/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset

# Layout: one SecRule per line; a rule whose action list contains "chain" is
# followed by its indented chained rules. Rules with "pass" only record a
# match; rules with "block" apply the configured disruptive default.
# Reviewer remarks are marked NOTE(review).

# 77140165: blocks requests whose file name ends in ".suspected" (checked
# after URL decoding and path normalisation).
SecRule REQUEST_FILENAME "@endsWith .suspected" "id:77140165,phase:2,block,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: Block .suspected files||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"

# 77350155: a Content-Length of 7+ digits starting with 5-9, or of 8+ digits,
# jumps to the marker big_request_body.
# NOTE(review): rules between this line and that marker are not evaluated for
# such requests; the marker is outside this view, so confirm what still
# inspects large bodies.
SecRule REQUEST_HEADERS:Content-Length "@rx ^([56789]\d{6,999}|\d{8,999})$" "id:77350155,pass,severity:5,phase:2,skipAfter:big_request_body,t:none,msg:'IM360 WAF: Huge request size||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360',tag:'noshow'"

# 77140166: records (audit log only) traversal sequences in arguments, the URI
# and Cookie headers; the chained rule sets tx.bl_file_flag=1 unless TX:2
# equals "fonts/".
# NOTE(review): counting parentheses, group 2 is the inner traversal prefix
# and the path segment ([^\/]+\/) is group 3 - confirm the fonts/ exemption
# tests the intended capture.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@rx (\.\\\\\.\/|(\.\\\\\.\/|[\\\/]\.\.[\\\/]\.\.[\\\/]\.\.[\\\/])([^\/]+\/))" "chain,id:77140166,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,t:urlDecodeUni,msg:'IM360 WAF: Track directory traversal attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule TX:2 "!@streq fonts/" "t:none,setvar:'tx.bl_file_flag=1'"

# 77350312: once tx.bl_file_flag is set, blocks when the listed targets
# contain a phrase from the bl_os_files list (list file not shown here).
SecRule TX:bl_file_flag "@gt 0" "id:77350312,chain,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Block system file path in request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS|!ARGS:/^buddyboss_theme_options\[boss_custom_css\]$/|!REQUEST_HEADERS:User-Agent|!ARGS:html|!ARGS:/^https?:/|!ARGS:jform[source]|!ARGS:scope|REQUEST_URI|REQUEST_HEADERS:/Cookie/|!ARGS:/\.jpg$/|!ARGS:/\.pdf$/ "@pmFromFile bl_os_files" "t:none,t:urlDecodeUni,t:normalizePath"

# 77350515: records URL-scheme wrappers (file://, ftp://, ...) or traversal
# sequences whose matched value also contains a phrase from bl_path_files.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@rx (?i)(?:file|blob|ftps?|nfs|rsync|local_file|cvs|compress\.(?:zlib|bzip2)):\/\/|(\.\\\\\.\/|[\\\/]\.\.[\\\/]\.\.[\\\/]\.\.[\\\/])([^\/]+\/)" "chain,id:77350515,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,t:urlDecode,msg:'IM360 WAF: Track OS file access attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule MATCHED_VAR "@pmFromFile bl_path_files" "t:none,t:normalizePath"

# 77350575: blocks the same patterns when the matched value also fits the
# "/.env" pattern and Content-Type does not contain application/json; values
# starting with "# BEGIN WordPress" or a bannedURLs key are exempt.
# NOTE(review): the chain starts from a negated test on Content-Type;
# ModSecurity evaluates an operator only for targets that exist, so confirm
# how requests without that header are meant to be handled.
SecRule REQUEST_HEADERS:Content-Type "!@contains application/json" "chain,id:77350575,phase:2,block,nolog,auditlog,severity:2,t:none,capture,msg:'IM360 WAF: Block OS file access attempt||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@rx (?i)(?:file|blob|ftps?|nfs|rsync|local_file|cvs|compress\.(?:zlib|bzip2)):\/\/|(\.\\\\\.\/|[\\\/]\.\.[\\\/]\.\.[\\\/]\.\.[\\\/])([^\/]+\/)" "chain,t:none,t:urlDecode,capture"
    SecRule MATCHED_VAR "@rx [^\w]\/\.env\b[^.]" "chain,t:none,t:normalizePath"
    SecRule MATCHED_VAR "!@rx (?i)(^# BEGIN WordPress|^{\x22{0,2}bannedURLs\x22{0,2}\:})" "t:none"

