/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
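# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading guide (review annotations, not part of the vendor text)
# - One directive per line; the links of a chained rule are indented under the
#   rule that carries the id. A chain fires only when every link matches.
# - Most rules use "pass" with "nolog,auditlog": they write an audit-log entry
#   and let the request continue. Rules marked "block" apply whatever
#   disruptive action the active SecDefaultAction defines.
# - Files named in @pmFromFile / @ipMatchFromFile and the trap.lua script are
#   not shown here, so comments on them say only what the directive states.
# - Several rules append "r<id>" to tx.rbl_infectors_rule; the consumer of that
#   variable is not in this file.
# - Corrected in this copy: 77350289 (empty-method guard compared against the
#   literal string "^$"), 77350444 (unescaped dots in Referer host names),
#   77451266 and 77451267 (lower-cased method compared with an upper-case
#   literal, so the chains could never match).
# - NOTE(review): this looks like a vendor-distributed ruleset; local edits are
#   presumably replaced on rule updates, so report the corrections upstream and
#   keep site-specific exclusions in a separate file - confirm.

# --- Path traversal and blacklisted URIs ---

# 77350314 (block): "../" style sequences in any argument, limited to request
# paths listed in the path_traversal data file.
# NOTE(review): "\.hmtl" is presumably a typo for "\.html" - confirm. A rule
# is not evaluated when its target is absent, so this link also requires a
# ChoiceURL argument to be present - verify on the deployed engine version.
SecRule ARGS "@rx \.\\\\\.\/\.\\\\\.\/|[\\\/]\.\.[\\\/]\.\.[\\\/]\.\.[\\\/]" "id:77350314,chain,phase:2,block,nolog,auditlog,severity:2,t:none,capture,setvar:tx.arg_name=%{MATCHED_VAR_NAME},setvar:tx.arg_value=%{MATCHED_VAR},t:none,t:urlDecode,msg:'IM360 WAF: Path traversal attack (CVE-2021-46417,CVE-2001-0780,CVE-2020-11798,CVE-2017-9833,CVE-2018-19753,CVE-2022-41412,CVE-2011-0063,CVE-2011-0049)||User:%{SCRIPT_USERNAME}||Path:%{REQUEST_FILENAME}||Arg:%{TX.arg_name}||Match:%{TX.arg_value}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS:ChoiceURL "!@rx \.hmtl" "t:none,chain"
    SecRule REQUEST_FILENAME "@pmFromFile path_traversal" "t:none"

# 77140739 (pass): request path found in userdata_dirb_URLs.data, skipped when
# tx.rbl_whitelist_check is set; one plugin asset URI is excluded.
SecRule REQUEST_URI "!@rx /wp-content/plugins/all-in-one-wp-migration/lib/view/assets/javascript/backups.min.js" "id:77140739,phase:2,pass,chain,nolog,auditlog,severity:5,msg:'IM360 WAF: [RBL] Dirb like fuzzing||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule &TX:rbl_whitelist_check "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "@pmFromFile userdata_dirb_URLs.data" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77140739',t:urlDecode,t:normalizePath,t:lowercase"

# 77142167 (block): remote host name, arguments or cookies containing an entry
# of the bl_uri list. No phase is given, so the configured default applies.
SecRule REMOTE_HOST|ARGS|REQUEST_COOKIES "@pmFromFile bl_uri" "id:77142167,block,nolog,auditlog,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Block URI containing malicious URLs||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"

# --- Content-Type anomalies (CVE-2023-38199) ---

# 77350248 (pass, phase 1): two media types inside one Content-Type value;
# sets tx.mult_cont_type for rule 77350254.
SecRule REQUEST_HEADERS:Content-Type "@rx (?i)^(?:application|multipart|text)/[\w\-\.\+]{3,32}[^a-z]{1,256}(?:application|multipart|text)/[\w\-\.\+]{3,32}" "id:77350248,phase:1,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: [RBL] Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350248',setvar:'tx.mult_cont_type=1'"

# 77350254 (block): the flag from 77350248 together with a request-body
# parsing error.
SecRule TX:mult_cont_type "@gt 0" "chain,id:77350254,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQBODY_ERROR "@eq 1" "t:none"

# 77350255 (block, phase 1): more than one Content-Type header.
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" "id:77350255,phase:1,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# --- Database injection blacklists ---

# 77350630 (pass, logged): arguments matching bl_db_list_ext.
# NOTE(review): "@rx POST" is unanchored here and in several rules below, so
# any method containing "POST" satisfies the first link.
SecRule REQUEST_METHOD "@rx POST" "id:77350630,chain,phase:2,pass,log,severity:2,t:none,msg:'IM360 WAF: DB injection limit||ARG:%{MATCHED_VAR_NAME}||Injection:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS|!ARGS:exclude_domains "@pmFromFile bl_db_list_ext" "t:none, setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350630"

# 77350576 (block, logged): arguments matching bl_db_list, skipped when
# tx.rbl_whitelist_check is set.
SecRule REQUEST_METHOD "@rx POST" "id:77350576,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: DB injection block||ARG:%{MATCHED_VAR_NAME}||Injection:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule &TX:rbl_whitelist_check "@eq 0" "chain,t:none"
    SecRule ARGS|!ARGS:exclude_domains "@pmFromFile bl_db_list" "t:none"

# --- Request method and request smuggling checks ---

# 77350488 (pass): TRACE/CONNECT from a non-local, non-whitelisted address
# that sends cookies but no Authorization header.
# NOTE(review): the cookie link requires at least one cookie to be present -
# confirm that is the intended condition.
SecRule REQUEST_METHOD "@rx (?:TRACE|CONNECT)" "id:77350488,chain,phase:2,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Request method is not allowed||Method:%{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule &REQUEST_COOKIES "!@eq 0" "chain,t:none"
    SecRule &REQUEST_HEADERS:Authorization "@eq 0" "chain,t:none"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "chain,t:none"
    SecRule TX:remote_addr "!@ipMatchFromFile rbl_whitelist" "t:none"

# 77350450 (block): non-empty Content-Length and Transfer-Encoding headers in
# the same request (CVE-2024-40725 per the message).
SecRule REQUEST_HEADERS:Content-Length "!@rx ^$" "id:77350450,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: [RBL] HTTP Requests Desync Attempt (CVE-2024-40725)||MV1:%{REQUEST_HEADERS.Content-Length}||MV2:%{REQUEST_HEADERS.Transfer-Encoding}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Transfer-Encoding "!@rx ^$" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350450'"

# 77350453 (block): CR, LF or NUL inside a request header name.
SecRule REQUEST_HEADERS_NAMES "@rx [\r\n\x00]" "id:77350453,phase:2,block,nolog,auditLog,severity:2,msg:'IM360 WAF: HTTP Requests Smuggling, injected headers names||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350451 (pass): more than one Content-Length header.
SecRule &REQUEST_HEADERS:Content-Length "@gt 1" "id:77350451,phase:2,pass,nolog,auditLog,severity:5,msg:'IM360 WAF: HTTP Requests Smuggling, multiple Content-Length headers||MV:%{REQUEST_HEADERS.Content-Length}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'noshow',tag:'service_im360'"

# 77350452 (pass): more than one Transfer-Encoding header.
SecRule &REQUEST_HEADERS:Transfer-Encoding "@gt 1" "id:77350452,phase:2,pass,nolog,auditLog,severity:5,msg:'IM360 WAF: HTTP Requests Smuggling, multiple Transfer-Encoding headers||MV:%{REQUEST_HEADERS.Transfer-Encoding}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'noshow',tag:'service_im360'"

# 77350454 (pass): NUL byte in the request line after path normalisation and
# URL decoding.
SecRule REQUEST_LINE "@rx \x00" "id:77350454,phase:2,pass,nolog,auditLog,severity:5,t:none,t:normalisePath,t:urlDecode,msg:'IM360 WAF: Null-byte in request||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'noshow',tag:'service_im360'"

# 77350457 (pass): request path ending in a backup, config or source extension.
# NOTE(review): no t:none or t:lowercase here, so matching depends on the
# default transformations and is case-sensitive unless those lower-case.
SecRule REQUEST_FILENAME "@rx \.(asa|asax|ascx|backup|bak|bat|cdx|cer|cfg|cmd|com|config|conf|cs|csproj|csr|dat|db|dbf|dll|dos|htr|htw|ida|idc|idq|inc|ini|key|licx|lnk|log|mdb|old|pass|pdb|pol|printer|pwd|rdb|resources|resx|sql|swp|sys|vb|vbs|vbproj|vsdisco|webinfo|xsd|xsx)$" "id:77350457,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Bad file extension||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'service_im360'"

# --- Bot and scanner User-Agent checks ---

# 77350469 (block, phase 1): User-Agent claims one of the listed crawlers but
# the client address is not private/loopback, not in crawlers-iplist.data and
# not listed by the good-bots DNS RBL. tx.remote_addr and TX:RBL_IP are set
# outside this file.
SecRule TX:remote_addr "!@rx ^1(?:0|27|69\.254|72\.(?:1[6-9]|2[0-9]|3[0-1])|92\.168)\.|^::1$|(?:^[fF][cCdD])" "id:77350469,chain,phase:1,block,nolog,auditlog,severity:5,msg:'IM360 WAF: Suspicious bot detected||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "@rx (?i:wf\ssearch\/nutch|yandex\.com\/bots|mrsputnik|mail\.ru|heritrix)" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-ualist.data" "chain,t:none"
    SecRule TX:remote_addr "!@ipMatchFromFile crawlers-iplist.data" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "!@rbl good-bots.rbl.imunify.com." "t:none"

# 77914695 (pass): User-Agent contains "Googlebot" but the address is neither
# private, nor in crawlers-google-iplist.data, nor listed by the good-bots RBL.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77914695,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Fake Googlebot detected (IP not in Google ranges)||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "@rx Googlebot" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "!@pm SentiBot Opebot Gwene" "chain,t:none"
    SecRule TX:remote_addr "!@ipMatch 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1" "chain,t:none"
    SecRule TX:remote_addr "!@ipMatchFromFile crawlers-google-iplist.data" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "!@rbl good-bots.rbl.imunify.com." "t:none"

# 77945588 (block, phase 1): in-app browser token followed by a search-bot
# token in the same User-Agent.
SecRule REQUEST_HEADERS:User-Agent "@rx (?:NAVER|inapp|Line\x2f|KakaoTalk).{0,999}(?:Googlebot|Bingbot|YandexBot)" "id:77945588,phase:1,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Contradictory User-Agent (mobile app + bot)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350470 (block, phase 1): User-Agent naming a known scanner. This only
# catches tools that announce themselves.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i:nuclei|vulnerability scanner|l9explore|masscan|mediatoolkitbot|feroxbuster|scaninfo)" "id:77350470,phase:1,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Vulnerability scanner detected||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350475 (pass, phase 1): User-Agent exposing library version tokens.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i:libcurl\/|zlib\/|libssh2\/|nghttp2\/)" "id:77350475,phase:1,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Suspicious User-Agent detected||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350471 (pass, phase 5): header names related to WebDAV and method override.
SecRule REQUEST_HEADERS_NAMES "@rx ^(translate|content-encoding|lock-token|content-range|if|x-http-method-override|x-http-method|x-method-override)$" "id:77350471,phase:5,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Suspicious Request Header Name||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350473 (pass): POST to a .php script with "wp-capabilities" in an argument.
# NOTE(review): the message labels both fields "MV"; the first is the
# variable name.
SecRule REQUEST_METHOD "@rx POST" "id:77350473,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Suspicious input wp-capabilities||MV:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_BASENAME "@contains .php" "chain,t:none"
    SecRule ARGS "@contains wp-capabilities" "t:none"

# 77350474 (pass): Accept header that does not fit the media-range grammar
# encoded in the pattern.
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\x22\(\),\/:-\?\[-\]\{\}]+)\/(?:\*|[^!\x22\(\),\/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\x22?(?:iso-8859-15?|utf-8|windows-1252)\b\x22?|(?:[^\s\x0b-\x22\(\),\/:-\?\[-\]c\{\}]|c(?:[^!\x22\(\),\/:-\?\[-\]h\{\}]|h(?:[^!\x22\(\),\/:-\?\[-\]a\{\}]|a(?:[^!\x22\(\),\/:-\?\[-\]r\{\}]|r(?:[^!\x22\(\),\/:-\?\[-\]s\{\}]|s(?:[^!\x22\(\),\/:-\?\[-\]e\{\}]|e[^!\x22\(\),\/:-\?\[-\]t\{\}]))))))[^!\x22\(\),\/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),\/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\x22\(\),\/:-\?\[-\]\{\}]+)\/(?:\*|[^!\x22\(\),\/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\x22?(?:iso-8859-15?|utf-8|windows-1252)\b\x22?|(?:[^\s\x0b-\x22\(\),\/:-\?\[-\]c\{\}]|c(?:[^!\x22\(\),\/:-\?\[-\]h\{\}]|h(?:[^!\x22\(\),\/:-\?\[-\]a\{\}]|a(?:[^!\x22\(\),\/:-\?\[-\]r\{\}]|r(?:[^!\x22\(\),\/:-\?\[-\]s\{\}]|s(?:[^!\x22\(\),\/:-\?\[-\]e\{\}]|e[^!\x22\(\),\/:-\?\[-\]t\{\}]))))))[^!\x22\(\),\/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),\/:-\?\[-\]\{\}]+);?)*)*$" "id:77350474,phase:2,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Bad Accept Header||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# --- Application-specific detections (audit only unless noted) ---

# 77350503 (pass): Ninja Forms ajax actions whose formData does not start with
# the expected JSON prefix (CVE-2024-37934 per the message).
SecRule ARGS:action "@rx ^(nf_ajax_submit|nf_preview_update)$" "id:77350503,chain,phase:2,pass,nolog,auditlog,capture,severity:5,msg:'IM360 WAF: Ninja Forms Code Injection Attempt (CVE-2024-37934)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'wp_core'"
    SecRule ARGS:formData "!@rx ^{\"id\":\"(\d{1,999}\_\d{1,999}|\w{1,999}\-\d{1,999}|\d{1,999})\",\"fields\":" "t:none"

# 77350661 (pass): libinjection SQLi hit on the "formdata" argument
# (CVE-2023-23991 per the message). The two trailing links always match when
# arguments exist and only collect name=value pairs into tx.all_args.
SecRule ARGS:formdata "@detectSQLi" "id:77350661,phase:2,pass,nolog,auditlog,severity:5,chain,t:none,t:urlDecodeUni,msg:'IM360 WAF: SQL Injection attempt in WordPress Booking Calendar plugin <= 9.4.3 (CVE-2023-23991)||RSV:8.02||T:APACHE||Args:%{tx.all_args}||',tag:'wp_core'"
    SecRule ARGS_NAMES "!@rx ^$" "chain,capture"
    SecRule ARGS "!@rx ^$" "capture,setvar:'tx.all_args=%{tx.all_args}%{MATCHED_VAR_NAME}=%{MATCHED_VAR} '"

# 77350504 (pass): file-type URL scheme in arguments, URI or headers whose
# value also matches the bl_os_files list. The message says "Block" but the
# action is pass.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS "@rx (?i)(?:file|blob|ftps?|nfs|rsync|local_file|cvs|compress\.(?:zlib|bzip2))://" "id:77350504,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,t:urlDecode,msg:'IM360 WAF: Block System File Attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule MATCHED_VAR "@pmFromFile bl_os_files" "t:none,t:normalizePath"

# 77350505 (pass, phase 5): directory-listing markers in the response body.
# NOTE(review): needs response body access to be enabled. "[^<]*?<h" cannot
# cross a closing </title> tag, so the first alternative may never match a
# real index page - confirm against a sample listing.
SecRule RESPONSE_BODY "@rx (?i)(?:<(?:title>Index of[^<]*?<h)1>index of|>\[To Parent Directory\]<\/a><br>)" "id:77350505,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Directory Listing Attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# 77350508 (pass, phase 5): Connection header listing two keep-alive/close
# tokens.
SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" "id:77350508,phase:5,pass,nolog,auditlog,severity:7,t:none,msg:'IM360 WAF: Suspicious Connection Header||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# 77350513 (pass): serialized PHP object prefix in give_title while
# give-form-id is present (CVE-2024-37099 per the message).
# NOTE(review): the message prints TX.1 but the chain has no capture action or
# capture group, so that field is presumably empty.
SecRule ARGS:give_title "@rx ^O:\d+:" "id:77350513,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Unsafe deserialization leading to RCE in WordPress plugin GiveWP < 3.14.2 (CVE-2024-37099)||RSV:8.02||T:APACHE||MV:%{TX.1}||',tag:'wp_core'"
    SecRule &ARGS:give-form-id "@gt 0" "t:none"

# 77350514 (pass): serialized object prefix or "StripeObject" in
# mfn-page-items (CVE-2024-2694 per the message).
SecRule ARGS:mfn-page-items "@rx ^O:\d+:|StripeObject" "id:77350514,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: PHP Object Injection in WordPress theme Betheme (CVE-2024-2694)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"

# 77350656 (pass): same payload pattern in any argument when an argument name
# contains "better-search-replace" (CVE-2023-6933 per the message); collects
# all arguments into tx.all_args.
SecRule ARGS "@rx ^O:\d+:|StripeObject" "id:77350656,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: PHP Object Injection in WordPress plugin Better Search Replace < 1.44 (CVE-2023-6933)||RSV:8.02||T:APACHE||User:%{ARGS.user}||WPU:%{TX.wp_user}||Args:%{tx.all_args}||',tag:'wp_core'"
    SecRule &ARGS:/better-search-replace/ "@gt 0" "t:none,chain"
    SecRule ARGS_NAMES "!@rx ^$" "chain,capture"
    SecRule ARGS "!@rx ^$" "capture,setvar:'tx.all_args=%{tx.all_args}%{MATCHED_VAR_NAME}=%{MATCHED_VAR} '"

# 77350657 (pass): as 77350656 but without the argument collection, so its
# Args field depends on tx.all_args filled by an earlier rule.
SecRule ARGS "@rx ^O:\d+:|StripeObject" "id:77350657,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: PHP Object Injection in WordPress plugin Better Search Replace < 1.44 (CVE-2023-6933)||RSV:8.02||T:APACHE||User:%{ARGS.user}||WPU:%{TX.wp_user}||Args:%{tx.all_args}||',tag:'wp_core'"
    SecRule &ARGS:/better-search-replace/ "@gt 0" "t:none"

# 77350520 (pass, phase 5): hands Betheme requests to trap.lua once per
# transaction (guarded by tx.trapped). What the script does is not visible
# here. The final "&ARGS @ge 0" link is always true and only ends the chain.
# NOTE(review): the first link counts mfn-page-items while the payload link
# inspects mfn-page-item / mfn-builder - confirm the names are intended.
SecRule &ARGS:mfn-page-items "@ge 1" "id:77350520,chain,phase:5,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Capture suspicious payload on Betheme||Payload:%{ARGS.mfn-page-items}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS:mfn-page-item|ARGS:mfn-builder "@rx ^O:\d+:|StripeObject" "chain,t:none,t:urlDecode"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"

# 77350522 (pass, phase 5): script-like markup in wrapper_class / class on
# wp-admin post and ajax endpoints; also routed through trap.lua.
SecRule REQUEST_URI "@pm /wp-admin/post.php /wp-admin/admin-ajax.php" "id:77350522,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Capture suspicious script injects||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS:wrapper_class|ARGS:class "@rx (?i)(<script\b|onerror\b|javascript:|<img\b|<iframe\b|<object\b|<embed\b|<svg\b)" "chain,t:none,t:urlDecode,t:htmlEntityDecode"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"

# 77350527 (pass): GET to admin-ajax.php with the Backuply action and a
# non-empty options argument (CVE-2024-8522 per the message). Operators given
# without "@" default to @rx.
SecRule REQUEST_METHOD "^GET$" "id:77350527,phase:2,chain,severity:5,pass,nolog,auditlog,msg:'IM360 WAF: Authenticated (Admin+) SQL Injection: Backuply - Backup, Restore, Migrate and Clone <= 1.3.4 plugin for WordPress (CVE-2024-8522)||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}',tag:'noshow',tag:'service_im360'"
    SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php$" "chain,t:urlDecode"
    SecRule ARGS:action "@contains backuply_update_serialization" "chain"
    SecRule ARGS:options "." "t:none"

# 77350759 (pass): POST carrying user=admin, function=register and non-empty
# mainwpver and pubkey arguments.
SecRule REQUEST_METHOD "^POST$" "id:77350759,phase:2,chain,severity:5,pass,nolog,auditlog,msg:'IM360 WAF: Admin user registration with key Main WP = 5.3.4 plugin for WordPress||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}',tag:'noshow',tag:'wp_core'"
    SecRule ARGS:user "@streq admin" "chain"
    SecRule ARGS:function "@streq register" "chain"
    SecRule ARGS:mainwpver "@rx ." "chain"
    SecRule ARGS:pubkey "@rx ." "t:none"

# 77350572 (pass): argument value starting with a link to a shortener or
# paste/file host, with free-text fields excluded by name.
SecRule REQUEST_METHOD "@rx POST" "id:77350572,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Link shorteners usage||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@contains /index.php?rp=/domain/check" "chain,t:none,t:normalizePath"
    SecRule ARGS "!@rx ^<!--|^<!DOCTYPE\shtml>" "chain,t:none"
    SecRule ARGS|!ARGS:/redirect_to/|!ARGS:exclude_domains|!ARGS:html|!ARGS:form|!ARGS:/body/|!ARGS:/data/|!ARGS:/desc/|!ARGS:/description/|!ARGS:/text/|!ARGS:exclude_domains|!ARGS:/info/|!ARGS:/comment/|!ARGS:/content/|!ARGS:fulldescr|!ARGS:json|!ARGS:/message/|!ARGS:saved_data|!ARGS:/txt/|!ARGS:utm_id "^(?:wget\s|curl\s)?\x22?https?://(goo\.su/\w{4,10}|rentry\.co/\w{8,20}/raw|raw\.githubusercontent\.com/|file\.io/\w{12}|code\.o2a6\.ru|interact\.sh|media\.cdnstaticjs\.com|c\.krobpra\.com|bit\.ly/\w{6,8}|tinyurl\.com/\w{5,10}|ow\.ly/\w{4,6}|goo\.gl/\w{5,7})" "t:none,capture"

# 77350584 (pass): libinjection SQLi hit on any argument of a POST to
# admin-post.php (CVE-2024-44004 per the message).
# NOTE(review): REQUEST_URI includes the query string, so the "$" anchor only
# holds for requests without one; REQUEST_FILENAME is the sturdier target.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350584,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Possible SQL injection in WordPress Email Subscribers by Icegram Express Plugin <= 5.7.14 (CVE-2024-44004)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_plugin_email_subscribers'"
    SecRule REQUEST_URI "@rx /wp-admin/admin-post\.php$" "chain,t:none,t:lowercase,t:normalizePath"
    SecRule ARGS "@detectSQLi" "t:none"

# 77350758 (pass): a Sec-WebSocket* header is present and a header, the URI or
# an argument starts with a wss:// host; the host is captured into TX.1.
SecRule REQUEST_HEADERS:/^Sec-WebSocket/ "@rx ." "id:77350758,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Web socket interaction||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||User:%{ARGS.user}||MV:%{TX.1}||',tag:'service_im360'"
    SecRule REQUEST_HEADERS|REQUEST_URI|ARGS "@rx ^wss:\/\/([a-z0-9\-]{1,64}\.[a-z0-9\-]{2,10})" "t:none,capture"

# 77350760 (pass): as 77350758 with base64 decoding on the first link.
# NOTE(review): there is no t:none, so t:base64Decode runs after the default
# transformations, and the second link is not decoded - confirm.
SecRule REQUEST_HEADERS:/^Sec-WebSocket/ "@rx ." "id:77350760,phase:2,chain,pass,nolog,auditlog,t:base64Decode,severity:5,msg:'IM360 WAF: Web socket interaction||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||User:%{ARGS.user}||MV:%{TX.1}||',tag:'service_im360'"
    SecRule REQUEST_HEADERS|REQUEST_URI|ARGS "@rx ^wss:\/\/([a-z0-9\-]{1,64}\.[a-z0-9\-]{2,10})" "capture"

# 77350761 (pass): wss:// host or "Sec-WebSocket" in base64-decoded header
# values or URI.
# NOTE(review): the message prints TX.1 but the rule has no capture action.
SecRule REQUEST_HEADERS|REQUEST_URI "@rx (wss:\/\/([a-z0-9\-]{1,64}\.[a-z0-9\-]{2,10})|Sec-WebSocket)" "id:77350761,phase:2,pass,nolog,auditlog,t:base64Decode,severity:5,msg:'IM360 WAF: Web socket interaction||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||User:%{ARGS.user}||MV:%{TX.1}||',tag:'service_im360'"

# 77350660 (pass): GET for a timestamped WP File Manager backup name.
# NOTE(review): the year list stops at 2025 although the header is dated 2026,
# so newer backup names are not covered.
SecRule REQUEST_METHOD "@rx ^GET$" "id:77350660,chain,phase:2,pass,nolog,auditlog,t:none,msg:'IM360 WAF: Detected access to WP File Manager backup file||IP:REMOTE_ADDR=%{tx.remote_addr}||URI:%{REQUEST_URI}',tag:'wp_plugin_file_manager'"
    SecRule REQUEST_URI "@rx backup_20(22|23|24|25)_[0-9]{2}_[0-9]{2}_[0-9]{2}_[0-9]{2}_[0-9]{2}-\d{1,4}" "t:none,t:urlDecode"

# 77350635 (pass): POST to a script under /plugins/clk2/ or /plugins/clk2-1/;
# collects arguments into tx.all_args (joined with "." here, unlike "=" in the
# other collectors).
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350635,phase:2,chain,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Fake plugin interaction||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||User:%{ARGS.user}||Args:%{tx.all_args}||',tag:'wp_core'"
    SecRule REQUEST_URI "@rx /plugins/clk2(-1)?/\w{3,99}\.php" "chain,t:none,t:normalizePath"
    SecRule ARGS_NAMES "!@rx ^$" "chain,capture"
    SecRule ARGS "!@rx ^$" "capture,setvar:'tx.all_args=%{tx.all_args}%{MATCHED_VAR_NAME}.%{MATCHED_VAR}'"

# 77182644 (pass): request path ending in the two GlobalProtect portal paths.
SecRule REQUEST_FILENAME "@rx (?:\/global-protect\/login.esp$|\/sslmgr$)" "id:77182644,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Access to PaloAlto admin pages||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77199558 (pass): stream wrappers or "../" in arguments of a POST to
# admin-ajax.php / post.php (CVE-2025-0366 per the message).
# NOTE(review): same REQUEST_URI "$" anchor caveat as rule 77350584.
SecRule REQUEST_METHOD "@streq POST" "id:77199558,phase:2,chain,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Jupiter X Core arbitrary URI LFI/RCE attempt (CVE-2025-0366)||WPU:%{TX.wp_user}||URI:%{REQUEST_URI}||MV:%{MATCHED_VAR}||',tag:'wp_core',tag:'noshow'"
    SecRule REQUEST_URI "@rx /wp-admin/(admin-ajax|post)\.php$" "chain"
    SecRule ARGS "@rx (php://|file://|expect://|zip://|data://|\.\./|\.\.\\|phar://)" "t:none,t:lowercase,t:urlDecodeUni"

# 77441835 (pass, phase 5): client address listed in danme_top100; routed
# through trap.lua once per transaction.
SecRule TX:remote_addr "@ipMatchFromFile danme_top100" "id:77441835,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Capture suspicious IP activity||RSV:8.02||T:APACHE||WPU:%{TX.wp_user}||',tag:'service_im360',tag:'noshow'"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"

# 77451267 (pass): PHP open tag in an argument of a GET whose "p" argument
# starts with "admin/" (CVE-2025-32432 per the message).
# Fix: the first link lower-cases REQUEST_METHOD, so the literal must be lower
# case as well; "@streq GET" could never match after t:lowercase.
SecRule REQUEST_METHOD "@streq get" "id:77451267,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Craft CMS RCE Exploit Attempt. PHP tags injection (CVE-2025-32432)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',t:none,t:lowercase,chain,tag:'other_apps'"
    SecRule ARGS:p "@beginsWith admin/" "t:none,t:lowercase,chain"
    SecRule ARGS "@rx <\?(?:=|php).+" "t:none"

# 77451266 (pass): "__class" in the body of a POST to the generate-transform
# action (CVE-2024-58136 per the message).
# Fix: lower-case literal for the same reason as rule 77451267.
SecRule REQUEST_METHOD "@streq post" "id:77451266,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Craft CMS RCE Exploit Attempt. Class injection (CVE-2024-58136)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',t:none,t:lowercase,chain,tag:'other_apps'"
    SecRule REQUEST_URI "@rx \/(?:index\.php)?\?p=(?:admin\/)?actions\/assets\/generate-transform" "t:none,t:lowercase,chain"
    SecRule REQUEST_BODY "@contains __class" "t:none,t:urlDecodeUni"

# 77708353 (pass): PHP execution function names in GET/POST arguments sent to
# the widget-options plugin (CVE-2024-8672 per the message).
SecRule REQUEST_URI "@rx /wp-content/plugins/widget-options/.*\.php" "id:77708353,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in Widget Options plugin for WordPress < 4.0.8 (CVE-2024-8672)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule ARGS_POST|ARGS_GET "@rx (?i)(?:eval\s*\(|base64_decode\s*\(|system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|popen\s*\(|proc_open\s*\(|pcntl_exec\s*\(|assert\s*\(|preg_replace\s*\(\s*['\"]\/\.\*\/e)" "t:none"

# 77708354 (pass): stream-wrapper style prefixes in the widget_options
# argument.
SecRule REQUEST_URI "@rx /wp-content/plugins/widget-options/includes/.*\.php" "id:77708354,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in Widget Options plugin for WordPress < 4.0.8 (CVE-2024-8672)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule ARGS_POST:widget_options|ARGS_GET:widget_options "@rx (?i)(?:php\s*:|data\s*:|expect\s*:|input\s*:|file\s*:|phar\s*:|zip\s*:|data\s*:)" "t:none"

# 77708355 (pass): any listed punctuation character in display_logic.
# NOTE(review): several alternatives are repeated; a single character class
# would be equivalent and easier to audit.
SecRule REQUEST_URI "@rx /wp-content/plugins/widget-options/includes/.*\.php" "id:77708355,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: RCE in Widget Options plugin for WordPress < 4.0.8 (CVE-2024-8672)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule ARGS_POST:display_logic|ARGS_GET:display_logic "@rx (?i)(?:;|\||&|\$|\(|\)|\{|\}|\[|\]|`|\\|\/|\*|\+|\-|\%|\^|\~|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\+|\{|\}|\[|\]|\:|\"|\'|\<|\>|\?|\/)" "t:none"

# 77166412 (pass): libinjection XSS hit while saving Form Maker theme settings
# (CVE-2024-10680 per the message).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" "id:77166412,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: WordPress Form Maker by 10Web plugin - Stored XSS in Theme Settings (CVE-2024-10680)||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS:page "@streq themes_fm" "chain,t:none,t:lowercase"
    SecRule ARGS:task "@rx ^(?:save|apply|save_theme|apply_theme|save_db)$" "chain,t:none,t:lowercase"
    SecRule ARGS|XML:/* "@detectXSS" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase"

# 77166413 (pass): "order" argument that is not asc/desc and contains SQL
# metacharacters or keywords (CVE-2024-8275 per the message).
SecRule ARGS:order "!@rx ^\s*(?:asc|desc)\s*$" "id:77166413,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: The Events Calendar - Potential SQL Injection in order parameter (CVE-2024-8275)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule MATCHED_VAR "@rx [\(\),']|select\s|union\s|sleep\s*\(|benchmark\s*\(" "t:none,t:urlDecodeUni,t:lowercase"

# 77391380 (pass): libinjection SQLi hit in headers, arguments or XML for
# non-GET requests to .php scripts.
SecRule REQUEST_METHOD "!@streq GET" "id:77391380,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Possible SQLi in arguments||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith .php" "t:none,chain"
    SecRule REQUEST_HEADERS|ARGS|XML:/* "@detectSQLi" "capture,t:none,t:urlDecodeUni,t:lowercase"

# 77350422 (block): login name or WordPress cookie value containing
# "wp-configuser".
SecRule REQUEST_FILENAME "@endsWith .php" "id:77350422,chain,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: Malicious WordPress user detected for OxyExtras WordPress Plugin||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule ARGS:log|TX:wp_cookie "@contains wp-configuser" "t:none"

# 77350416 (pass): URI or argument ending in a link to a .txt or /raw
# resource, well-known .txt files excluded.
# NOTE(review): "[?:a-zA-Z0-9-]" puts "?" and ":" inside the character class;
# this looks like a misplaced non-capturing group - confirm.
SecRule REQUEST_URI "!@rx \/(robots|ads|humans|security|sitemap|license)\.txt$" "id:77350416,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:htmlEntityDecode,msg:'IM360 WAF: [RBL] Link to txt files in request||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||TX:%{TX.0}',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI|ARGS|!ARGS:/redirect_to/|!ARGS:/body/|!ARGS:/content/|!ARGS:/comment/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text "@rx (?:https?:\/\/)(?:(?:(?:[?:a-zA-Z0-9-]{1,299}\.){0,3}[a-zA-Z]{2,199}|(?:\d{1,3}\.){3}\d{1,3})(?:\:\d{1,5})?)(?:\/\S{0,99})?(?:\/raw(?:\/[a-zA-Z0-9]{1,99}){0,1}|\.txt)$" "t:none"

# 77350417 (pass): an argument whose name starts with "-d".
SecRule &ARGS:/^-d/ "@gt 0" "id:77350417,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Attempt to modify PHP functions via URL parameters||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow',setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350417'"

# 77316758 (pass): request path listed in bl_web_files.
SecRule REQUEST_FILENAME "@pmFromFile bl_web_files" "id:77316758,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Private file access||QS:%{QUERY_STRING}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# --- Method classification (logging phase) ---

# 77350289 (pass, phase 5): method outside the known list, from a non-local,
# non-whitelisted address.
# Fix: the empty-method guard used "!@streq ^$", which compares against the
# literal two-character string and was therefore always true; "!@rx ^$" is the
# form used elsewhere in this file. Empty methods are reported by 77350479.
SecRule REQUEST_METHOD "!@rx ^(GET|POST|OPTIONS|HEAD|CONNECT|PUT|DELETE|PATCH|COPY|LOCK|UNLOCK|MOVE|TRACE|PROPFIND|PROPPATCH|MKCOL|MKCALENDAR|LOCK|UNLOCK|COPY|MOVE|MERGE|SEARCH|REPORT|PURGE|PURGEALL|URLPURGE|BAN|CACHE|CCM_POST|SSTP_DUPLEX_POST|RPC_OUT_DATA|RPC_IN_DATA|TEXT|JSON|AJAX|FLURP|OPENVASVT|OPENVAS|SECUPRESS_TEST_\\d{10}|NESSUS|TRACK|DEBUG|ACL|VIEW|REQUESTS|BDMTHD|BADMTHD)$" "id:77350289,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Request method is unknown||Method: %{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_METHOD "!@rx ^$" "t:none,chain"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none,chain"
    SecRule TX:remote_addr "!@ipMatchFromFile rbl_whitelist" "t:none"

# 77350476 (pass, phase 5): state-changing or WebDAV method with cookies but
# no Authorization header.
# NOTE(review): the cookie link requires cookies to be present, which reads
# oddly next to the "no proper authorization" message - confirm the condition.
SecRule REQUEST_METHOD "@rx ^(PUT|DELETE|PATCH|COPY|LOCK|UNLOCK|MOVE|TRACE)$" "id:77350476,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Request method is not safe and no propper authorization||Method: %{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule &REQUEST_COOKIES "!@eq 0" "chain,t:none"
    SecRule &REQUEST_HEADERS:Authorization "@eq 0" "chain,t:none"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none,chain"
    SecRule TX:remote_addr "!@ipMatchFromFile rbl_whitelist" "t:none"

# 77350477 (pass, phase 5): non-standard or scanner test method from a
# non-local address.
SecRule REQUEST_METHOD "@rx ^(CCM_POST|SSTP_DUPLEX_POST|RPC_OUT_DATA|RPC_IN_DATA|TEXT|JSON|AJAX|FLURP|OPENVASVT|OPENVAS|SECUPRESS_TEST_\\d{10}|NESSUS|TRACK|DEBUG|ACL|BDMTHD|BADMTHD)$" "id:77350477,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Request method is not a standard method or for testing||Method: %{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"

# 77350479 (pass, phase 5): empty method from a non-local address.
SecRule REQUEST_METHOD "@rx ^$" "id:77350479,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Request method is empty||Method: %{REQUEST_METHOD}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"

# --- Upload tracking ---

# 77350275 (pass): uploaded file name with a script-like extension followed by
# another extension. The ctl actions drop audit-log parts C and E for the
# transaction.
SecRule FILES "@rx (?i)^[^\n]+?(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W?\.\w+$" "id:77350275,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,ctl:auditLogParts=-C,ctl:auditLogParts=-E,msg:'IM360 WAF: Track suspicious file upload||MV:%{TX.0}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"

# 77350288 (pass): uploaded file name containing a script-like extension.
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)(?:\W|$)" "id:77350288,phase:2,pass,nolog,auditlog,severity:5,t:none,ctl:auditLogParts=-C,ctl:auditLogParts=-E,msg:'IM360 WAF: File Extension track on upload||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360',tag:'noshow'"

# --- Redirect tracking (logging phase) ---

# 77350378 (pass): 3xx response whose Location does not contain the server
# name. The sha1/hex test on server name plus time passes only for digests
# ending in ff7..ffd, so this appears to sample a small share of redirects.
SecRule RESPONSE_STATUS "@rx ^3\d" "id:77350378,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Redirect tracking||Location:%{MATCHED_VAR}||Host:%{SERVER_NAME}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',setvar:tx.unique=%{SERVER_NAME}%{TIME},tag:'service_im360',tag:'noshow'"
    SecRule TX:unique "@rx ff[7-9a-d]$" "chain,t:none,capture,t:sha1,t:hexEncode,t:lowercase"
    SecRule RESPONSE_HEADERS:Location "!@contains %{SERVER_NAME}" "t:none"

# 77350381 (pass): any 3xx response with a non-empty Location, with a
# narrower digest test (fff7..fffd).
SecRule RESPONSE_STATUS "@rx ^3\d" "id:77350381,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Redirect tracking||Location:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',setvar:tx.unique=%{SERVER_NAME}%{TIME},tag:'service_im360',tag:'noshow'"
    SecRule TX:unique "@rx fff[7-9a-d]$" "chain,t:none,capture,t:sha1,t:hexEncode,t:lowercase"
    SecRule RESPONSE_HEADERS:Location "!@rx ^$" "t:none"

# --- PHP code and object payloads ---

# 77350339 (pass): PHP function call in a base64-decoded argument on REST-like
# routes, with a list of excluded routes.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350339,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Suspicious input via wp-json||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI|ARGS:rest_route "!@rx ^(?:/|/shop/|/arielestulin/|/blog/|/mbs/|/jdwp/|/wp/|/wordpress/|/no/|/is/|/wp-ig/|/famblystuff/|/row/|/pt/|/v1/|/euro/|/lando_/|/store/|/usa/|)$|/wp/v2/media|/autosaves|paddle/check|nxtal/productimporter|nxtal/productimporter|wc-stripe|ws-form|/wcgs/|/stripe-|/stripepayment|/fastpixel-website-accelerator/|/zip_ai/|/wpgmzA" "chain,t:none"
    SecRule REQUEST_URI|ARGS:rest_route "@rx json/|/v\d/" "chain,t:none"
    SecRule ARGS "@rx (exec|passthru|proc_open|eval|shell_exec|fwrite|system|ob_start|assert|file_(?:put|get)_contents|thrownewexception|curl_exec)\(" "t:none,t:base64Decode"

# 77350361 (block): argument or cookie matching the bl_chains list that also
# contains a NUL, LF or CR within the captured window.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350361,chain,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Suspicious PHP objects in reguest||MVN:%{tx.mvn}||MV:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@rx \.ph[p\d]{1,2}$|json/" "chain,t:none"
    SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_chains" "chain,t:none,t:removeNulls,t:urlDecode,setvar:tx.mvn=%{MATCHED_VAR_NAME}"
    SecRule MATCHED_VAR "@rx (.{0,100}[\00\x00\x0a\x0d].{0,300})" "t:none,t:urlDecode"

# 77350336 (pass): serialized PHP object next to a control character in an
# argument or cookie.
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350336,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Tracking PHP object||MVN:%{tx.mvn}||WPU:%{TX.wp_user}||MV:%{tx.mv}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI "@rx \.ph[p\d]{1,2}$|json/" "chain,t:none"
    SecRule ARGS|REQUEST_COOKIES "@rx (.{0,100}[\00\x00\x0a\x0d].{0,300})" "chain,t:none,t:urlDecode,setvar:tx.mv=%{TX.1},setvar:tx.mvn=%{MATCHED_VAR_NAME}"
    SecRule MATCHED_VAR "@rx O:\d+:\x22[^\x22]+\x22:\d+:\{[is]:[^:]+:\x22[^\x22]+\x22" "t:none,t:urlDecode"

# 77350360 (pass): serialized PHP object in an argument or cookie, except
# values containing "GoogleAnalyticsVisit".
SecRule REQUEST_METHOD "@rx (?i)post" "id:77350360,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Tracking PHP object||MVN:%{tx.mvn}||WPU:%{TX.wp_user}||MV:%{tx.mv}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI "@rx \.ph[p\d]{1,2}$|json/" "chain,t:none"
    SecRule ARGS|REQUEST_COOKIES "@rx O:\d+:\x22[^\x22]+\x22:\d+:\{[is]:[^:]+:\x22[^\x22]+\x22" "chain,t:none,t:urlDecode,setvar:tx.mv=%{MATCHED_VAR},setvar:tx.mvn=%{MATCHED_VAR_NAME}"
    SecRule MATCHED_VAR "!@pm GoogleAnalyticsVisit" "t:none"

# 77350380 (pass): script tag carrying data-cfasync="false" in arguments or
# the raw body of a POST/PUT.
SecRule REQUEST_METHOD "POST|PUT" "chain,id:77350380,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Track script injection (17830)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'noshow'"
    SecRule ARGS|REQUEST_BODY "@rx <script[^>]*type=['\"]text/javascript['\"][^>]*data-cfasync=['\"]false['\"][^>]*>.{0,999}<\/script>" "t:none"

# --- trap.lua driven checks ---

# 77350394 (pass): .php files in nested single-character gravity_forms upload
# or cache directories; the outcome depends on trap.lua.
SecRule REQUEST_URI "@rx \/wp-content\/uploads\/gravity_forms\/(\w\/){4}\w+\.php|\/cache\/(\w\/){4}\w+\.php" "id:77350394,phase:2,pass,nolog,auditLog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Check files in gravity_forms',chain,tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77350394'"

# 77350412 (pass): system paths or interpreter names in the "id" argument.
# NOTE(review): the message mentions base64 but no base64 transformation is
# applied here; any decoding is presumably done in trap.lua - confirm.
SecRule ARGS:id "@rx (/bin/|/etc/|/usr/|/var/|/opt/|/tmp/|/sbin/|wget|curl|python|perl|php|netcat|bash|ksh|csh|tcsh|zsh|exec|cmd|\$IFS|exec|shell_exec|proc_open|php|\?\>)" "id:77350412,chain,nolog,auditlog,phase:2,pass,severity:5,msg:'IM360 WAF: Non-integer base64 id with payload||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule ARGS:id "@rx ." "t:none"

# 77350414 (pass): POST with an "up" argument and an upload field name
# matching .php/.js; operators default to unanchored @rx.
SecRule REQUEST_METHOD "POST" "id:77350414,chain,phase:2,pass,nolog,auditLog,severity:5,msg:'IM360 WAF: Known malicious action||SC:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS:up "up" "t:none,chain"
    SecRuleScript trap.lua "t:none,chain"
    SecRule FILES_NAMES "\.php\d?|\.js" "t:none"

# 77350391 (pass): plugin path made of a four-character directory and a
# four-character .php file name.
SecRule REQUEST_URI "@rx \/plugins\/\w{4}(?:\.php)?\/\w{4}\.php" "id:77350391,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Interaction with fake plugin||MV:%{MATCHED_VAR}||WPU:%{TX.wp_user}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77350444 (block): xmlrpc.php request whose Referer is one of two fixed
# values or empty.
# Fix: dots in the host names are escaped so they match a literal "." only.
SecRule REQUEST_URI "@contains xmlrpc.php" "id:77350444,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Block request to XMLRPC with suspicious referer||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Referer "@rx ^(www\.google\.com|https?://facebook\.com)$|^$" "t:none"

# 77350947 (pass, phase 5): HTTP client library token followed by a browser
# token in the User-Agent.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:python-requests|python-urllib|curl|wget).{1,256}(?:firefox|chrome|opera|safari)" "id:77350947,pass,nolog,auditlog,severity:5,phase:5,t:none,msg:'IM360 WAF: Suspicious scrapping User-Agent||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"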
000_i360_init.conf
001_i360_pass.conf
002_i360_basic.conf
003_i360_wp_logic.conf
004_i360_vectors.conf
005_i360_bruteforce.conf
006_i360_malware.conf
007_i360_custom.conf
008_i360_wordpress.conf
009_i360_joomla.conf
010_i360_drupal.conf
011_i360_otherapps.conf
012_i360_spam.conf
013_i360_generic.conf
014_i360_infectors.conf
015_i360_filescan.conf
016_i360_monitor.conf
017_i360_weak_pass.conf
018_Disable_WP_Redirect.conf
IM360-LICENSE.txt
RELEASE
VERSION
bl_agents
bl_chains
bl_db_list
bl_db_list_ext
bl_ips
bl_os_files
bl_path_files
bl_scanners
bl_uri
bl_web_files
bl_wpboost_uri
bl_xss_input
changelog.json
changelog.txt
cloudav_list
crawlers-google-iplist.data
crawlers-iplist.data
crawlers-ualist.data
danme_top100
detectlua.lua
inspectfile.lua
ip-record.db
java_data
malware_found.list
malware_found_b64.list
malware_standalone.list
malware_standalone_b64.list
path_traversal
php_data
rbl_whitelist
rce_uri
risky-actions.list
trap.lua
trap_cookie.lua
userdata_dirb_URLs.data