\\\"\\^]*)?|s[\\\"\\^]*n[\\\"\\^]*(?:p[\\\"\\^]*)?|v[\\\"\\^]*(?:p[\\\"\\^]*a[\\\"\\^]*)?)[\\s\\v,\\.-/;-<>].*|c[\\\"\\^]*(?:j[\\\"\\^]*b[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|s[\\\"\\^]*n)|u[\\\"\\^]*j[\\\"\\^]*b)|s[\\\"\\^]*(?:(?:(?:a[\\\"\\^]*(?:j[\\\"\\^]*b|l|p[\\\"\\^]*s|s[\\\"\\^]*v)|b[\\\"\\^]*p|[civ]|w[\\\"\\^]*m[\\\"\\^]*i)[\\\"\\^]*|l[\\\"\\^]*(?:s[\\\"\\^]*)?|p[\\\"\\^]*(?:(?:j[\\\"\\^]*b|p[\\\"\\^]*s|s[\\\"\\^]*v)[\\\"\\^]*)?)[\\s\\v,\\.-/;-<>].*|h[\\\"\\^]*c[\\\"\\^]*m|u[\\\"\\^]*j[\\\"\\^]*b))(?:\\.[\\\"\\^]*[0-9A-Z_a-z]+)?\\b\" \"id:932125,phase:2,block,capture,t:none,msg:'Remote Command Execution: Windows Powershell Alias Command Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-windows',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\$(?:\\((?:.*|\\(.*\\))\\)|\\{.*\\})|[<>]\\(.*\\)|/[0-9A-Z_a-z]*\\[!?.+\\]\" \"id:932130,phase:2,block,capture,t:none,t:cmdLine,msg:'Remote Command Execution: Unix Shell Expression Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\b(?:for(?:/[dflr].*)? %+[^ ]+ in\\(.*\\)[\\s\\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\\b|[ \\(].*(?:\\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\\b|==)))\" \"id:932140,phase:2,block,capture,t:none,t:cmdLine,msg:'Remote Command Execution: Windows FOR/IF Command Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-windows',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:^|=)[\\s\\v]*(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:7[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[arx])?|(?:b[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z|x)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z|[ckz][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?f|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?v|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)|f[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[dg]|g[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?g)|(?:h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?u|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?b|l[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:s|z(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?4)?)|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|x[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z)|r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p)?|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|(?:s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?h|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n)|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?3[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m)[\\s\\v&\\)<>\\|]\" \"id:932250,phase:2,block,capture,t:none,msg:'Remote Command Execution: Direct Unix Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:^|=)[\\s\\v]*(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang\\+\\+|o(?:mm[\\s\\v&\\)<>\\|]|proc)|ron)|d(?:iff[\\s\\v&\\)<>\\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\\s\\v&\\)<>\\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\\s\\v&\\)<>\\|])|tar(?:diff|grep)?|wd\\.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[\\s\\v&\\)<>\\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\\.distri|pwd\\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\\s\\v&\\)<>\\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))\" \"id:932260,phase:2,block,capture,t:none,msg:'Remote Command Execution: Direct Unix Command Execution',logdata:'Matched Data: %{TX.0} found within %{TX.932260_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.932260_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"!@rx [0-9]\\s*\\'\\s*[0-9]\" \"t:none,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx !-\\d\" \"id:932330,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix shell history invocation',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile unix-shell.data\" \"id:932160,phase:2,block,capture,t:none,t:cmdLine,t:normalizePath,msg:'Remote Command Execution: Unix Shell Code Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS|REQUEST_LINE \"@rx ^\\(\\s*\\)\\s+{\" \"id:932170,phase:1,block,capture,t:none,t:urlDecode,msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|FILES_NAMES \"@rx ^\\(\\s*\\)\\s+{\" \"id:932171,phase:2,block,capture,t:none,t:urlDecode,t:urlDecodeUni,msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\ba[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?l[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s\\b[\\s\\v]+[!-\\\"%',0-9@-Z_a-z]+=[^\\s\\v]\" \"id:932175,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix shell alias invocation',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \"@pmFromFile restricted-upload.data\" \"id:932180,phase:2,block,capture,t:none,msg:'Restricted File Upload Attempt',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:t[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*e|[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\v]*[\\s\\v\\\"'-\\(,@]*(?:[\\\"'\\.-9A-Z_a-z]+/|(?:[\\\"'\\x5c\\^]*[0-9A-Z_a-z][\\\"'\\x5c\\^]*:.*|[ \\\"'\\.-9A-Z\\x5c\\^-_a-z]*)\\x5c)?[\\\"\\^]*(?:a[\\\"\\^]*(?:c[\\\"\\^]*c[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*k[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*e|d[\\\"\\^]*(?:p[\\\"\\^]*l[\\\"\\^]*u[\\\"\\^]*s|v[\\\"\\^]*p[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k)|(?:g[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*o|s[\\\"\\^]*p[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*_[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e)[\\\"\\^]*r|p[\\\"\\^]*p[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*r|v[\\\"\\^]*l[\\\"\\^]*p)|t[\\\"\\^]*(?:[\\s\\v,\\.-/;-<>].*|b[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*k[\\\"\\^]*e[\\\"\\^]*r))|b[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*h|g[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|i[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n)|c[\\\"\\^]*(?:d[\\\"\\^]*b|e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:o[\\\"\\^]*c|r[\\\"\\^]*e[\\\"\\^]*q|u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|l[\\\"\\^]*_[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*v[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n|l[\\\"\\^]*o[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*b[\\\"\\^]*l[\\\"\\^]*y|m[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s)|m[\\\"\\^]*(?:d(?:[\\\"\\^]*(?:k[\\\"\\^]*e[\\\"\\^]*y|l[\\\"\\^]*3[\\\"\\^]*2))?|s[\\\"\\^]*t[\\\"\\^]*p)|o[\\\"\\^]*(?:m[\\\"\\^]*s[\\\"\\^]*v[\\\"\\^]*c[\\\"\\^]*s|n[\\\"\\^]*(?:f[\\\"\\^]*i[\\\"\\^]*g[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*y[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*i[\\\"\\^]*c[\\\"\\^]*y|h[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*t|t[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*l)|r[\\\"\\^]*e[\\\"\\^]*g[\\\"\\^]*e[\\\"\\^]*n)|r[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*u[\\\"\\^]*m[\\\"\\^]*p|s[\\\"\\^]*(?:c(?:[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t)?|i)|u[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*o[\\\"\\^]*m[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*t)|d[\\\"\\^]*(?:a[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*v[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|e[\\\"\\^]*(?:f[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*l[\\\"\\^]*t[\\\"\\^]*p[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k|s[\\\"\\^]*k(?:[\\\"\\^]*t[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n[\\\"\\^]*l[\\\"\\^]*d[\\\"\\^]*r)?|v[\\\"\\^]*(?:i[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*l[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*p[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*y[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t|t[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r))|f[\\\"\\^]*s[\\\"\\^]*(?:h[\\\"\\^]*i[\\\"\\^]*m|v[\\\"\\^]*c)|i[\\\"\\^]*(?:a[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*z|s[\\\"\\^]*k[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w)|n[\\\"\\^]*(?:s[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d|x)|o[\\\"\\^]*t[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*t|u[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*6[\\\"\\^]*4|x[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*p)|e[\\\"\\^]*(?:s[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*l|v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*v[\\\"\\^]*w[\\\"\\^]*r|x[\\\"\\^]*(?:c[\\\"\\^]*e[\\\"\\^]*l|p[\\\"\\^]*(?:a[\\\"\\^]*n[\\\"\\^]*d|l[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*r)|t[\\\"\\^]*(?:e[\\\"\\^]*x[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*t|r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*3[\\\"\\^]*2)))|f[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*(?:d[\\\"\\^]*s[\\\"\\^]*t|g[\\\"\\^]*e)[\\\"\\^]*r|l[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*c|o[\\\"\\^]*r[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s|s[\\\"\\^]*(?:i(?:[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*y[\\\"\\^]*c[\\\"\\^]*p[\\\"\\^]*u)?|u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|t[\\\"\\^]*p)|g[\\\"\\^]*(?:f[\\\"\\^]*x[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*w[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*p[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r|p[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t)|h[\\\"\\^]*h|i[\\\"\\^]*(?:e[\\\"\\^]*(?:4[\\\"\\^]*u[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*i[\\\"\\^]*t|a[\\\"\\^]*d[\\\"\\^]*v[\\\"\\^]*p[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|f[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e)|l[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*m|m[\\\"\\^]*e[\\\"\\^]*w[\\\"\\^]*d[\\\"\\^]*b[\\\"\\^]*l[\\\"\\^]*d|n[\\\"\\^]*(?:f[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*f[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*l[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*l|s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i)[\\\"\\^]*l)|j[\\\"\\^]*s[\\\"\\^]*c|l[\\\"\\^]*(?:a[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*-[\\\"\\^]*v[\\\"\\^]*s[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*v[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l|d[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*d[\\\"\\^]*e)|m[\\\"\\^]*(?:a[\\\"\\^]*(?:k[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*b|n[\\\"\\^]*a[\\\"\\^]*g[\\\"\\^]*e[\\\"\\^]*-[\\\"\\^]*b[\\\"\\^]*d[\\\"\\^]*e|v[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*j[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t)|f[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e|i[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*f[\\\"\\^]*t|m[\\\"\\^]*c|p[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*n|s[\\\"\\^]*(?:(?:b[\\\"\\^]*u[\\\"\\^]*i[\\\"\\^]*l|o[\\\"\\^]*h[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*e)[\\\"\\^]*d|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|d[\\\"\\^]*(?:e[\\\"\\^]*p[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*y|t)|h[\\\"\\^]*t[\\\"\\^]*(?:a|m[\\\"\\^]*l)|i[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|p[\\\"\\^]*u[\\\"\\^]*b|x[\\\"\\^]*s[\\\"\\^]*l))|n[\\\"\\^]*(?:e[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*h|t[\\\"\\^]*d[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|o[\\\"\\^]*(?:d[\\\"\\^]*b[\\\"\\^]*c[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f|f[\\\"\\^]*f[\\\"\\^]*l[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l|n[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*u[\\\"\\^]*p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*r|p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*e)|p[\\\"\\^]*(?:c[\\\"\\^]*(?:a[\\\"\\^]*l[\\\"\\^]*u[\\\"\\^]*a|w[\\\"\\^]*(?:r[\\\"\\^]*u[\\\"\\^]*n|u[\\\"\\^]*t[\\\"\\^]*l))|(?:e[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*e|s)[\\\"\\^]*r|(?:k[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*o|u[\\\"\\^]*b[\\\"\\^]*p[\\\"\\^]*r)[\\\"\\^]*n|n[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|o[\\\"\\^]*w[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*p[\\\"\\^]*n[\\\"\\^]*t|r[\\\"\\^]*(?:e[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*t|i[\\\"\\^]*n[\\\"\\^]*t(?:[\\\"\\^]*b[\\\"\\^]*r[\\\"\\^]*m)?|o[\\\"\\^]*(?:c[\\\"\\^]*d[\\\"\\^]*u[\\\"\\^]*m[\\\"\\^]*p|t[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*r)))|r[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*o[\\\"\\^]*u|c[\\\"\\^]*s[\\\"\\^]*i|(?:d[\\\"\\^]*r[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*k[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*a|p[\\\"\\^]*c[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*n)[\\\"\\^]*g|e[\\\"\\^]*(?:g(?:[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*m|e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*t|i[\\\"\\^]*(?:n[\\\"\\^]*i|s[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*-[\\\"\\^]*c[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*v[\\\"\\^]*i[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*r)|s[\\\"\\^]*v[\\\"\\^]*(?:c[\\\"\\^]*s|r[\\\"\\^]*3[\\\"\\^]*2)))?|(?:m[\\\"\\^]*o[\\\"\\^]*t|p[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*c)[\\\"\\^]*e)|u[\\\"\\^]*n[\\\"\\^]*(?:d[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2|(?:e[\\\"\\^]*x[\\\"\\^]*e|s[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t)[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r|o[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*e))|s[\\\"\\^]*(?:c[\\\"\\^]*(?:[\\s\\v,\\.-/;-<>].