# 77350516: records POST requests whose arguments, URI or headers contain a
# phrase from the java_data list.
SecRule REQUEST_METHOD "@rx POST" "chain,id:77350516,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,t:urlDecode,msg:'IM360 WAF: Track Java input||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS|REQUEST_URI|REQUEST_HEADERS "@pmFromFile java_data" "t:none,t:normalizePath"

# 77210801: blocks when the User-Agent hits the bl_scanners list and does not
# contain "wordpress/", unless the path contains /upgrade.php or /sitemaps.
SecRule REQUEST_FILENAME "!@pm /upgrade.php /sitemaps" "id:77210801,chain,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:lowercase,t:normalizePath,severity:2,tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_scanners" "chain,t:none,t:lowercase"
    SecRule REQUEST_HEADERS:User-Agent "!@rx (?i)wordpress\/" "t:none"

# 77350396: records User-Agents containing "headless" (case-insensitive) when
# TX:rbl_whitelist_check is not set, with the same path exceptions as above.
SecRule REQUEST_FILENAME "!@pm /upgrade.php /sitemaps" "id:77350396,chain,msg:'IM360 WAF: Request indicates a Headless browser||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,t:lowercase,t:normalizePath,severity:5,tag:'service_im360'"
    SecRule &TX:rbl_whitelist_check "@eq 0" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "@rx (?i)headless" "t:none"

# 77210810: records scanner fingerprints in header names or values.
# NOTE(review): the chained regex has no (?i) but runs after t:lowercase, so
# its upper-case alternative "X-Scanner" cannot match the lower-cased input.
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pm acunetix -agreement vulnerability scanner myvar=1234 x-ratproxy-loop bytes=0-,5-0 X-Scanner" "id:77210810,chain,phase:2,pass,t:none,severity:2,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule MATCHED_VAR "@rx (?:\(?acunetix(?:-(?:scanning|product|user)(?:-agreement)?)?(?: web vulnerability scanner)?)|(?:myvar=1234)|(?:x-ratproxy-loop)|(?:bytes=0-,5-0,5-1,5-2,5-3)|(?:X-Scanner)" "t:none,t:lowercase"

# 77210820: blocks file names containing nessustest or appscan_fingerprint.
SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" "id:77210820,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'service_im360'"