*|h[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*s|r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*r)|e[\\\"\\^]*t[\\\"\\^]*(?:r[\\\"\\^]*e[\\\"\\^]*s|t[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*s[\\\"\\^]*y[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*t|u[\\\"\\^]*p[\\\"\\^]*a[\\\"\\^]*p[\\\"\\^]*i)|h[\\\"\\^]*(?:d[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*v[\\\"\\^]*w|e[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2)|q[\\\"\\^]*(?:l[\\\"\\^]*(?:d[\\\"\\^]*u[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r|(?:t[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*)?p[\\\"\\^]*s)|u[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*l)|s[\\\"\\^]*h|t[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*g|y[\\\"\\^]*(?:n[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*p[\\\"\\^]*p[\\\"\\^]*v[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*b[\\\"\\^]*l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r|s[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*p))|t[\\\"\\^]*(?:e[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k[\\\"\\^]*e[\\\"\\^]*r|t[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*j[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t|t[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*r))|u[\\\"\\^]*(?:n[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*2|p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e|r[\\\"\\^]*l|t[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*y[\\\"\\^]*f[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*s)|v[\\\"\\^]*(?:b[\\\"\\^]*c|e[\\\"\\^]*r[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*i[\\\"\\^]*d|i[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*a[\\\"\\^]*l[\\\"\\^]*u[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*y[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*v[\\\"\\^]*e|s[\\\"\\^]*(?:i[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*h|j[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*b[\\\"\\^]*u[\\\"\\^]*g[\\\"\\^]*g)[\\\"\\^]*e[\\\"\\^]*r)|w[\\\"\\^]*(?:a[\\\"\\^]*b|(?:f|m[\\\"\\^]*i)[\\\"\\^]*c|i[\\\"\\^]*n[\\\"\\^]*(?:g[\\\"\\^]*e[\\\"\\^]*t|r[\\\"\\^]*m|w[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*d)|l[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*d[\\\"\\^]*r|o[\\\"\\^]*r[\\\"\\^]*k[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*d[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s|s[\\\"\\^]*(?:(?:c[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p|r[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*e)[\\\"\\^]*t|l)|t[\\\"\\^]*[\\s\\v,\\.-/;-<>].*|u[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*t)|x[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^]*z[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*d|z[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*f[\\\"\\^]*l[\\\"\\^]*d[\\\"\\^]*r)(?:\\.[\\\"\\^]*[0-9A-Z_a-z]+)?\\b\" \"id:932370,phase:2,block,capture,t:none,msg:'Remote Command Execution: Windows Command Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-windows',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:t[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*e|[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\v]*[\\s\\v\\\"'-\\(,@]*(?:[\\\"'\\.-9A-Z_a-z]+/|(?:[\\\"'\\x5c\\^]*[0-9A-Z_a-z][\\\"'\\x5c\\^]*:.*|[ \\\"'\\.-9A-Z\\x5c\\^-_a-z]*)\\x5c)?[\\\"\\^]*(?:a[\\\"\\^]*(?:s[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*c|t[\\\"\\^]*(?:m[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m|t[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*b)|u[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*l|t[\\\"\\^]*o[\\\"\\^]*(?:c[\\\"\\^]*(?:h[\\\"\\^]*k|o[\\\"\\^]*n[\\\"\\^]*v)|(?:f[\\\"\\^]*m|m[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*n)[\\\"\\^]*t)))|b[\\\"\\^]*(?:c[\\\"\\^]*d[\\\"\\^]*(?:b[\\\"\\^]*o[\\\"\\^]*o|e[\\\"\\^]*d[\\\"\\^]*i)[\\\"\\^]*t|(?:d[\\\"\\^]*e[\\\"\\^]*h[\\\"\\^]*d|o[\\\"\\^]*o[\\\"\\^]*t)[\\\"\\^]*c[\\\"\\^]*f[\\\"\\^]*g|i[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n)|c[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s|e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:r[\\\"\\^]*e[\\\"\\^]*q|u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|h[\\\"\\^]*(?:c[\\\"\\^]*p|d[\\\"\\^]*i[\\\"\\^]*r|g[\\\"\\^]*(?:l[\\\"\\^]*o[\\\"\\^]*g[\\\"\\^]*o[\\\"\\^]*n|p[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*t|u[\\\"\\^]*s[\\\"\\^]*r)|k[\\\"\\^]*(?:d[\\\"\\^]*s[\\\"\\^]*k|n[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*s))|l[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|m[\\\"\\^]*(?:d(?:[\\\"\\^]*k[\\\"\\^]*e[\\\"\\^]*y)?|s[\\\"\\^]*t[\\\"\\^]*p)|s[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t)|d[\\\"\\^]*(?:c[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*g|g[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*x)|e[\\\"\\^]*(?:f[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*g|l)|f[\\\"\\^]*s[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*a|r[\\\"\\^]*m[\\\"\\^]*i)[\\\"\\^]*g|i[\\\"\\^]*(?:a[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*z|r|s[\\\"\\^]*(?:k[\\\"\\^]*(?:c[\\\"\\^]*o[\\\"\\^]*(?:m[\\\"\\^]*p|p[\\\"\\^]*y)|p[\\\"\\^]*(?:a[\\\"\\^]*r[\\\"\\^]*t|e[\\\"\\^]*r[\\\"\\^]*f)|r[\\\"\\^]*a[\\\"\\^]*i[\\\"\\^]*d|s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w)|p[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*g))|n[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d|(?:o[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*e|r[\\\"\\^]*i[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*r)[\\\"\\^]*y)|e[\\\"\\^]*(?:n[\\\"\\^]*d[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l|v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e)|E[\\\"\\^]*v[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d|f[\\\"\\^]*(?:c|i[\\\"\\^]*(?:l[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*y[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*s|n[\\\"\\^]*d[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*r)|l[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*p|o[\\\"\\^]*r(?:[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s)?|r[\\\"\\^]*e[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*k|s[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|(?:t[\\\"\\^]*y[\\\"\\^]*p|v[\\\"\\^]*e[\\\"\\^]*u[\\\"\\^]*p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t)[\\\"\\^]*e)|g[\\\"\\^]*(?:e[\\\"\\^]*t[\\\"\\^]*(?:m[\\\"\\^]*a[\\\"\\^]*c|t[\\\"\\^]*y[\\\"\\^]*p[\\\"\\^]*e)|o[\\\"\\^]*t[\\\"\\^]*o|p[\\\"\\^]*(?:f[\\\"\\^]*i[\\\"\\^]*x[\\\"\\^]*u[\\\"\\^]*p|(?:r[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*l[\\\"\\^]*)?t|u[\\\"\\^]*p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e)|r[\\\"\\^]*a[\\\"\\^]*f[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*b[\\\"\\^]*l)|h[\\\"\\^]*(?:e[\\\"\\^]*l[\\\"\\^]*p[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*r|o[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e)|i[\\\"\\^]*(?:c[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s|f|p[\\\"\\^]*(?:c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|x[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*e)|r[\\\"\\^]*f[\\\"\\^]*t[\\\"\\^]*p)|j[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*p[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k|k[\\\"\\^]*(?:l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t|s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*p|t[\\\"\\^]*(?:m[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|p[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*s))|l[\\\"\\^]*(?:o[\\\"\\^]*(?:d[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*r|g[\\\"\\^]*(?:m[\\\"\\^]*a[\\\"\\^]*n|o[\\\"\\^]*f[\\\"\\^]*f))|p[\\\"\\^]*[q-r])|m[\\\"\\^]*(?:a[\\\"\\^]*(?:c[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e|k[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*b|p[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n)|k[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*r|l[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*k)|m[\\\"\\^]*c|o[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*v[\\\"\\^]*o[\\\"\\^]*l|q[\\\"\\^]*(?:b[\\\"\\^]*k[\\\"\\^]*u[\\\"\\^]*p|(?:t[\\\"\\^]*g[\\\"\\^]*)?s[\\\"\\^]*v[\\\"\\^]*c)|s[\\\"\\^]*(?:d[\\\"\\^]*t|i[\\\"\\^]*(?:e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|n[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*3[\\\"\\^]*2)|t[\\\"\\^]*s[\\\"\\^]*c))|n[\\\"\\^]*(?:b[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t|e[\\\"\\^]*t[\\\"\\^]*(?:c[\\\"\\^]*f[\\\"\\^]*g|d[\\\"\\^]*o[\\\"\\^]*m|s[\\\"\\^]*(?:h|t[\\\"\\^]*a[\\\"\\^]*t))|f[\\\"\\^]*s[\\\"\\^]*(?:a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|s[\\\"\\^]*(?:h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*e|t[\\\"\\^]*a[\\\"\\^]*t))|l[\\\"\\^]*(?:b[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|t[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*t)|s[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*k[\\\"\\^]*u[\\\"\\^]*p|t[\\\"\\^]*(?:b[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k[\\\"\\^]*u[\\\"\\^]*p|c[\\\"\\^]*m[\\\"\\^]*d[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*t|f[\\\"\\^]*r[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*l))|o[\\\"\\^]*(?:f[\\\"\\^]*f[\\\"\\^]*l[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*e|p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s)|p[\\\"\\^]*(?:a[\\\"\\^]*(?:g[\\\"\\^]*e[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i|t[\\\"\\^]*h[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*n)[\\\"\\^]*g|(?:b[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i|k[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*o)[\\\"\\^]*n|e[\\\"\\^]*(?:n[\\\"\\^]*t[\\\"\\^]*n[\\\"\\^]*t|r[\\\"\\^]*f[\\\"\\^]*m[\\\"\\^]*o[\\\"\\^]*n)|n[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*(?:n[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*d|t[\\\"\\^]*i[\\\"\\^]*l)|o[\\\"\\^]*(?:p[\\\"\\^]*d|w[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l)|r[\\\"\\^]*n[\\\"\\^]*(?:c[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*g|(?:d[\\\"\\^]*r[\\\"\\^]*v|m[\\\"\\^]*n[\\\"\\^]*g)[\\\"\\^]*r|j[\\\"\\^]*o[\\\"\\^]*b[\\\"\\^]*s|p[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*t|q[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*l)|u[\\\"\\^]*(?:b[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*n|s[\\\"\\^]*h[\\\"\\^]*(?:d|p[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*s))|w[\\\"\\^]*(?:l[\\\"\\^]*a[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r|s[\\\"\\^]*h))|q[\\\"\\^]*(?:a[\\\"\\^]*p[\\\"\\^]*p[\\\"\\^]*s[\\\"\\^]*r[\\\"\\^]*v|p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*s|u[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r|w[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a)|r[\\\"\\^]*(?:d(?:[\\\"\\^]*p[\\\"\\^]*s[\\\"\\^]*i[\\\"\\^]*g[\\\"\\^]*n)?|e[\\\"\\^]*(?:f[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|g(?:[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*i|s[\\\"\\^]*v[\\\"\\^]*r[\\\"\\^]*3[\\\"\\^]*2))?|l[\\\"\\^]*o[\\\"\\^]*g|(?:(?:p[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i|s[\\\"\\^]*c[\\\"\\^]*a)[\\\"\\^]*)?n|x[\\\"\\^]*e[\\\"\\^]*c)|i[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*p|m[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*r|o[\\\"\\^]*b[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y|p[\\\"\\^]*c[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|p[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g)|s[\\\"\\^]*h|u[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2|w[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a)|s[\\\"\\^]*(?:a[\\\"\\^]*n|c[\\\"\\^]*(?:h[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*s|w[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d)|e[\\\"\\^]*(?:c[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*t|r[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*(?:(?:c[\\\"\\^]*e[\\\"\\^]*i[\\\"\\^]*p|w[\\\"\\^]*e[\\\"\\^]*r)[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*n|m[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*g[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d)|t[\\\"\\^]*x)|f[\\\"\\^]*c|(?:h[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*m[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*n|u[\\\"\\^]*b[\\\"\\^]*s)[\\\"\\^]*t|x[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e|y[\\\"\\^]*s[\\\"\\^]*(?:o[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o))|t[\\\"\\^]*(?:a[\\\"\\^]*(?:k[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|p[\\\"\\^]*i[\\\"\\^]*c[\\\"\\^]*f[\\\"\\^]*g|s[\\\"\\^]*k[\\\"\\^]*(?:k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t))|(?:c[\\\"\\^]*m[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*u|f[\\\"\\^]*t)[\\\"\\^]*p|(?:(?:e[\\\"\\^]*l[\\\"\\^]*n[\\\"\\^]*e|i[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*u)[\\\"\\^]*|r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*(?:p[\\\"\\^]*)?)t|l[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*n|p[\\\"\\^]*m[\\\"\\^]*(?:t[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*l|v[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r)|s[\\\"\\^]*(?:(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*)?c[\\\"\\^]*o[\\\"\\^]*n|e[\\\"\\^]*c[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*p|k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l|p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*f)|y[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f|z[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|u[\\\"\\^]*n[\\\"\\^]*(?:e[\\\"\\^]*x[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*s[\\\"\\^]*e|i[\\\"\\^]*q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*i[\\\"\\^]*d|l[\\\"\\^]*o[\\\"\\^]*d[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*r)|v[\\\"\\^]*(?:o[\\\"\\^]*l|s[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n)|w[\\\"\\^]*(?:a[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r|b[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|(?:d[\\\"\\^]*s|e[\\\"\\^]*(?:c|v[\\\"\\^]*t))[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|h[\\\"\\^]*(?:e[\\\"\\^]*r[\\\"\\^]*e|o[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*i)|i[\\\"\\^]*n[\\\"\\^]*(?:n[\\\"\\^]*t(?:[\\\"\\^]*3[\\\"\\^]*2)?|r[\\\"\\^]*s)|m[\\\"\\^]*i[\\\"\\^]*c|s[\\\"\\^]*c[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t)|x[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y)(?:\\.[\\\"\\^]*[0-9A-Z_a-z]+)?\\b\" \"id:932380,phase:2,block,capture,t:none,msg:'Remote Command Execution: Windows Command Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-windows',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*\\.[\\s\\v].*\\b\" \"id:932231,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer \"@rx (?:\\$(?:\\((?:\\(.*\\)|.*)\\)|\\{.*})|[<>]\\(.*\\)|\\[!?.+\\])\" \"id:932131,phase:1,block,capture,t:none,t:cmdLine,msg:'Remote Command Execution: Unix Shell Expression Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* \"@rx ['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#-\\$\\(\\*\\-0-9\\?-\\[_a-\\{]\" \"id:932200,phase:2,block,capture,t:none,t:lowercase,t:urlDecodeUni,msg:'RCE Bypass Technique',logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.932200_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"@rx /\" \"t:none,t:urlDecodeUni,chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"@rx \\s\" \"t:none,t:urlDecodeUni,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer \"@rx ^[^\\.]+\\.[^;\\?]+[;\\?](.*(['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#-\\$\\(\\*\\-0-9\\?-\\[_a-\\{]))\" \"id:932205,phase:2,block,capture,t:none,t:lowercase,t:urlDecodeUni,msg:'RCE Bypass Technique',logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.932205_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"@rx /\" \"t:none,t:urlDecodeUni,chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"@rx \\s\" \"t:none,t:urlDecodeUni,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer \"@rx ^[^\\.]*?(?:['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#-\\$\\(\\*\\-0-9\\?-\\[_a-\\{])\" \"id:932206,phase:2,block,capture,t:none,t:lowercase,t:urlDecodeUni,msg:'RCE Bypass Technique',logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.932206_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"@rx /\" \"t:none,t:urlDecodeUni,chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"@rx \\s\" \"t:none,t:urlDecodeUni,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i).\\|(?:[\\s\\v]*|t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:7[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[arx])?|G[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?E[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?T|a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:b|(?:p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?t|r(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[jp])?|s(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)?|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[ks])|b[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z|c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[8-9][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?9|[au][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t|c|(?:m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?p|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[dfu]|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[gr])|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[bdx]|n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?v|q[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n|s(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)?)|f[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[c-dgi]|m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t|t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p)|g[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[chr][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?b|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t|o|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?g)|h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:d|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p)|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[dp]|r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?b)|j[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:j[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s|q)|k[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h|l[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:d(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d)?|[nps]|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a|z(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?4)?)|m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n|t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?r|v)|n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[cl]|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t|(?:p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?m)|o[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:[at][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?x|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?b|f|(?:k[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?g|h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[cp]|r(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?y)?|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|x[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?z)|r[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?r|c(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p)?|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[dv]|(?:p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?)?m)|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[dt]|[g-hu]|s(?:[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h)?|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n)|t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[cr]|b[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?l|[co][\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[ex]|i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c)|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|l)|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:3[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m|c)|x[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:x[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|z)|y[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:e[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?s|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m)|z[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p|s[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?h))\" \"id:932220,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection with pipe',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* \"@rx (?i)[\\-0-9_a-z]+(?:[\\\"'\\[-\\]]+|\\$+[!#\\*\\-0-9\\?-@\\x5c_a-\\{]+|``|[\\$<>]\\(\\))[\\s\\v]*[\\-0-9_a-z]+\" \"id:932240,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.932240_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VAR \"!@rx [0-9]\\s*\\'\\s*[0-9]\" \"t:none,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ;[\\s\\v]*\\.[\\s\\v]*[\\\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)\" \"id:932210,phase:2,block,t:none,t:escapeSeqDecode,t:compressWhitespace,msg:'Remote Command Execution: SQLite System Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\r\\n(?s:.)*?\\b(?:(?i:E)(?:HLO [\\--\\.A-Za-z\\x17f\\x212a]{1,255}|XPN .{1,64})|HELO [\\--\\.A-Za-z\\x17f\\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\\-0-9A-Z_a-z\\x17f\\x212a]{1,20}(?i: )(?:(?:[\\+/-9A-Z_a-z\\x17f\\x212a]{4})*(?:[\\+/-9A-Z_a-z\\x17f\\x212a]{2}(?i:=)|[\\+/-9A-Z_a-z\\x17f\\x212a]{3}))?(?i:=)|STARTTLS\\b|NOOP\\b(?:(?i: ).{1,255})?)\" \"id:932300,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: SMTP Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:A(?:PPEND (?:[\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+)?(?: \\([ \\x5ca-z]+\\))?(?: \\\"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\\+\\-][0-9]{4}\\\"?)? \\{[0-9]{1,20}\\+?\\}|UTHENTICATE [\\-0-9_a-z]{1,20}\\r\\n)|L(?:SUB (?:[\\\"-#\\*\\.-9A-Z_a-z~]+)? (?:[\\\"%-&\\*\\.-9A-Z\\x5c_a-z]+)?|ISTRIGHTS (?:[\\\"%-&\\*\\--9A-Z\\x5c_a-z]+)?)|S(?:TATUS (?:[\\\"%-&\\*\\--9A-Z\\x5c_a-z]+)? \\((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\\)|ETACL (?:[\\\"%-&\\*\\--9A-Z\\x5c_a-z]+)? [\\+\\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\\\"%-&\\*\\--9A-Z\\x5c_a-z]+)?)\" \"id:932310,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: IMAP Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?is)\\r\\n.*?\\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\\-0-9A-Z_]{1,20} (?:(?:[\\+/-9A-Z_a-z]{4})*(?:[\\+/-9A-Z_a-z]{2}=|[\\+/-9A-Z_a-z]{3}))?=))\" \"id:932320,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: POP3 Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:(?:^|=)[\\s\\v]*(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*|(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*)[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\\s\\v&\\)<>\\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\\s\\v&\\)<>\\|]|pt(?:[\\s\\v&\\)<>\\|]|-get)|r(?:[\\s\\v&\\)<>j\\|]|(?:p|ch)[\\s\\v&\\)<>\\|]|ia2c)|s(?:h?[\\s\\v&\\)<>\\|]|cii(?:-xfr|85)|pell)|t(?:[\\s\\v&\\)<>\\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\\s\\v&\\)<>\\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\v&\\)<>\\|]|c))|h[\\s\\v&\\)<>\\|])|tch[\\s\\v&\\)<>\\|])|lkid|pftrace|r(?:eaksw|idge[\\s\\v&\\)<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\v&\\)<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\\s\\v&\\)<>\\|]|mp|p(?:[\\s\\v&\\)<>\\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\\s\\v&\\)<>\\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\\s\\v&\\)<>\\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\\s\\v&\\)<>\\|]|\\+\\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\v&\\)<>\\|]|w(?:say|think))|r(?:ash[\\s\\v&\\)<>\\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\\s\\v&\\)<>\\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\\s\\v&\\)<>\\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\\s\\v&\\)<>\\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\\s\\v&\\)<>h\\|]|ac)|x(?:(?:ec)?[\\s\\v&\\)<>\\|]|iftool|p(?:(?:and|(?:ec|or)t)[\\s\\v&\\)<>\\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\\s\\v&\\)<>\\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\\s\\v&\\)<>\\|]|le(?:[\\s\\v&\\)<>\\|]|test))|mt|tp(?:[\\s\\v&\\)<>\\|]|stats|who)|acter|o(?:ld[\\s\\v&\\)<>\\|]|reach)|ping)|g(?:c(?:c[^\\s\\v]|ore)|db|e(?:(?:m|tfacl)[\\s\\v&\\)<>\\|]|ni(?:e[\\s\\v&\\)<>\\|]|soimage))|hci?|i(?:(?:t|mp)[\\s\\v&\\)<>\\|]|nsh)|(?:o|awk)[\\s\\v&\\)<>\\|]|pg|r(?:c|ep[\\s\\v&\\)<>\\|]|oup(?:[\\s\\v&\\)<>\\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\v&\\)<>\\|]|e(?:ad[\\s\\v&\\)<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\\s\\v&\\)<>\\|]|onice|spell)|j(?:js|q|ava[\\s\\v&\\)<>\\|]|exec|o(?:(?:bs|in)[\\s\\v&\\)<>\\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\\s\\v&\\)<>\\|]|all)|nife[\\s\\v&\\)<>\\|])|l(?:d(?:d?[\\s\\v&\\)<>\\|]|config)|(?:[np]|inks|ynx)[\\s\\v&\\)<>\\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\\s\\v&\\)<>\\|]|(?:la)?tex)|z(?:[\\s\\v&\\)4<>\\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\\s\\v&\\)<>\\|]|comm|log(?:in)?)|tex[\\s\\v&\\)<>\\|])|ess(?:[\\s\\v&\\)<>\\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\\s\\v&\\)<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\\s\\v&\\)<>\\|]|il(?:[\\s\\v&\\)<>q\\|]|x[\\s\\v&\\)<>\\|])|ster\\.passwd|wk)|tr|(?:v|utt)[\\s\\v&\\)<>\\|]|k(?:dir[\\s\\v&\\)<>\\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\\s\\v&\\)<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\\s\\v&\\)<>\\|]|\\.(?:openbsd|traditional)|at)|e(?:t(?:[\\s\\v&\\)<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\\s\\v&\\)<>\\|]|m(?:[\\s\\v&\\)<>\\|]|ap)|p(?:m[\\s\\v&\\)<>\\|]|ing)|a(?:no[\\s\\v&\\)<>\\|]|sm|wk)|o(?:de[\\s\\v&\\)<>\\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\\s\\v&\\)<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\\s\\v&\\)<>\\|]|s(?:swd|te[\\s\\v&\\)<>\\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\\s\\v&\\)<>\\|]|tp)|g(?:rep)?|hp(?:[\\s\\v&\\)57<>\\|]|-cgi)|i(?:(?:co?|ng)[\\s\\v&\\)<>\\|]|p[^\\s\\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\\s\\v&\\)<>\\|]|int(?:env|f[\\s\\v&\\)<>\\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\\s\\v&\\)<>\\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\\s\\v&\\)<>\\|]|shd)|ython[^\\s\\v])|r(?:a(?:r[\\s\\v&\\)<>\\|]|k(?:e[\\s\\v&\\)<>\\|]|u))|c(?:p[\\s\\v&\\)<>\\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\\s\\v&\\)<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\v&\\)<>\\|]|user)|pm(?:[\\s\\v&\\)<>\\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\\s\\v&\\)<>\\|]|sync|u(?:by[^\\s\\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\\s\\v&\\)<>\\|])|e(?:(?:d|lf|rvice)[\\s\\v&\\)<>\\|]|t(?:arch|env|facl[\\s\\v&\\)<>\\|]|sid)?|ndmail)|(?:g|ash|nap)[\\s\\v&\\)<>\\|]|h(?:(?:adow|ells)?