# 77210831: records User-Agents that hit the bl_agents list and the crawler
# regex below.
# NOTE(review): in the alternative "$botname\/$botvers" the "$" is an
# unescaped end-of-subject anchor, so that branch presumably cannot match
# literal text - confirm.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_agents" "id:77210831,chain,msg:'IM360 WAF: Rogue web site crawler||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,severity:5,tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "(?i:(?:^(?:microsoft url|user-Agent|www\.weblogs\.com|(?:jakarta|\bvia(?:\s|crawler|http|bot)\b)|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,999}){0,1}\s{0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\\r|a(?: href=|d(?:sarobot|vanced email extractor)|gdm79@mail\.ru|miga-aweb\/3\.4|t(?:hens|tache|(?:omic_email_hunt|spid)er)|utoemailspider)|b(?:ackdoor|lack hole|utch__2\.1\.1|wh3_user_agent)|c(?:h(?:e(?:esebot|rrypicker)|ina(?: local browse 2\.|claw))|o(?:mpatible(?: ;(?: msie|\.)|-)|n(?:cealed defense|t(?:actbot\/|entsmartz)|veracrawler)|py(?:guard|rightcheck)|re-project\/1\.0)|rescent internet toolpak)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|e(?:ducate search vxb|mail(?:siphon|wolf|(?: extracto|reape)r|(siphon|spider)|(?:collec|harves|magne)t)|o browse|xtractorpro|(?:collecto|irgrabbe)r)|f(?:a(?:xobot|(?:ntombrows|stlwspid)er)|loodgate|oobar\/|ull web bot|(?:iddle|ranklin locato)r)|g(?:ameBoy, powered by nintendo|ecko\/25|rub(?: crawler|-client))|h(?:anzoweb|hjhj@yahoo|l_ftien_spider)|i(?:n(?:dy library|ternet(?: (?:exploiter sux|ninja)|-exprorer))|sc systems irc search 2\.1)|kenjin spider|larbin@unspecified|m(?:ailto:craftbot@yahoo\.com|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|o(?:r(?:feus fucking scanner|zilla)|siac 1.|zilla\/3\.mozilla\/2\.01$)|urzillo compatible)|n(?:ameofagent|e(?:ssus|(?:uralbot\/0\.|wt activeX; win3)2)|ikto|o(?: browser|kia-waptoolkit.{0,250} googlebot.{0,250}googlebot))|p(?:a(?:ckrat|nscient\.com)|cbrowser|e 1\.4|leasecrawl\/1\.|mafind|oe-component-client|ro(?:duction bot|gram shareware 1\.0\.|webwalker)|s(?:urf|ycheclone))|rsync|s(?:\.t\.a\.l\.k\.e\.r\.|afexplorer tl|e(?:archbot admin@google\.com|curity scan)|hai|itesnagger|(?:tress tes|urveybo)t)|t(?:ele(?:port pro|soft)|oata dragostea mea pentru diavola|uring machine|(?: {0,1}h {0,1}a {0,1}t {0,1}' {0,1}s g {0,1}o {0,1}t {0,1}t {0,1}a {0,1} h {0,1}u {0,1}r {0,1}|akeou|his is an exploi)t)|u(?:nder the rainbow 2\.|ser-agent:)|v(?:adixbot|oideye)|w(?:3mir|e(?:b(?: (?:by mail|downloader)|emailextract{0,1}|mole|vulnscan|(?:bandi|(?:altb|ro)o)t)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut){0,1}bot)|ordpress(?: hash grabber|\/4\.01))|zeus(?: .{0,250}webster pro){0,1}|[a-z]surf[0-9][0-9]|(?:$botname\/$botvers|(script|sql) inject)ion|(compatible ; msie|msie .{1,250}; .{0,250}windows xp)|(?:8484 boston projec|xmlrpc exploi)t|(sogou develop spider|sohu agent)|(?:demo bot|(?:d|e)browse)|(libwen-us|myie2|murzillo compatible|webaltbot|wisenutbot)))" "capture"

# 77211010: records (audit log only) known scanner probe paths in arguments
# or the file name.
SecRule ARGS|REQUEST_FILENAME "@pm /.adSensepostnottherenonobook /<invalid>hello.html /actSensepostnottherenonotive /acunetix-wvs-test-for-some-inexistent-file /antidisestablishmentarianism /appscan_fingerprint/mac_address /arachni- /cybercop /nessus_is_probing_you_ /nessustest /netsparker- /rfiinc.txt /thereisnowaythat-you-canbethere /w3af/remotefileinclude.html appscan_fingerprint w00tw00t.at.ISC.SANS.DFind w00tw00t.at.blackhats.romanian.anti-sec" "id:77211010,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'service_im360'"

# 77210720: records a REQUEST_PROTOCOL that contains no HTTP/<digits> token.
# NOTE(review): the pattern is not anchored, so any value that merely
# contains such a token is accepted.
SecRule REQUEST_PROTOCOL "!@rx HTTP\/\d+(?:\.\d+)?" "id:77210720,msg:'IM360 WAF: HTTP protocol version is not allowed by policy||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,severity:2,tag:'service_im360'"

# 77218400: blocks uploads when FILES_NAMES ends in .tpl or a PHP-style
# extension (.php, .phtml, .phar, ...).
# NOTE(review): per the ModSecurity reference, FILES_NAMES lists the upload
# form-field names while FILES holds the original file names - confirm which
# collection is intended here.
SecRule FILES_NAMES "@rx \.(?:tpl|p(h(l|p(r|s|t)?|\d|p\d|tml?|ar)))$" "id:77218400,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Stop upload of PHP files||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"