[\\s\\v&\\)<>\\|]|\\.distrib|u(?:f|tdown[\\s\\v&\\)<>\\|]))|s(?:[\\s\\v&\\)<>\\|]|h(?:[\\s\\v&\\)<>\\|]|-key(?:ge|sca)n|pass))|u(?:[\\s\\v&\\)<>\\|]|do)|vn|diff|ftp|l(?:eep[\\s\\v&\\)<>\\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\\s\\v&\\)<>\\|])|p(?:lit[\\s\\v&\\)<>\\|]|wd\\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\\s\\v&\\)<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\\s\\v&\\)<>\\|]|il[\\s\\v&\\)<>f\\|]|sk(?:[\\s\\v&\\)<>\\|]|set))|bl|c(?:p(?:[\\s\\v&\\)<>\\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\\s\\v&\\)<>\\|]|lnet)|i(?:c[\\s\\v&\\)<>\\|]|me(?:(?:out)?[\\s\\v&\\)<>\\|]|datectl))|o(?:p|uch[\\s\\v&\\)<>\\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\\s\\v&\\)<>\\|]|n(?:ame|(?:compress|s(?:et|hare))[\\s\\v&\\)<>\\|]|expand|iq|l(?:ink[\\s\\v&\\)<>\\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\\s\\v&\\)<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\v&\\)<>\\|]|diff)|ew[\\s\\v&\\)<>\\|]|gr|pw|rsh)|algrind|olatility[\\s\\v&\\)<>\\|])|w(?:3m|c|a(?:ll|tch)[\\s\\v&\\)<>\\|]|get|h(?:iptail[\\s\\v&\\)<>\\|]|o(?:ami|is))|i(?:reshark|sh[\\s\\v&\\)<>\\|]))|x(?:(?:x|pa)d|z(?:[\\s\\v&\\)<>\\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\\s\\v&\\)<>\\|]|um)|z(?:ip(?:[\\s\\v&\\)<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\\s\\v&\\)<>\\|])|f?grep|less|more|run|ypper))\" \"id:932236,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection (command without evasion)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent \"@rx (?i)(?:(?:^|=)[\\s\\v]*(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*|(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*)[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\\s\\v&\\)<>\\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\\s\\v&\\)<>\\|]|pt(?:[\\s\\v&\\)<>\\|]|-get)|r(?:[\\s\\v&\\)<>j\\|]|(?:p|ch)[\\s\\v&\\)<>\\|]|ia2c)|s(?:h?[\\s\\v&\\)<>\\|]|cii(?:-xfr|85)|pell)|t(?:[\\s\\v&\\)<>\\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\\s\\v&\\)<>\\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\v&\\)<>\\|]|c))|h[\\s\\v&\\)<>\\|])|tch[\\s\\v&\\)<>\\|])|lkid|pftrace|r(?:eaksw|idge[\\s\\v&\\)<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\v&\\)<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\\s\\v&\\)<>\\|]|mp|p(?:[\\s\\v&\\)<>\\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\\s\\v&\\)<>\\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\\s\\v&\\)<>\\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\\s\\v&\\)<>\\|]|\\+\\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\v&\\)<>\\|]|w(?:say|think))|r(?:ash[\\s\\v&\\)<>\\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\\s\\v&\\)<>\\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\\s\\v&\\)<>\\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\\s\\v&\\)<>\\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\\s\\v&\\)<>h\\|]|ac)|x(?:(?:ec)?[\\s\\v&\\)<>\\|]|iftool|p(?:(?:and|(?:ec|or)t)[\\s\\v&\\)<>\\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\\s\\v&\\)<>\\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\\s\\v&\\)<>\\|]|le(?:[\\s\\v&\\)<>\\|]|test))|mt|tp(?:[\\s\\v&\\)<>\\|]|stats|who)|acter|o(?:ld[\\s\\v&\\)<>\\|]|reach)|ping)|g(?:c(?:c[^\\s\\v]|ore)|db|e(?:(?:m|tfacl)[\\s\\v&\\)<>\\|]|ni(?:e[\\s\\v&\\)<>\\|]|soimage))|hci?|i(?:(?:t|mp)[\\s\\v&\\)<>\\|]|nsh)|(?:o|awk)[\\s\\v&\\)<>\\|]|pg|r(?:c|ep[\\s\\v&\\)<>\\|]|oup(?:[\\s\\v&\\)<>\\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\v&\\)<>\\|]|e(?:ad[\\s\\v&\\)<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\\s\\v&\\)<>\\|]|onice|spell)|j(?:js|q|ava[\\s\\v&\\)<>\\|]|exec|o(?:(?:bs|in)[\\s\\v&\\)<>\\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\\s\\v&\\)<>\\|]|all)|nife[\\s\\v&\\)<>\\|])|l(?:d(?:d?[\\s\\v&\\)<>\\|]|config)|(?:[np]|ynx)[\\s\\v&\\)<>\\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\\s\\v&\\)<>\\|]|(?:la)?tex)|z(?:[\\s\\v&\\)4<>\\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\\s\\v&\\)<>\\|]|comm|log(?:in)?)|tex[\\s\\v&\\)<>\\|])|ess(?:[\\s\\v&\\)<>\\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\\s\\v&\\)<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\\s\\v&\\)<>\\|]|il(?:[\\s\\v&\\)<>q\\|]|x[\\s\\v&\\)<>\\|])|ster\\.passwd|wk)|tr|(?:v|utt)[\\s\\v&\\)<>\\|]|k(?:dir[\\s\\v&\\)<>\\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\\s\\v&\\)<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\\s\\v&\\)<>\\|]|\\.(?:openbsd|traditional)|at)|e(?:t(?:[\\s\\v&\\)<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\\s\\v&\\)<>\\|]|m(?:[\\s\\v&\\)<>\\|]|ap)|p(?:m[\\s\\v&\\)<>\\|]|ing)|a(?:no[\\s\\v&\\)<>\\|]|sm|wk)|o(?:de[\\s\\v&\\)<>\\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\\s\\v&\\)<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\\s\\v&\\)<>\\|]|s(?:swd|te[\\s\\v&\\)<>\\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\\s\\v&\\)<>\\|]|tp)|g(?:rep)?|hp(?:[\\s\\v&\\)57<>\\|]|-cgi)|i(?:(?:co?|ng)[\\s\\v&\\)<>\\|]|p[^\\s\\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\\s\\v&\\)<>\\|]|int(?:env|f[\\s\\v&\\)<>\\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\\s\\v&\\)<>\\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\\s\\v&\\)<>\\|]|shd)|ython[2-3])|r(?:a(?:r[\\s\\v&\\)<>\\|]|k(?:e[\\s\\v&\\)<>\\|]|u))|c(?:p[\\s\\v&\\)<>\\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\\s\\v&\\)<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\v&\\)<>\\|]|user)|pm(?:[\\s\\v&\\)<>\\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\\s\\v&\\)<>\\|]|sync|u(?:by[^\\s\\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\\s\\v&\\)<>\\|])|e(?:(?:d|lf|rvice)[\\s\\v&\\)<>\\|]|t(?:arch|env|facl[\\s\\v&\\)<>\\|]|sid)?|ndmail)|(?:g|ash)[\\s\\v&\\)<>\\|]|h(?:(?:adow|ells)?[\\s\\v&\\)<>\\|]|\\.distrib|u(?:f|tdown[\\s\\v&\\)<>\\|]))|s(?:[\\s\\v&\\)<>\\|]|h(?:[\\s\\v&\\)<>\\|]|-key(?:ge|sca)n|pass))|u(?:[\\s\\v&\\)<>\\|]|do)|vn|diff|ftp|l(?:eep[\\s\\v&\\)<>\\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\\s\\v&\\)<>\\|])|p(?:lit[\\s\\v&\\)<>\\|]|wd\\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\\s\\v&\\)<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\\s\\v&\\)<>\\|]|il[\\s\\v&\\)<>f\\|]|sk(?:[\\s\\v&\\)<>\\|]|set))|bl|c(?:p(?:[\\s\\v&\\)<>\\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\\s\\v&\\)<>\\|]|lnet)|i(?:c[\\s\\v&\\)<>\\|]|me(?:(?:out)?[\\s\\v&\\)<>\\|]|datectl))|o(?:p|uch[\\s\\v&\\)<>\\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\\s\\v&\\)<>\\|]|n(?:ame|(?:compress|s(?:et|hare))[\\s\\v&\\)<>\\|]|expand|iq|l(?:ink[\\s\\v&\\)<>\\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\\s\\v&\\)<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\v&\\)<>\\|]|diff)|ew[\\s\\v&\\)<>\\|]|gr|pw|rsh)|algrind|olatility[\\s\\v&\\)<>\\|])|w(?:c|a(?:ll|tch)[\\s\\v&\\)<>\\|]|h(?:iptail[\\s\\v&\\)<>\\|]|o(?:ami|is))|i(?:reshark|sh[\\s\\v&\\)<>\\|]))|x(?:(?:x|pa)d|z(?:[\\s\\v&\\)<>\\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\\s\\v&\\)<>\\|]|um)|z(?:ip(?:[\\s\\v&\\)<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\\s\\v&\\)<>\\|])|f?grep|less|more|run|ypper))\" \"id:932239,phase:1,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer \"@pmFromFile unix-shell.data\" \"id:932161,phase:2,block,capture,t:none,t:cmdLine,t:normalizePath,msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:(?:(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?2[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?f|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|s)|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?o|[\\s\\v&\\),<>\\|].*))\\b\" \"id:932232,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix Command Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer \"@rx (?i)\\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\\s\\v&\\)<>\\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\\s\\v&\\)<>\\|]|pt(?:(?:itude)?[\\s\\v&\\)<>\\|]|-get)|r(?:[\\s\\v&\\)<>j\\|]|(?:p|ch)[\\s\\v&\\)<>\\|]|ia2c)|s(?:h?[\\s\\v&\\)<>\\|]|cii(?:-xfr|85)|pell)|t(?:[\\s\\v&\\)<>\\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\\s\\v&\\)<>\\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\v&\\)<>\\|]|c))|h[\\s\\v&\\)<>\\|])|tch[\\s\\v&\\)<>\\|])|lkid|pftrace|r(?:eaksw|idge[\\s\\v&\\)<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\v&\\)<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\\s\\v&\\)<>\\|]|mp|p(?:[\\s\\v&\\)<>\\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\\s\\v&\\)<>\\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\\s\\v&\\)<>\\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\\s\\v&\\)<>\\|]|\\+\\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\v&\\)<>\\|]|w(?:say|think))|r(?:ash[\\s\\v&\\)<>\\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\\s\\v&\\)<>\\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\\s\\v&\\)<>\\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\\s\\v&\\)<>\\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\\s\\v&\\)<>h\\|]|ac)|x(?:(?:ec)?[\\s\\v&\\)<>\\|]|iftool|p(?:(?:and|(?:ec|or)t)[\\s\\v&\\)<>\\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\\s\\v&\\)<>\\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\\s\\v&\\)<>\\|]|le(?:[\\s\\v&\\)<>\\|]|test))|mt|tp(?:[\\s\\v&\\)<>\\|]|stats|who)|acter|o(?:ld[\\s\\v&\\)<>\\|]|reach)|ping)|g(?:c(?:c[^\\s\\v]|ore)|db|e(?:(?:m|tfacl)[\\s\\v&\\)<>\\|]|ni(?:e[\\s\\v&\\)<>\\|]|soimage))|hci?|i(?:(?:t|mp)[\\s\\v&\\)<>\\|]|nsh)|(?:o|awk)[\\s\\v&\\)<>\\|]|pg|r(?:c|ep[\\s\\v&\\)<>\\|]|oup(?:[\\s\\v&\\)<>\\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\v&\\)<>\\|]|e(?:ad[\\s\\v&\\)<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\\s\\v&\\)<>\\|]|onice|spell)|j(?:js|q|ava[\\s\\v&\\)<>\\|]|exec|o(?:(?:bs|in)[\\s\\v&\\)<>\\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\\s\\v&\\)<>\\|]|all)|nife[\\s\\v&\\)<>\\|])|l(?:d(?:d?[\\s\\v&\\)<>\\|]|config)|(?:[np]|ynx)[\\s\\v&\\)<>\\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\\s\\v&\\)<>\\|]|(?:la)?tex)|z(?:[\\s\\v&\\)4<>\\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\\s\\v&\\)<>\\|]|comm|log(?:in)?)|tex[\\s\\v&\\)<>\\|])|ess(?:[\\s\\v&\\)<>\\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\\s\\v&\\)<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\\s\\v&\\)<>\\|]|il(?:[\\s\\v&\\)<>q\\|]|x[\\s\\v&\\)<>\\|])|ster\\.passwd|wk)|tr|(?:v|utt)[\\s\\v&\\)<>\\|]|k(?:dir[\\s\\v&\\)<>\\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\\s\\v&\\)<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\\s\\v&\\)<>\\|]|\\.(?:openbsd|traditional)|at)|e(?:t(?:[\\s\\v&\\)<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\\s\\v&\\)<>\\|]|m(?:[\\s\\v&\\)<>\\|]|ap)|p(?:m[\\s\\v&\\)<>\\|]|ing)|a(?:no[\\s\\v&\\)<>\\|]|sm|wk)|o(?:de[\\s\\v&\\)<>\\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\\s\\v&\\)<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\\s\\v&\\)<>\\|]|s(?:swd|te[\\s\\v&\\)<>\\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\\s\\v&\\)<>\\|]|tp)|g(?:rep)?|hp(?:[\\s\\v&\\)57<>\\|]|-cgi)|i(?:(?:co?|ng)[\\s\\v&\\)<>\\|]|p[^\\s\\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\\s\\v&\\)<>\\|]|int(?:env|f[\\s\\v&\\)<>\\|]))|s(?:[\\s\\v&\\)<>\\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\\s\\v&\\)<>\\|])|opd|u(?:ppet[\\s\\v&\\)<>\\|]|shd)|ython[2-3])|r(?:a(?:r[\\s\\v&\\)<>\\|]|k(?:e[\\s\\v&\\)<>\\|]|u))|c(?:p[\\s\\v&\\)<>\\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\\s\\v&\\)<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\v&\\)<>\\|]|user)|pm(?:[\\s\\v&\\)<>\\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\\s\\v&\\)<>\\|]|sync|u(?:by[^\\s\\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\\s\\v&\\)<>\\|])|e(?:(?:d|lf|rvice)[\\s\\v&\\)<>\\|]|t(?:arch|env|facl[\\s\\v&\\)<>\\|]|sid)?|ndmail)|(?:g|ash)[\\s\\v&\\)<>\\|]|h(?:(?:adow|ells)?[\\s\\v&\\)<>\\|]|\\.distrib|u(?:f|tdown[\\s\\v&\\)<>\\|]))|s(?:[\\s\\v&\\)<>\\|]|h(?:[\\s\\v&\\)<>\\|]|-key(?:ge|sca)n|pass))|u(?:[\\s\\v&\\)<>\\|]|do)|vn|diff|ftp|l(?:eep[\\s\\v&\\)<>\\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\\s\\v&\\)<>\\|])|p(?:lit[\\s\\v&\\)<>\\|]|wd\\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\\s\\v&\\)<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\\s\\v&\\)<>\\|]|il[\\s\\v&\\)<>f\\|]|sk(?:[\\s\\v&\\)<>\\|]|set))|bl|c(?:p(?:[\\s\\v&\\)<>\\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\\s\\v&\\)<>\\|]|lnet)|i(?:c[\\s\\v&\\)<>\\|]|me(?:(?:out)?[\\s\\v&\\)<>\\|]|datectl))|o(?:p|uch[\\s\\v&\\)<>\\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\\s\\v&\\)<>\\|]|n(?:ame|(?:compress|s(?:et|hare))[\\s\\v&\\)<>\\|]|expand|iq|l(?:ink[\\s\\v&\\)<>\\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\\s\\v&\\)<>\\|]|std))|p(?:2date[\\s\\v&\\)<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\\s\\v&\\)<>\\|]|m(?:[\\s\\v&\\)<>\\|]|diff)|gr|pw|rsh)|algrind|olatility[\\s\\v&\\)<>\\|])|w(?:[\\s\\v&\\)<>c\\|]|h(?:o(?:[\\s\\v&\\)<>\\|]|ami|is)?|iptail[\\s\\v&\\)<>\\|])|a(?:ll|tch)[\\s\\v&\\)<>\\|]|i(?:reshark|sh[\\s\\v&\\)<>\\|]))|x(?:(?:x|pa)d|z(?:[\\s\\v&\\)<>\\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\\s\\v&\\)<>\\|]|um)|z(?:ip(?:[\\s\\v&\\)<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\\s\\v&\\)<>\\|])|f?grep|less|more|run|ypper))(?:\\b|[^0-9A-Z_a-z])\" \"id:932237,phase:2,block,capture,t:none,t:cmdLine,t:normalizePath,msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent \"@rx (?i)(?:(?:^|=)[\\s\\v]*(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*|(?:t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|[\\n\\r;`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|\\{)|[<>]\\(|\\([\\s\\v]*\\))[\\s\\v]*(?:[\\$\\{]|(?:[\\s\\v]*\\(|!)[\\s\\v]*|[0-9A-Z_a-z]+=(?:[^\\s\\v]*|\\$(?:.*|.*)|[<>].*|'.*'|\\\".