# 77211070: phase 1 record of a comma inside a Content-Length or
# Transfer-Encoding request header.
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "id:77211070,msg:'IM360 WAF: HTTP Request Smuggling Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:1,capture,pass,t:none,severity:2,tag:'service_im360'"

# 77218420: records php:// stream wrappers (stdin, input, filter, ...) in
# cookies, argument names/values and XML.
SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@pm php://" "id:77218420,chain,msg:'IM360 WAF: PHP Injection Attack: I/O Stream Found||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,t:lowercase,severity:2,tag:'service_im360'"
    SecRule MATCHED_VAR "@rx php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "t:none"

# 77350619: for POST requests, records an argument that carries an inline
# image marker within its first 99 characters; the starter also carries
# skipAfter:END_GENERIC_CONF.
# NOTE(review): the chained regex is case-sensitive but runs after
# t:lowercase, so the mixed-case prefixes "iVBORw0KGgo" and
# "4AAQSkZJRgABAQEASABIAAD" cannot match; only the data:image/...;base64
# branch can. The msg text misspells "Argument"; it is left unchanged because
# log consumers may key on it.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77350619,phase:2,chain,pass,nolog,auditlog,severity:5,t:none,skipAfter:END_GENERIC_CONF,msg:'IM360 WAF: Argumnet with base64-encoded image||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS "@rx ^.{0,99}((iVBORw0KGgo|4AAQSkZJRgABAQEASABIAAD|data:image/\w{3,15};base64).{0,64})" "t:none,t:lowercase"

# 77350507: phase 5 (logging) record of XSS-like keywords in arguments,
# skipping values that look like base64 image data.
SecRule ARGS "@pm xlink:href xhtml xmlns data:text/html formaction pattern= !entity @import ;base64" "id:77350507,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Suspicious XSS Like Input||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule MATCHED_VAR "!@rx /?(canvas fp:|(/[\w-]+/){0,10})?((data:)?image/)\w{3,4};base64" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|REQUEST_HEADERS:User-Agent|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.{0,99}?=)|!entity[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:system|PUBLIC)|@import|;base64)\b" "t:none"

# 77391379: records @detectXSS hits in headers, arguments and XML, except for
# the listed endpoints.
# NOTE(review): the exemption regex runs after t:lowercase without (?i), so
# its "Exchange" alternative cannot match the lower-cased file name.
SecRule REQUEST_FILENAME "!@rx (?:xmlrpc|autodiscover|dbtunneling|admin-ajax|Exchange|specific_prices)" "id:77391379,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: Possible XSS in arguments||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS|ARGS|XML:/* "@detectXSS" "t:none,t:urlDecodeUni,t:lowercase"

# 77140164: records a PHP function name followed by "(" and "$", outside the
# listed webhook URIs and client User-Agents, and increments TX.php_inject.
# NOTE(review): setvar sits on the chain starter; the ModSecurity reference
# says non-disruptive actions run when the rule holding them matches, not
# when the whole chain matches - confirm the counter is meant to rise there.
SecRule ARGS "!@rx ^/?(canvas fp:|(/[\w\-]+/){0,10})?((data:)?image/)\w{3,4};base64" "id:77140164,chain,pass,nolog,auditlog,phase:2,severity:7,t:none,t:urlDecodeUni,setvar:TX.php_inject=+1,msg:'IM360 WAF: PHP Injection Low value||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"
    SecRule REQUEST_URI "!@pm /wc-api/KCO_WC_Validation/ /api/webhooks/update/product /mollie/checkout/webhook/ /admin-ajax" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:/__utm/ "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|oundex|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|aster_da(?:te|ys)|r(?:ror_log|egi?)|mpty|cho)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|ange|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual)(?:\s|\/\/\*[^*]{0,100}\*\/|\/\/|#){0,5}\(\s{0,10}\$" "t:none"