*\\\")[\\s\\v]+)*)[\\s\\v]*[\\\"']*(?:[\\\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\\\"'\\x5c]*(?:(?:(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d|u[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?2[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?t)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?e|v[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?i)[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|d[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?f|p[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?c[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?m[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?a[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?n[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?[\\s\\v&\\),<>\\|].*|s)|w[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?(?:h[\\\"'\\)\\[-\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\v]*)?\\$[!#\\(\\*\\-0-9\\?-@_a-\\{]*)?\\x5c?o|[\\s\\v&\\),<>\\|].*))\" \"id:932238,phase:2,block,capture,t:none,t:cmdLine,t:normalizePath,msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)\" \"id:932190,phase:2,block,capture,t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,msg:'Remote Command Execution: Wildcard bypass technique attempt',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\r\\n(?s:.)*?\\b(?:DATA|QUIT|HELP(?: .{1,255})?)\" \"id:932301,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: SMTP Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:C(?:(?:REATE|OPY [\\*,0-:]+) [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\\\"-#%-&\\*\\--\\.0-9A-Z\\x5c_a-z]+|EX(?:AMINE [\\\"-#%-&\\*\\--\\.0-9A-Z\\x5c_a-z]+|PUNGE)|FETCH [\\*,0-:]+|L(?:IST [\\\"-#\\*\\--9A-Z\\x5c_a-z~]+? [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+|OG(?:IN [\\--\\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+? [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+|S(?:E(?:LECT [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+|ARCH(?: CHARSET [\\--\\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \\x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \\\"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\\\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\\*,0-:]+?|NKEYWORD \\x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\\*,0-:]+? [\\+\\-]?FLAGS(?:\\.SILENT)? (?:\\(\\x5c[a-z]{1,20}\\))?|ARTTLS)|UBSCRIBE [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+)|UN(?:SUBSCRIBE [\\\"-#%-&\\*\\--9A-Z\\x5c_a-z]+|AUTHENTICATE)|NOOP)\" \"id:932311,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: IMAP Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\r\\n(?s:.)*?\\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)\" \"id:932321,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: POP3 Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx !(?:\\d|!)\" \"id:932331,phase:2,block,t:none,msg:'Remote Command Execution: Unix shell history invocation',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-shell',tag:'platform-unix',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/152/248/88',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-932-APPLICATION-ATTACK-RCE\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:<\\?(?:[^x]|x[^m]|xm[^l]|xml[^\\s]|xml$|$)|<\\?php|\\[(?:/|\\x5c)?php\\])\" \"id:933100,phase:2,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Open Tag Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name \"@rx .*\\.ph(?:p\\d*|tml|ar|ps|t|pt)\\.*$\" \"id:933110,phase:2,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile php-config-directives.data\" \"id:933120,phase:2,block,capture,t:none,t:normalisePath,msg:'PHP Injection Attack: Configuration Directive Found',logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.933120_tx_0=%{tx.0}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VARS \"@pm =\" \"capture,setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile php-variables.data\" \"id:933130,phase:2,block,capture,t:none,t:normalisePath,t:urlDecodeUni,msg:'PHP Injection Attack: Variables Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)\" \"id:933140,phase:2,block,capture,t:none,msg:'PHP Injection Attack: I/O Stream Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://\" \"id:933200,phase:2,block,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,msg:'PHP Injection Attack: Wrapper scheme detected',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile php-function-names-933150.data\" \"id:933150,phase:2,block,capture,t:none,msg:'PHP Injection Attack: High-Risk PHP Function Name Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b\\(?[\\\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\\*.*\\*/|/.*)|#.*|[\\s\\v\\\"])*[\\\"']*\\)?[\\s\\v]*\\(.*\\)\" \"id:933160,phase:2,block,capture,t:none,msg:'PHP Injection Attack: High-Risk PHP Function Call Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* \"@rx [oOcC]:\\d+:\\\".+?\\\":\\d+:{.*}\" \"id:933170,phase:2,block,capture,t:none,msg:'PHP Injection Attack: Serialized Object Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx \\$+(?:[a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*|\\s*{.+})(?:\\s|\\[.+\\]|{.+}|/\\*.*\\*/|//.*|#.*)*\\(.*\\)\" \"id:933180,phase:2,block,capture,t:none,msg:'PHP Injection Attack: Variable Function Call Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?:\\((?:.+\\)(?:[\\\"'][\\-0-9A-Z_a-z]+[\\\"'])?\\(.+|[^\\)]*string[^\\)]*\\)[\\s\\v\\\"'\\--\\.0-9A-\\[\\]_a-\\{\\}]+\\([^\\)]*)|(?:\\[[0-9]+\\]|\\{[0-9]+\\}|\\$[^\\(-\\),\\.-/;\\x5c]+|[\\\"'][\\-0-9A-Z\\x5c_a-z]+[\\\"'])\\(.+)\\);\" \"id:933210,phase:2,block,capture,t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,msg:'PHP Injection Attack: Variable Function Call Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile php-function-names-933151.data\" \"id:933151,phase:2,block,capture,t:none,msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.933151_tx_0=%{tx.0}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VARS \"@pm (\" \"capture,setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI\" \"id:933131,phase:2,block,capture,t:none,t:normalisePath,t:urlDecodeUni,msg:'PHP Injection Attack: Variables Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\\s\\v]|/\\*.*\\*/|(?:#|//).*)*\\(.*\\)\" \"id:933161,phase:2,block,capture,t:none,msg:'PHP Injection Attack: Low-Value PHP Function Call Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name \"@rx .*\\.(?:php\\d*|phtml)\\..*$\" \"id:933111,phase:2,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pm ?>\" \"id:933190,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'PHP Injection Attack: PHP Closing Tag Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?:\\((?:.+\\)(?:[\\\"'][\\-0-9A-Z_a-z]+[\\\"'])?\\(.+|[^\\)]*string[^\\)]*\\)[\\s\\v\\\"'\\--\\.0-9A-\\[\\]_a-\\{\\}]+\\([^\\)]*)|(?:\\[[0-9]+\\]|\\{[0-9]+\\}|\\$[^\\(-\\),\\.-/;\\x5c]+|[\\\"'][\\-0-9A-Z\\x5c_a-z]+[\\\"'])\\(.+)\\)(?:;|$)?\" \"id:933211,phase:2,block,capture,t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,msg:'PHP Injection Attack: Variable Function Call Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-injection-php',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-933-APPLICATION-ATTACK-PHP\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx _(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:\\beval|new[\\s\\v]+Function[\\s\\v]*)\\(|String\\.fromCharCode|function\\(\\)\\{|this\\.constructor|module\\.exports=|\\([\\s\\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\\s\\v]*\\)|process(?:\\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\\.call)?\\(|binding|constructor|env|global|main(?:Module)?|process|require)|\\[[\\\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\\\"'`]\\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\\[|console(?:\\.(?:debug|error|info|trace|warn)(?:\\.call)?\\(|\\[[\\\"'`](?:debug|error|info|trace|warn)[\\\"'`]\\])|require(?:\\.(?:resolve(?:\\.call)?\\(|main|extensions|cache)|\\[[\\\"'`](?:(?:resolv|cach)e|main|extensions)[\\\"'`]\\])\" \"id:934100,phase:2,block,capture,t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,msg:'Node.js Injection Attack 1/2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-javascript',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@pmFromFile ssrf.data\" \"id:934110,phase:2,block,capture,t:none,msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-ssrf',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/664',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:__proto__|constructor\\s*(?:\\.|\\[)\\s*prototype)\" \"id:934130,phase:2,block,capture,t:none,t:urlDecodeUni,t:jsDecode,msg:'JavaScript Prototype Pollution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-javascript',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1/180/77',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx Process[\\s\\v]*\\.[\\s\\v]*spawn[\\s\\v]*\\(\" \"id:934150,phase:2,block,capture,t:none,msg:'Ruby Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-ruby',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx while[\\s\\v]*\\([\\s\\v\\(]*(?:!+(?:false|null|undefined|NaN|[\\+\\-]?0|\\\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\\+\\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\\b|\\{.*\\}|\\[.*\\]|\\\"[^\\\"]+\\\"|'[^']+'|`[^`]+`)).*\\)\" \"id:934160,phase:2,block,capture,t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,msg:'Node.js DoS attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-javascript',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ^data:(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\v]*,[\\s\\v]*(?:(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\v]*;[\\s\\v]*(?:charset[\\s\\v]*=[\\s\\v]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\\\"?|(?:[^\\s\\v -\\\"\\(-\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!-\\\"\\(-\\),/:-\\?\\[-\\]e\\{\\}]|e[^!-\\\"\\(-\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!-\\\"\\(-\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\v]*=[\\s\\v]*[^!\\(-\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*\" \"id:934170,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'PHP data scheme attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-ssrf',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\s\\v]*\\(\" \"id:934101,phase:2,block,capture,t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,msg:'Node.js Injection Attack 2/2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-javascript',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\\.(?:[0-9]{1,3}\\.[0-9]{5}|[0-9]{8})|(?:\\x5c\\x5c[\\-0-9a-z]\\.?_?)+|\\[[0-:a-f]+(?:[\\.0-9]+|%[0-9A-Z_a-z]+)?\\]|[a-z][\\--\\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\\s\\v]*&?@(?:(?:[0-9]{1,3}\\.){3}[0-9]{1,3}|[a-z][\\--\\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\\.0-9]{0,11}(?:\\xe2(?:\\x91[\\xa0-\\xbf]|\\x92[\\x80-\\xbf]|\\x93[\\x80-\\xa9\\xab-\\xbf])|\\xe3\\x80\\x82)+))\" \"id:934120,phase:2,block,capture,t:none,msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-ssrf',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/225/664',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx @\\{.*\\}\" \"id:934140,phase:2,block,capture,t:none,msg:'Perl Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-perl',tag:'platform-multi',tag:'attack-rce',tag:'attack-injection-generic',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME \"!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122\" \"id:941010,phase:1,pass,t:none,nolog,ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* \"@detectXSS\" \"id:941100,phase:2,block,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,msg:'XSS Attack Detected via libinjection',logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)]*>[\\s\\S]*?\" \"id:941110,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,msg:'XSS Filter - Category 1: Script Tag Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i).(?:\\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\\b.*?=)|!ENTITY[\\s\\v]+(?:%[\\s\\v]+)?[^\\s\\v]+[\\s\\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\\b\" \"id:941130,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,msg:'XSS Filter - Category 3: Attribute Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript\" \"id:941140,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace,msg:'XSS Filter - Category 4: Javascript URI Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\v\\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\\s\\v/]|[\\\"'](?:.*[\\s\\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\\x08-\\n\\f-\\r ]*?=\" \"id:941160,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,msg:'NoScript XSS InjectionChecker: HTML Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i)(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d))|data:(?:(?:[a-z]\\w+/\\w[\\w+-]+\\w)?[;,]|[\\s\\S]*?;[\\s\\S]*?\\b(?:base64|charset=)|[\\s\\S]*?,[\\s\\S]*?<[\\s\\S]*?\\w[\\s\\S]*?>))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(\" \"id:941170,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,msg:'NoScript XSS InjectionChecker: Attribute Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding \" \"id:941181,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,msg:'Node-Validator Deny List Keywords',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W\" \"id:941320,phase:2,block,capture,t:none,t:jsDecode,t:lowercase,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'OWASP_CRS',tag:'capec/1000/152/242/63',tag:'PCI/6.5.1',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i:[\\\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\x5cu006C)(?:o|\\x5cu006F)(?:c|\\x5cu0063)(?:a|\\x5cu0061)(?:t|\\x5cu0074)(?:i|\\x5cu0069)(?:o|\\x5cu006F)(?:n|\\x5cu006E)|(?:n|\\x5cu006E)(?:a|\\x5cu0061)(?:m|\\x5cu006D)(?:e|\\x5cu0065)|(?:o|\\x5cu006F)(?:n|\\x5cu006E)(?:e|\\x5cu0065)(?:r|\\x5cu0072)(?:r|\\x5cu0072)(?:o|\\x5cu006F)(?:r|\\x5cu0072)|(?:v|\\x5cu0076)(?:a|\\x5cu0061)(?:l|\\x5cu006C)(?:u|\\x5cu0075)(?:e|\\x5cu0065)(?:O|\\x5cu004F)(?:f|\\x5cu0066)).*?=)\" \"id:941330,phase:2,block,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,msg:'IE XSS Filters - Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'PCI/6.5.1',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i)[\\\"\\'][ ]*(?:[^a-z0-9~_:\\' ]|in).+?[.].+?=\" \"id:941340,phase:2,block,capture,t:none,t:htmlEntityDecode,t:compressWhitespace,msg:'IE XSS Filters - Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'OWASP_CRS',tag:'capec/1000/152/242',tag:'PCI/6.5.1',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx {{.*?}}\" \"id:941380,phase:2,block,capture,t:none,msg:'AngularJS client side template injection detected',logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'attack-xss',tag:'xss-perf-disable',tag:'OWASP_CRS',tag:'capec/1000/152/242/63',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:941015,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:941016,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:941017,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:941018,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-941-APPLICATION-ATTACK-XSS\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:942011,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:942012,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@detectSQLi\" \"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\\(|(?:information_schema|m(?:aster\\.\\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\\.db)|northwind|pg_(?:catalog|toast)|tempdb)\\b|s(?:chema(?:_name\\b|[^0-9A-Z_a-z]*\\()|(?:qlite_(?:temp_)?master|ys(?:aux|\\.database_name))\\b))\" \"id:942140,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack: Common DB Names Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(\" \"id:942151,phase:2,block,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'SQL Injection Attack: SQL function name detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:sleep\\(\\s*?\\d*?\\s*?\\)|benchmark\\(.*?\\,.*?\\))\" \"id:942160,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects blind sqli tests using sleep() or benchmark()',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:select|;)[\\s\\v]+(?:benchmark|if|sleep)[\\s\\v]*?\\([\\s\\v]*?\\(?[\\s\\v]*?[0-9A-Z_a-z]+\" \"id:942170,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\\"'`](?:[\\s\\v]*![\\s\\v]*[\\\"'0-9A-Z_-z]|;?[\\s\\v]*(?:having|select|union\\b[\\s\\v]*(?:all|(?:distin|sele)ct))\\b[\\s\\v]*[^\\s\\v])|\\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\\s\\v]*?|select.*?[0-9A-Z_a-z]?user)\\(|exec(?:ute)?[\\s\\v]+master\\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\\s\\v\\+]+(?:dump|out)file[\\s\\v]*?[\\\"'`]|union(?:[\\s\\v]select[\\s\\v]@|[\\s\\v\\(0-9A-Z_a-z]*?select))|[\\s\\v]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\\s\\v]*?\\(\" \"id:942190,phase:2,block,capture,t:none,t:urlDecodeUni,t:removeCommentsChar,msg:'Detects MSSQL code execution and information gathering attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$\" \"id:942220,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\s\\v\\(-\\)]case[\\s\\v]+when.*?then|\\)[\\s\\v]*?like[\\s\\v]*?\\(|select.*?having[\\s\\v]*?[^\\s\\v]+[\\s\\v]*?[^\\s\\v0-9A-Z_a-z]|if[\\s\\v]?\\([0-9A-Z_a-z]+[\\s\\v]*?[<->~]\" \"id:942230,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects conditional SQL injection attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)alter[\\s\\v]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\\s\\v]+set[\\s\\v]+[0-9A-Z_a-z]+|[\\\"'`](?:;*?[\\s\\v]*?waitfor[\\s\\v]+(?:time|delay)[\\s\\v]+[\\\"'`]|;.*?:[\\s\\v]*?goto)\" \"id:942240,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL charset switch and MSSQL DoS attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\\\"'`]|match\\s*?[\\w(),+-]+\\s*?against\\s*?\\()\" \"id:942250,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)union.*?select.*?from\" \"id:942270,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)select[\\s\\v]*?pg_sleep|waitfor[\\s\\v]*?delay[\\s\\v]?[\\\"'`]+[\\s\\v]?[0-9]|;[\\s\\v]*?shutdown[\\s\\v]*?(?:[#;\\{]|/\\*|--)\" \"id:942280,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\[?\\$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)\\]?\" \"id:942290,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Finds basic MongoDB SQL injection attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)create[\\s\\v]+(?:function|procedure)[\\s\\v]*?[0-9A-Z_a-z]+[\\s\\v]*?\\([\\s\\v]*?\\)[\\s\\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\v]*?[0-9A-Z_a-z]+|iv[\\s\\v]*?\\([\\+\\-]*[\\s\\v\\.0-9]+,[\\+\\-]*[\\s\\v\\.0-9]+\\))|exec[\\s\\v]*?\\([\\s\\v]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\v]+analyse)[\\s\\v]*?\\(|;[\\s\\v]*?(?:declare|open)[\\s\\v]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)\" \"id:942320,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)create[\\s\\v]+function[\\s\\v].+[\\s\\v]returns|;[\\s\\v]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\b[\\s\\v]*?[\\(\\[]?[0-9A-Z_a-z]{2,}\" \"id:942350,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\v]+(?:char|group_concat|load_file)\\b[\\s\\v]*\\(?|end[\\s\\v]*?\\);)|[\\s\\v\\(]load_file[\\s\\v]*?\\(|[\\\"'`][\\s\\v]+regexp[^0-9A-Z_a-z]|[\\\"'0-9A-Z_-z][\\s\\v]+as\\b[\\s\\v]*[\\\"'0-9A-Z_-z]+[\\s\\v]*\\bfrom|^[^A-Z_a-z]+[\\s\\v]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\v]+[0-9A-Z_a-z]+|u(?:pdate[\\s\\v]+[0-9A-Z_a-z]+|nion[\\s\\v]*(?:all|(?:sele|distin)ct)\\b)|alter[\\s\\v]*(?:a(?:(?:ggregat|pplication[\\s\\v]*rol)e|s(?:sembl|ymmetric[\\s\\v]*ke)y|u(?:dit|thorization)|vailability[\\s\\v]*group)|b(?:roker[\\s\\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\v]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\v]*key)|terialized)|e(?:ssage[\\s\\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\v]*schema|srobject))\\b)\" \"id:942360,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:/\\*[!+](?:[\\w\\s=_\\-()]+)?\\*/)\" \"id:942500,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'MySQL in-line comment detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ^(?:[^']*'|[^\\\"]*\\\"|[^`]*`)[\\s\\v]*;\" \"id:942540,phase:2,block,capture,t:none,t:urlDecodeUni,t:replaceComments,msg:'SQL Authentication bypass (split query)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)1\\.e[\\(-\\),]\" \"id:942560,phase:2,block,t:none,t:urlDecodeUni,t:replaceComments,msg:'MySQL Scientific Notation payload detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx [\\\"'`][\\[\\{].*[\\]\\}][\\\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\\?[&\\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\\?[&\\|]?|#>>?|[<>]|<-)[\\\"'`][\\[\\{].*[\\]\\}][\\\"'`]|json_extract.*\\(.*\\)\" \"id:942550,phase:2,block,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,msg:'JSON-Based SQL Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:942014,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \"@rx (?:^\\s*[\\\"'`;]+|[\\\"'`]+\\s*$)\" \"id:942110,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,msg:'SQL Injection Attack: Common Injection Testing Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* \"@rx (?i)!=|&&|\\|\\||>[=->]|<(?:<|=>?|>(?:[\\s\\v]+binary)?)|\\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\\\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\\s\\v]*\\()|r(?:egexp|like)[\\s\\v]+binary|not[\\s\\v]+between[\\s\\v]+(?:0[\\s\\v]+and|(?:'[^']*'|\\\"[^\\\"]*\\\")[\\s\\v]+and[\\s\\v]+(?:'[^']*'|\\\"[^\\\"]*\\\"))|is[\\s\\v]+null|like[\\s\\v]+(?:null|[0-9A-Z_a-z]+[\\s\\v]+escape\\b)|(?:^|[^0-9A-Z_a-z])in[\\s\\v\\+]*\\([\\s\\v\\\"0-9]+[^\\(-\\)]*\\)|[!<->]{1,2}[\\s\\v]*all\\b\" \"id:942120,phase:2,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,msg:'SQL Injection Attack: SQL Operator Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\s\\v\\\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\v\\\"'-\\)`]*?(?:=|<=>|(?:sounds[\\s\\v]+)?like|glob|r(?:like|egexp))[\\s\\v\\\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b\" \"id:942130,phase:2,block,capture,t:none,t:urlDecodeUni,t:replaceComments,msg:'SQL Injection Attack: SQL Boolean-based attack detected',logdata:'Matched Data: %{TX.0} found within %{TX.942130_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.942130_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"@streq %{TX.2}\" \"t:none,setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\s\\v\\\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\v\\\"'-\\)`]*?(?:![<->]|<[=->]?|>=?|\\^|is[\\s\\v]+not|not[\\s\\v]+(?:like|r(?:like|egexp)))[\\s\\v\\\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b\" \"id:942131,phase:2,block,capture,t:none,t:urlDecodeUni,t:replaceComments,msg:'SQL Injection Attack: SQL Boolean-based attack detected',logdata:'Matched Data: %{TX.0} found within %{TX.942131_MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',multiMatch,setvar:'tx.942131_matched_var_name=%{matched_var_name}',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"!@streq %{TX.2}\" \"t:none,setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\\(\" \"id:942150,phase:2,block,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'SQL Injection Attack: SQL function name detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:/\\*)+[\\\"'`]+[\\s\\v]?(?:--|[#\\{]|/\\*)?|[\\\"'`](?:[\\s\\v]*(?:(?:x?or|and|div|like|between)[\\s\\v\\-0-9A-Z_a-z]+[\\(-\\)\\+-\\-<->][\\s\\v]*[\\\"'0-9`]|[!=\\|](?:[\\s\\v -!\\+\\-0-9=]+.*?[\\\"'-\\(`].*?|[\\s\\v -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\\\"'-\\(0-9A-Z_-z]|;)|(?:[<>~]+|[\\s\\v]*[^\\s\\v0-9A-Z_a-z]?=[\\s\\v]*|[^0-9A-Z_a-z]*?[\\+=]+[^0-9A-Z_a-z]*?)[\\\"'`])|[0-9][\\\"'`][\\s\\v]+[\\\"'`][\\s\\v]+[0-9]|^admin[\\s\\v]*?[\\\"'`]|[\\s\\v\\\"'-\\(`][\\s\\v]*?glob[^0-9A-Z_a-z]+[\\\"'-\\(0-9A-Z_-z]|[\\s\\v]is[\\s\\v]*?0[^0-9A-Z_a-z]|where[\\s\\v][\\s\\v,-\\.0-9A-Z_a-z]+[\\s\\v]=\" \"id:942180,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 1/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@rx (?i),.*?[\\\"'\\)0-9`-f][\\\"'`](?:[\\\"'`].*?[\\\"'`]|(?:\\r?\\n)?\\z|[^\\\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\v]*?\\([\\s\\v]*?space[\\s\\v]*?\\(\" \"id:942200,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:&&|\\|\\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\\s\\v\\(]+[0-9A-Z_a-z]+[\\s\\v\\)]*?[!\\+=]+[\\s\\v0-9]*?[\\\"'-\\)=`]|[0-9](?:[\\s\\v]*?(?:and|between|div|like|x?or)[\\s\\v]*?[0-9]+[\\s\\v]*?[\\+\\-]|[\\s\\v]+group[\\s\\v]+by.+\\()|/[0-9A-Z_a-z]+;?[\\s\\v]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\\s\\v]*?(?:alter|drop|(?:insert|update)[\\s\\v]*?[0-9A-Z_a-z]{2,})|@.+=[\\s\\v]*?\\([\\s\\v]*?select|[^0-9A-Z_a-z]SET[\\s\\v]*?@[0-9A-Z_a-z]+\" \"id:942210,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects chained SQL injection attempts 1/2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\\"'`][\\s\\v]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)[\\s\\v]+[\\s\\v0-9A-Z_a-z]+=[\\s\\v]*?[0-9A-Z_a-z]+[\\s\\v]*?having[\\s\\v]+|like[^0-9A-Z_a-z]*?[\\\"'0-9`])|[0-9A-Z_a-z][\\s\\v]+like[\\s\\v]+[\\\"'`]|like[\\s\\v]*?[\\\"'`]%|select[\\s\\v]+?[\\s\\v\\\"'-\\),-\\.0-9A-\\[\\]_-z]+from[\\s\\v]+\" \"id:942260,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 2/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\)[\\s\\v]*?when[\\s\\v]*?[0-9]+[\\s\\v]*?then|[\\\"'`][\\s\\v]*?(?:[#\\{]|--)|/\\*![\\s\\v]?[0-9]+|\\b(?:(?:binary|cha?r)[\\s\\v]*?\\([\\s\\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\\s\\v]+[0-9A-Z_a-z]+\\()|(?:\\|\\||&&)[\\s\\v]*?[0-9A-Z_a-z]+\\(\" \"id:942300,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL comments, conditions and ch(a)r injections',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:\\([\\s\\v]*?select[\\s\\v]*?[0-9A-Z_a-z]+|coalesce|order[\\s\\v]+by[\\s\\v]+if[0-9A-Z_a-z]*?)[\\s\\v]*?\\(|\\*/from|\\+[\\s\\v]*?[0-9]+[\\s\\v]*?\\+[\\s\\v]*?@|[0-9A-Z_a-z][\\\"'`][\\s\\v]*?(?:(?:[\\+\\-=@\\|]+[\\s\\v]+?)+|[\\+\\-=@\\|]+)[\\(0-9]|@@[0-9A-Z_a-z]+[\\s\\v]*?[^\\s\\v0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\\\"'`][0-9A-Z_a-z]|[\\\"'`](?:;[\\s\\v]*?(?:if|while|begin)|[\\s\\v0-9]+=[\\s\\v]*?[0-9])|[\\s\\v\\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\\s\\v\\(]\" \"id:942310,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects chained SQL injection attempts 2/2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\\"'`][\\s\\v]*?\\b(?:x?or|div|like|between|and)\\b[\\s\\v]*?[\\\"'`]?[0-9]|\\x5cx(?:2[37]|3d)|^(?:.?[\\\"'`]$|[\\\"'\\x5c`]*?(?:[\\\"'0-9`]+|[^\\\"'`]+[\\\"'`])[\\s\\v]*?\\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)\\b[\\s\\v]*?[\\\"'0-9A-Z_-z][!&\\(-\\)\\+-\\.@])|[^\\s\\v0-9A-Z_a-z][0-9A-Z_a-z]+[\\s\\v]*?[\\-\\|][\\s\\v]*?[\\\"'`][\\s\\v]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\\s\\v]+(?:and|x?or|div|like|between)\\b[\\s\\v]*?[\\\"'0-9`]+|[\\-0-9A-Z_a-z]+[\\s\\v](?:and|x?or|div|like|between)\\b[\\s\\v]*?[^\\s\\v0-9A-Z_a-z])|[^\\s\\v0-:A-Z_a-z][\\s\\v]*?[0-9][^0-9A-Z_a-z]+[^\\s\\v0-9A-Z_a-z][\\s\\v]*?[\\\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]\" \"id:942330,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects classic SQL injection probings 1/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)in[\\s\\v]*?\\(+[\\s\\v]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\\s\\v]+|(?:\\|\\||&&)[\\s\\v]*)[\\s\\v\\+0-9A-Z_a-z]+(?:regexp[\\s\\v]*?\\(|sounds[\\s\\v]+like[\\s\\v]*?[\\\"'`]|[0-9=]+x)|[\\\"'`](?:[\\s\\v]*?(?:[0-9][\\s\\v]*?(?:--|#)|is[\\s\\v]*?(?:[0-9].+[\\\"'`]?[0-9A-Z_a-z]|[\\.0-9]+[\\s\\v]*?[^0-9A-Z_a-z].*?[\\\"'`]))|[%-&<->\\^]+[0-9][\\s\\v]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[\\+\\-0-9A-Z_a-z]+[\\s\\v]*?=[\\s\\v]*?[0-9][^0-9A-Z_a-z]+|\\|?