# 77350541: phase 5 record of @detectSQLi hits outside the listed
# webhook/graphql URIs and client User-Agents.
SecRule REQUEST_URI "!@pm /wc-api/KCO_WC_Validation/ /api/webhooks/update/product /mollie/checkout/webhook/ /graphql" "id:77350541,phase:5,pass,nolog,auditlog,severity:5,t:none,chain,t:none,t:normalizePath,msg:'IM360 WAF: Possible SQL injection attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "chain,t:none"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:/session/|!ARGS:/SESSION/|!ARGS:Post|!ARGS:pwd|!ARGS:desc|!ARGS:text|!ARGS:/stateParameters/|!ARGS:/ast-page/|!ARGS:uri|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@detectSQLi" "t:none,t:urlDecode,t:utf8toUnicode"

# 77317989: records POST arguments or cookies that contain a phrase from the
# bl_xss_input list.
SecRule REQUEST_METHOD "@rx POST" "chain,id:77317989,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,msg:'IM360 WAF: Suspicious XSS input||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||tx1:%{TX.1}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_xss_input" "t:none,t:lowercase"

# 77211040: records server-side-include directives (<!--#exec, #include, ...).
# The setvar on the starter runs under the same chain-starter rule noted at
# 77140164.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd echo exec include printenv" "id:77211040,chain,msg:'IM360 WAF: SSI injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}||',t:none,severity:2,tag:'service_im360'"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <\!--[^a-zA-Z0-9_]{0,999}?#[^a-zA-Z0-9_]{0,999}?(?:cmd|e(?:cho|xec)|include|printenv)" "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# 77211110: records well-known include-path parameter names assigned an
# http(s)/ftp(s) URL in the query string or body.
SecRule QUERY_STRING|REQUEST_BODY "@pm =http =ftp" "id:77211110,chain,msg:'IM360 WAF: Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,severity:2,tag:'service_im360'"
    SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" "t:none,t:urlDecode"

# 77211120: records arguments that consist of an http(s)/ftp(s) URL ending in
# one or more "?", except for the listed PayPal module path.
SecRule REQUEST_FILENAME "!@endsWith /modules/paypal/express_checkout/payment.php" "id:77211120,pass,chain,msg:'IM360 WAF: Remote File Inclusion Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,t:none,t:lowercase,t:normalizePath,severity:5,tag:'service_im360',tag:'noshow'"
    SecRule ARGS|!REQUEST_FILENAME|!ARGS:jform[params][yt_link] "@rx ^(?i)(?:ft|htt)ps?([^\?]*)\?+$" "t:none,t:lowercase,t:htmlEntityDecode"

# 77211160: records cookie-setting script or http-equiv set-cookie markup in
# the listed targets.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm expires domain set-cookie" "id:77211160,chain,msg:'IM360 WAF: Session Fixation Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,t:lowercase,severity:5,tag:'service_im360',tag:'noshow'"
    SecRule MATCHED_VAR "@rx (?i)(?:\.cookie\b.{0,999}?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "capture,t:none,t:urlDecodeUni"

# 77211170: records session-id style parameter names when the Referer header
# does not contain the server name.
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session-id cfid cftoken cfsid jservsession jwsession" "id:77211170,chain,msg:'IM360 WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,t:lowercase,severity:5,tag:'service_im360'"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# 77211190: records references to server files (.htpasswd, boot.ini,
# httpd.conf, /etc/) outside the listed admin and API URIs.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /manager/ supportkb.php /etc/designs/ updraftplus /staff/addonmodules.php /cpsess /ispmgr /whm /mdb-api/ /connectors/index.php /wp-json/ /wp-load.php" "id:77211190,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Remote File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Referer "!@contains action=elementor" "chain,t:none"
    SecRule ARGS "!@rx (^\x22?#|^\x22?\<\!DOCTYPE\shtml)" "chain,t:none"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/data/|!ARGS:/description/|!ARGS:/install.values..\w+..fileDenyPattern./|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:force|!REQUEST_COOKIES:/^ph_/|!ARGS:images[]|!ARGS:/^misc-htaccess_/|!ARGS:aiowps_save_htaccess|!ARGS:submithtaccess|!ARGS:site_details|!ARGS:contextpath|!ARGS:response|!ARGS:html "(?:([\W\S])(?:\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf\S)\b|\.\/etc\/|^\/etc\/)" "t:none"

# 77350568: blocks a file-handling command or path followed later in the same
# value by ".htaccess", outside the listed admin and API URIs.
# NOTE(review): the path alternation reads /(home|var|www|tpm)/ - "tpm" looks
# like a typo for "tmp"; confirm. The chain also passes through negated tests
# on Referer and ARGS, which are only evaluated when those targets exist, so
# confirm the behaviour for requests without a Referer header.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /manager/ supportkb.php /etc/designs/ updraftplus /staff/addonmodules.php /cpsess /ispmgr /whm /mdb-api/ /connectors/index.php /wp-json/ /wp-load.php github-apps-plesk" "id:77350568,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Remote File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Referer "!@contains action=elementor" "chain,t:none"
    SecRule ARGS "!@rx (^\x22?#|^\x22?\<\!DOCTYPE\shtml)" "chain,t:none"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/data/|!ARGS:/description/|!ARGS:/install.values..\w+..fileDenyPattern./|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:force|!REQUEST_COOKIES:/^ph_/|!ARGS:images[]|!ARGS:/^misc-htaccess_/|!ARGS:aiowps_save_htaccess|!ARGS:submithtaccess|!ARGS:site_details|!ARGS:contextpath|!ARGS:response|!ARGS:html "\b(wget|curl|rm|mv|chmod|cat|file_put_contents|rename_to=|touch|echo|base64_decode|/(home|var|www|tpm)/)\b.+\.htaccess[^\<\-\.]" "t:none"

# 77211200: records references to cmd /c and Windows command executables
# (cmd.exe, ftp.exe, telnet.exe, ...).
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd .exe" "id:77211200,chain,msg:'IM360 WAF: System Command Access||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,t:cmdLine,severity:2,tag:'service_im360'"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx \b(?:cmd(?:\b[^a-zA-Z0-9_]{0,999}?\/c|(?:32){0,1}\.exe\b)|(?:ftp|n(?:c|et|map)|rcmd|telnet|w(?:guest|sh))\.exe\b)" "capture,t:none,t:urlDecodeUni,t:lowercase"

# 77211210: records (audit log only) shell command names, either standalone
# with typical arguments or after a ";", backtick or "|" separator.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:__INSIDE_setLock|!ARGS:action_name|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:imgdata2|!ARGS:inparam_dop|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cd chmod cmd .exe echo net tclsh telnet tftp traceroute tracert g++ gcc chgrp chown chsh cpp finger ftp id ls lsof nasm nc nmap passwd perl ping ps python telnet uname xterm rm kill mail" "id:77211210,chain,msg:'IM360 WAF: System Command Injection Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:cmdLine,severity:5,tag:'service_im360',tag:'noshow'"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,999}?[\/]|[^a-zA-Z0-9_]{0,999}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,999}?\/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,999}?\by{1,999}|n(?:et(?:\b[^a-zA-Z0-9_]{1,999}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:clsh8{0,1}|elnet\.exe|ftp|racer(?:oute|t))|(?:ftp|rcmd|w(?:guest|sh))\.exe)\b)|[;\x60|][^a-zA-Z0-9_]{0,999}?\b(?:g(?:\+\+|cc\b)|(?:c(?:h(?:grp|mod|own|sh)|md|pp)|echo|f(?:inger|tp)|id[^=]|ls(?:of){0,1}|n(?:asm|c|map)|p(?:asswd|erl|ing|s|ython)|telnet|uname|(?:xte){0,1}rm|(?:kil|mai)l)\b))" "capture,t:none,t:cmdLine,t:lowercase"