[\\-0-9A-Z_a-z]{3,}[^\\s\\v,\\.0-9A-Z_a-z]+)[\\\"'`]|[\\s\\v]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\\s\\v]+|(?:\\|\\||&&)[\\s\\v]*)(?:array[\\s\\v]*\\[|[0-9A-Z_a-z]+(?:[\\s\\v]*!?~|[\\s\\v]+(?:not[\\s\\v]+)?similar[\\s\\v]+to[\\s\\v]+)|(?:tru|fals)e\\b))|\\bexcept[\\s\\v]+(?:select\\b|values[\\s\\v]*?\\()\" \"id:942340,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 3/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:^[\\W\\d]+\\s*?(?:alter|union)\\b)\" \"id:942361,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL injection based on keyword alter or union',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\v]+(?:char|group_concat|load_file)[\\s\\v]?\\(?|end[\\s\\v]*?\\);|[\\s\\v\\(]load_file[\\s\\v]*?\\(|[\\\"'`][\\s\\v]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\\s\\v]+as\\b[\\s\\v]*[\\\"'0-9A-Z_-z]+[\\s\\v]*\\bfrom|^[^A-Z_a-z]+[\\s\\v]*?(?:create[\\s\\v]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\\s\\v]*(?:all|(?:sele|distin)ct))|alter[\\s\\v]*(?:a(?:(?:ggregat|pplication[\\s\\v]*rol)e|s(?:sembl|ymmetric[\\s\\v]*ke)y|u(?:dit|thorization)|vailability[\\s\\v]*group)|b(?:roker[\\s\\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\v]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\v]*key)|terialized)|e(?:ssage[\\s\\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\v]*schema|srobject)))\\b)\" \"id:942362,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\\"'`](?:[\\s\\v]*?(?:(?:\\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\\\"'`]|(?:x?or|div|like|between|and)[\\s\\v][^0-9]+[\\-0-9A-Z_a-z]+.*?)[0-9]|[^\\s\\v0-9\\?A-Z_a-z]+[\\s\\v]*?[^\\s\\v0-9A-Z_a-z]+[\\s\\v]*?[\\\"'`]|[^\\s\\v0-9A-Z_a-z]+[\\s\\v]*?[^A-Z_a-z].*?(?:#|--))|.*?\\*[\\s\\v]*?[0-9])|\\^[\\\"'`]|[%\\(-\\+\\-<>][\\-0-9A-Z_a-z]+[^\\s\\v0-9A-Z_a-z]+[\\\"'`][^,]\" \"id:942370,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects classic SQL injection probings 2/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:having\\b(?:[\\s\\v]+(?:[0-9]{1,10}|'[^=]{1,10}')[\\s\\v]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\\\"'][^=]{1,10}[ \\\"'<-\\?\\[]+))|ex(?:ecute(?:\\(|[\\s\\v]{1,5}[\\$\\.0-9A-Z_a-z]{1,5}[\\s\\v]{0,3})|ists[\\s\\v]*?\\([\\s\\v]*?select\\b)|(?:create[\\s\\v]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\\()|select.*?case|from.*?limit|order[\\s\\v]by|exists[\\s\\v](?:[\\s\\v]select|s(?:elect[^\\s\\v](?:if(?:null)?[\\s\\v]\\(|top|concat)|ystem[\\s\\v]\\()|\\bhaving\\b[\\s\\v]+[0-9]{1,10}|'[^=]{1,10}')\" \"id:942380,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:or\\b(?:[\\s\\v]?(?:[0-9]{1,10}|[\\\"'][^=]{1,10}[\\\"'])[\\s\\v]?[<->]+|[\\s\\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\v]*?[<->])?)|xor\\b[\\s\\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\v]*?[<->])?)|'[\\s\\v]+x?or[\\s\\v]+.{1,20}[!\\+\\-<->]\" \"id:942390,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\band\\b(?:[\\s\\v]+(?:[0-9]{1,10}[\\s\\v]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\\\"'][^=]{1,10}[\\\"']) ?[<->]+)\" \"id:942400,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\\(\" \"id:942410,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)\" \"id:942470,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\\.|elete\\b[^0-9A-Z_a-z]*?\\bfrom)|(?:group\\b.*?\\bby\\b.{1,100}?\\bhav|overlay\\b[^0-9A-Z_a-z]*?\\(.*?\\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\\b[^0-9A-Z_a-z]*?\\bjoin|sert\\b[^0-9A-Z_a-z]*?\\binto|to\\b[^0-9A-Z_a-z]*?\\b(?:dump|out)file)|load\\b[^0-9A-Z_a-z]*?\\bdata\\b.*?\\binfile|s(?:elect\\b.{1,100}?\\b(?:(?:.*?\\bdump\\b.*|(?:count|length)\\b.{1,100}?)\\bfrom|(?:data_typ|from\\b.{1,100}?\\bwher)e|instr|to(?:_(?:cha|numbe)r|p\\b.{1,100}?\\bfrom))|ys_context)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr))\\b|print\\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\\(a|@@version|;[^0-9A-Z_a-z]*?\\b(?:drop|shutdown))\\b|'(?:dbo|msdasql|s(?:a|qloledb))'\" \"id:942480,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx ((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){12})\" \"id:942430,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx /\\*!?|\\*/|[';]--|--(?:[\\s\\v]|[^\\-]*?-)|[^&\\-]#.*?[\\s\\v]|;?\\x00\" \"id:942440,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Comment Sequence Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VARS \"!@rx ^ey[\\-0-9A-Z_a-z]+\\.ey[\\-0-9A-Z_a-z]+\\.[\\-0-9A-Z_a-z]+$\" \"t:none,setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:\\b0x[a-f\\d]{3,})\" \"id:942450,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:`(?:(?:[\\w\\s=_\\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)\" \"id:942510,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQLi bypass attempt by ticks or backticks detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)[\\\"'`][\\s\\v]*?(?:(?:is[\\s\\v]+not|not[\\s\\v]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\\s\\v]+like)\\b|[%-&\\*-\\+\\-/<->\\^\\|])\" \"id:942520,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 4.0/4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\\\"]*?(?:\\\"[^\\\"]*?\\\"[^\\\"]*?)*?\\\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\\s\\v]*([0-9A-Z_a-z]+)\\b\" \"id:942521,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 4.1/4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"@rx ^(?:and|or)$\" \"t:none,setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx ^.*?\\x5c['\\\"`](?:.*?['\\\"`])?\\s*(?:and|or)\\b\" \"id:942522,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects basic SQL authentication bypass attempts 4.1/4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_BASENAME|REQUEST_FILENAME \"@detectSQLi\" \"id:942101,phase:1,block,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,msg:'SQL Injection Attack Detected via libinjection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent \"@rx (?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(\" \"id:942152,phase:1,block,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'SQL Injection Attack: SQL function name detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent \"@rx (?i)create[\\s\\v]+(?:function|procedure)[\\s\\v]*?[0-9A-Z_a-z]+[\\s\\v]*?\\([\\s\\v]*?\\)[\\s\\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\v]*?[0-9A-Z_a-z]+|iv[\\s\\v]*?\\([\\+\\-]*[\\s\\v\\.0-9]+,[\\+\\-]*[\\s\\v\\.0-9]+\\))|exec[\\s\\v]*?\\([\\s\\v]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\v]+analyse)[\\s\\v]*?\\(|;[\\s\\v]*?(?:declare|open)[\\s\\v]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)\" \"id:942321,phase:1,block,capture,t:none,t:urlDecodeUni,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:942016,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)\\W+\\d*?\\s*?\\bhaving\\b\\s*?[^\\s\\-]\" \"id:942251,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects HAVING injections',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx [\\\"'`][\\s\\d]*?[^\\w\\s]\\W*?\\d\\W*?.*?[\\\"'`\\d]\" \"id:942490,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Detects classic SQL injection probings 3/3',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES \"@rx ((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){8})\" \"id:942420,phase:1,block,capture,t:none,t:urlDecodeUni,msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx ((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){6})\" \"id:942431,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS \"@rx \\W{4}\" \"id:942460,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:'(?:(?:[\\w\\s=_\\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')\" \"id:942511,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQLi bypass attempt by ticks detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx ';\" \"id:942530,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQLi query termination detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES \"@rx ((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){3})\" \"id:942421,phase:1,block,capture,t:none,t:urlDecodeUni,msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES|ARGS|XML:/* \"@rx ((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\\\"'´’‘`<>]*?){2})\" \"id:942432,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'WARNING',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-942-APPLICATION-ATTACK-SQLI\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)\" \"id:943100,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-fixation',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/21/593/61',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx ^(?:jsessionid|aspsessionid|asp\\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$\" \"id:943110,phase:2,block,capture,t:none,t:lowercase,msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-fixation',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/21/593/61',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_HEADERS:Referer \"@rx ^(?:ht|f)tps?://(.*?)/\" \"capture,chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:1 \"!@endsWith %{request_headers.host}\" \"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS_NAMES \"@rx ^(?:jsessionid|aspsessionid|asp\\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$\" \"id:943120,phase:2,block,capture,t:none,t:lowercase,msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-fixation',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/21/593/61',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule &REQUEST_HEADERS:Referer \"@eq 0\" \"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx java\\.lang\\.(?:runtime|processbuilder)\" \"id:944100,phase:2,block,t:none,t:lowercase,msg:'Remote Command Execution: Suspicious Java class detected',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/137/6',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:runtime|processbuilder)\" \"id:944110,phase:2,block,t:none,t:lowercase,msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:unmarshaller|base64data|java\\.)\" \"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \"@pmFromFile java-classes.data\" \"id:944130,phase:2,block,t:none,msg:'Suspicious Java class detected',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name \"@rx .*\\.(?:jsp|jspx)\\.*$\" \"id:944140,phase:2,block,capture,t:none,t:lowercase,msg:'Java Injection Attack: Java Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-injection-java',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/152/242',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]{0,15}(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)\" \"id:944150,phase:2,block,t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,log,msg:'Potential Remote Command Execution: Log4j / Log4shell',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/137/6',tag:'PCI/6.5.2',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]*(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)\" \"id:944151,phase:2,block,t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,log,msg:'Potential Remote Command Execution: Log4j / Log4shell',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/137/6',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx \\xac\\xed\\x00\\x05\" \"id:944200,phase:2,block,msg:'Magic bytes Detected, probable java serialization in use',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:rO0ABQ|KztAAU|Cs7QAF)\" \"id:944210,phase:2,block,msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944240,phase:2,block,t:none,t:lowercase,msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx java\\b.+(?:runtime|processbuilder)\" \"id:944250,phase:2,block,t:lowercase,msg:'Remote Command Execution: Suspicious Java method detected',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)\" \"id:944260,phase:2,block,t:urlDecodeUni,msg:'Remote Command Execution: Malicious class-loading payload',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/2',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)\" \"id:944300,phase:2,block,t:none,msg:'Base64 encoded string matched suspicious keyword',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/248',tag:'PCI/6.5.2',tag:'paranoia-level/3',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)\" \"id:944152,phase:2,block,t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,log,msg:'Potential Remote Command Execution: Log4j / Log4shell',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-rce',tag:'OWASP_CRS',tag:'capec/1000/152/137/6',tag:'PCI/6.5.2',tag:'paranoia-level/4',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-944-APPLICATION-ATTACK-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 1\" \"id:949052,phase:1,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 1\" \"id:949152,phase:1,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 2\" \"id:949053,phase:1,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 2\" \"id:949153,phase:1,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 3\" \"id:949054,phase:1,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 3\" \"id:949154,phase:1,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 4\" \"id:949055,phase:1,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 4\" \"id:949155,phase:1,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAction \"id:949059,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=0'\"" 2024/01/09 18:41:04 [DEBUG] Added SecAction actions="id:949059,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=0'" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecAction \"id:949159,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=0'\"" 2024/01/09 18:41:04 [DEBUG] Added SecAction actions="id:949159,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=0'" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 1\" \"id:949060,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 1\" \"id:949160,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 2\" \"id:949061,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 2\" \"id:949161,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 3\" \"id:949062,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 3\" \"id:949162,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_PARANOIA_LEVEL \"@ge 4\" \"id:949063,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@ge 4\" \"id:949163,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"BEGIN-REQUEST-BLOCKING-EVAL\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE \"@ge %{tx.inbound_anomaly_score_threshold}\" \"id:949111,phase:1,deny,t:none,msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',tag:'anomaly-evaluation',ver:'OWASP_CRS/4.0.0-rc2',chain\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:EARLY_BLOCKING \"@eq 1\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE \"@ge %{tx.inbound_anomaly_score_threshold}\" \"id:949110,phase:2,deny,t:none,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',tag:'anomaly-evaluation',ver:'OWASP_CRS/4.0.0-rc2'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-REQUEST-949-BLOCKING-EVALUATION\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:950011,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:950012,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>\\[To Parent Directory\\]
)\" \"id:950130,phase:4,block,capture,t:none,msg:'Directory Listing',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54/127',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^#\\!\\s?/\" \"id:950140,phase:4,block,capture,t:none,msg:'CGI source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_STATUS \"@rx ^5\\d{2}$\" \"id:950100,phase:3,block,capture,t:none,msg:'The Application Returned a 500-Level Status Code',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-disclosure',tag:'PCI/6.5.6',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/152',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:950018,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-RESPONSE-950-DATA-LEAKAGES\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"!@pmFromFile sql-errors.data\" \"id:951100,phase:4,pass,t:none,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-disclosure',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',skipAfter:END-SQL-ERROR-MATCH-PL1\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:JET Database Engine|Access Database Engine|\\[Microsoft\\]\\[ODBC Microsoft Access Driver\\])\" \"id:951110,phase:4,block,capture,t:none,msg:'Microsoft Access SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-msaccess',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\\.sql\\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)\" \"id:951120,phase:4,block,capture,t:none,msg:'Oracle SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-oracle',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:DB2 SQL error:|\\[IBM\\]\\[CLI Driver\\]\\[DB2/6000\\]|CLI Driver.*DB2|DB2 SQL error|db2_\\w+\\()\" \"id:951130,phase:4,block,capture,t:none,msg:'DB2 SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-db2',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:\\[DM_QUERY_E_SYNTAX\\]|has occurred in the vicinity of:)\" \"id:951140,phase:4,block,capture,t:none,msg:'EMC SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-emc',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)Dynamic SQL Error\" \"id:951150,phase:4,block,capture,t:none,msg:'firebird SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-firebird',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)Exception (?:condition )?\\d+\\. Transaction rollback\\.\" \"id:951160,phase:4,block,capture,t:none,msg:'Frontbase SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-frontbase',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)org\\.hsqldb\\.jdbc\" \"id:951170,phase:4,block,capture,t:none,msg:'hsqldb SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-hsqldb',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:An illegal character has been found in the statement|com\\.informix\\.jdbc|Exception.*Informix)\" \"id:951180,phase:4,block,capture,t:none,msg:'informix SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-informix',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\\W.*Driver)\" \"id:951190,phase:4,block,capture,t:none,msg:'ingres SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-ingres',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:Warning: ibase_|Unexpected end of command in statement)\" \"id:951200,phase:4,block,capture,t:none,msg:'interbase SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-interbase',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)\" \"id:951210,phase:4,block,capture,t:none,msg:'maxDB SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-maxdb',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)(?:System\\.Data\\.OleDb\\.OleDbException|\\[Microsoft\\]\\[ODBC SQL Server Driver\\]|\\[Macromedia\\]\\[SQLServer JDBC Driver\\]|\\[SqlException|System\\.Data\\.SqlClient\\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\\(\\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\\.|ADODB\\.Field \\(0x800A0BCD\\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\\WSystem\\.Data\\.SqlClient\\.|Conversion failed when converting the varchar value .*? to data type int\\.)\" \"id:951220,phase:4,block,capture,t:none,msg:'mssql SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-mssql',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\\(\\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\\.)|\\[MySQL\\]\\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\\(-\\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \\([0-9a-z]{5}\\)|XPATH syntax error):\" \"id:951230,phase:4,block,capture,t:none,msg:'mysql SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-mysql',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\\(\\) \\[:|Warning.{1,20}\\bpg_.*|valid PostgreSQL result|Npgsql\\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er\" \"id:951240,phase:4,block,capture,t:none,msg:'postgres SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-pgsql',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\\.Exception|System\\.Data\\.SQLite\\.SQLiteException)\" \"id:951250,phase:4,block,capture,t:none,msg:'sqlite SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-sqlite',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)\" \"id:951260,phase:4,block,capture,t:none,msg:'Sybase SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-sybase',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116/54',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-SQL-ERROR-MATCH-PL1\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-RESPONSE-951-DATA-LEAKAGES-SQL\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile java-code-leakages.data\" \"id:952100,phase:4,block,capture,t:none,msg:'Java Source Code Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile java-errors.data\" \"id:952110,phase:4,block,capture,t:none,msg:'Java Errors',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-java',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecMarker \"END-RESPONSE-952-DATA-LEAKAGES-JAVA\"" 2024/01/09 18:41:04 [DEBUG] Added secmark rule 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:04 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile php-errors.data\" \"id:953100,phase:4,block,capture,t:none,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b\" \"id:953110,phase:4,block,capture,t:none,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?i)<\\?(?:=|php)?\\s+\" \"id:953120,phase:4,block,capture,t:none,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:953014,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile php-errors-pl2.data\" \"id:953101,phase:4,block,capture,t:none,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-php',tag:'platform-multi',tag:'attack-disclosure',tag:'paranoia-level/2',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:953016,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:953017,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:953018,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecMarker \"END-RESPONSE-953-DATA-LEAKAGES-PHP\"" 2024/01/09 18:41:05 [DEBUG] Added secmark rule 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:954011,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:954012,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx [a-z]:\\x5cinetpub\\b\" \"id:954100,phase:4,block,capture,t:none,t:lowercase,msg:'Disclosure of IIS install location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-iis',tag:'platform-windows',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\\.

|cannot connect to the server: timed out)\" \"id:954110,phase:4,block,capture,t:none,msg:'Application Availability Error',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-iis',tag:'platform-windows',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'PCI/6.5.6',tag:'OWASP_CRS',tag:'capec/1000/118/116',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile iis-errors.data\" \"id:954120,phase:4,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-iis',tag:'platform-windows',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_STATUS \"!@rx ^404$\" \"id:954130,phase:4,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'application-multi',tag:'language-multi',tag:'platform-iis',tag:'platform-windows',tag:'attack-disclosure',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/118/116',tag:'PCI/6.5.6',ver:'OWASP_CRS/4.0.0-rc2',severity:'ERROR',chain\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx \\bServer Error in.{0,50}?\\bApplication\\b\" \"capture,t:none,setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 2\" \"id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 3\" \"id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 4\" \"id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecMarker \"END-RESPONSE-954-DATA-LEAKAGES-IIS\"" 2024/01/09 18:41:05 [DEBUG] Added secmark rule 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule TX:DETECTION_PARANOIA_LEVEL \"@lt 1\" \"id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@pmFromFile web-shells-php.data\" \"id:955100,phase:4,block,capture,t:none,msg:'Web shell detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx (r57 Shell Version [0-9.]+|r57 shell)\" \"id:955110,phase:4,block,capture,t:none,msg:'r57 web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^.*? - WSO [0-9.]+\" \"id:955120,phase:4,block,capture,t:none,msg:'WSO web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx B4TM4N SH3LL.*\" \"id:955130,phase:4,block,capture,t:none,msg:'b4tm4n web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx Mini Shell.*Developed By LameHacker\" \"id:955140,phase:4,block,capture,t:none,msg:'Mini Shell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx \\.:: .* ~ Ashiyane V [0-9.]+ ::\\.\" \"id:955150,phase:4,block,capture,t:none,msg:'Ashiyane web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx Symlink_Sa [0-9.]+\" \"id:955160,phase:4,block,capture,t:none,msg:'Symlink_Sa web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx CasuS [0-9.]+ by MafiABoY\" \"id:955170,phase:4,block,capture,t:none,msg:'CasuS web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^\\r\\n\\r\\nGRP WebShell [0-9.]+ \" \"id:955180,phase:4,block,capture,t:none,msg:'GRP WebShell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\\n$\" \"id:955190,phase:4,block,capture,t:none,msg:'NGHshell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - \" \"id:955200,phase:4,block,capture,t:none,msg:'SimAttacker web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^<!DOCTYPE html>\\n<html>\\n<!-- By Artyum .*<title>Web Shell\" \"id:955210,phase:4,block,capture,t:none,msg:'Unknown web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx lama's'hell v. [0-9.]+\" \"id:955220,phase:4,block,capture,t:none,msg:'lama\\'s\\'hell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^ *\\n[ ]+\\n[ ]+lostDC - \" \"id:955230,phase:4,block,capture,t:none,msg:'lostDC web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^<title>PHP Web Shell\\r\\n\\r\\n\\r\\n \" \"id:955240,phase:4,block,capture,t:none,msg:'Unknown web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^\\n\\n
Input command :
\\n
\" \"id:955250,phase:4,block,capture,t:none,msg:'Unknown web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^\\n\\nRu24PostWebShell - \" \"id:955260,phase:4,block,capture,t:none,msg:'Ru24PostWebShell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King\" \"id:955270,phase:4,block,capture,t:none,msg:'s72 Shell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^\\r\\n\\r\\n\\r\\nPhpSpy Ver [0-9]+\" \"id:955280,phase:4,block,capture,t:none,msg:'PhpSpy web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^ \\n\\n\\n\\ng00nshell v[0-9.]+ \" \"id:955290,phase:4,block,capture,t:none,msg:'g00nshell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@contains <title>punkholicshell\" \"id:955300,phase:4,block,capture,t:none,t:removeWhitespace,t:lowercase,msg:'PuNkHoLic shell web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx ^\\n \\n azrail [0-9.]+ by C-W-M\" \"id:955310,phase:4,block,capture,t:none,msg:'azrail web shell',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:'language-php',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/225/122/17/650',ver:'OWASP_CRS/4.0.0-rc2',severity:'CRITICAL',setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"" 2024/01/09 18:41:05 [DEBUG] Parsing directive line="SecRule RESPONSE_BODY \"@rx >SmEvK_PaThAn Shell v[0-9]+ coded by \\n.*? ~ Shell I\\n\\n