# 77211230: records PHP file/stream function names and superglobals in the
# listed targets, except for the two named client User-Agents.
# NOTE(review): the setvar that appends "r77211230" to tx.rbl_infectors_rule
# is on the chain starter; see the chain-starter remark at 77140164.
SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "id:77211230,chain,msg:'IM360 WAF: PHP Injection Attack||RSV:8.02||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:5,tag:'service_im360',setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77211230"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm ftp_ fget fgets fgetc fscanf fwrite fopen fread gzencode gzwrite gzcompress gzopen gzread session_start scandir readfile readgzfile readdir move_uploaded_file proc_open bzopen call_user_func $_get $_post $_session" "chain,t:none,t:lowercase"
    SecRule MATCHED_VAR "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get[sc]?s?|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "t:none"

# 77220020: phase 1 record of a Cookie header containing an empty
# name/value pair ("=" alone between separators), except for the listed
# exchange script; the msg ties it to CVE-2012-0021.
SecRule REQUEST_HEADERS:Cookie "@rx (^|;)=(;|$)" "chain,id:77220020,phase:1,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: DoS vulnerability in Apache 2.2.17 - 2.2.21 (CVE-2012-0021)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@rx \/exchange_1C_Opencart\.php" "t:none"

# 77221260: records values in the query string, file name or listed headers
# that begin with the "() {" function-definition prefix named in the msg
# (Shellshock).
SecRule QUERY_STRING|REQUEST_FILENAME|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Host|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:WWW-Authenticate "@rx ^(?:\'\w+?=)?\(\)\s{" "id:77221260,msg:'IM360 WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187 CVE-2014-7186 CVE-2014-7169 CVE-2014-6278 CVE-2014-6277 CVE-2014-6271)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,severity:2,tag:'service_im360'"

# 77211270: records print/echo/eval/exec followed by "(" in the listed
# targets, except under the listed VirtueMart image path.
SecRule REQUEST_FILENAME "!@contains /images/stories/virtuemart/product/resized/" "id:77211270,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary code execution vulnerability in Request URI||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:^|[^a-zA-Z0-9_-])(?:print|echo|eval|exec)\s{0,10}\(" "t:none,t:urlDecodeUni,capture"

# 77211320: records the literal "[!!]" in the listed targets.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains [!!]" "id:77211320,msg:'IM360 WAF: XSS vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecode,severity:5,tag:'service_im360',tag:'noshow'"

# 77210100: on a 406 response, switches response body access on in phase 3.
SecRule RESPONSE_STATUS "@streq 406" "id:77210100,phase:3,pass,nolog,ctl:responseBodyAccess=On,severity:5,tag:'service_im360'"

# 77210101: phase 4 record of a 406 response whose body contains
# "Available variants:"; the msg ties it to CVE-2012-2687.
SecRule RESPONSE_STATUS "@streq 406" "id:77210101,chain,phase:4,pass,nolog,auditlog,severity:2,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Apache HTTP Server 2.4.x before 2.4.3 (CVE-2012-2687)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule RESPONSE_BODY "@contains Available variants:" "t:none"

# 77210210: phase 5 record of "Invalid URI in request" in the web server
# error log.
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:77210210,msg:'IM360 WAF: Apache Error: Invalid URI in Request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:5,pass,t:none,severity:5,tag:'service_im360',tag:'noshow'"

# 77210231: records a request body parse error on xmlrpc.php when the
# Content-Type contains "xml".
SecRule REQBODY_ERROR "!@eq 0" "id:77210231,chain,msg:'IM360 WAF: XMLRPC protection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,severity:5,tag:'service_im360'"
    SecRule REQUEST_HEADERS:Content-Type "xml" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,t:lowercase"

# 77210260: phase 1 record of a Content-Length that is not 1-99 decimal
# digits.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^[0-9]{1,99}$" "id:77210260,msg:'IM360 WAF: Content-Length HTTP header is not numeric or Integer overflow in CGit before 0.12 (CVE-2016-1901)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:1,pass,t:none,severity:5,tag:'service_im360'"

# 77210270: phase 1 record of a HEAD request whose Content-Length is anything
# other than empty or "0".
SecRule REQUEST_METHOD "@streq HEAD" "id:77210270,chain,msg:'IM360 WAF: HEAD Request with Body Content||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:1,pass,t:none,severity:2,tag:'service_im360'"
    SecRule REQUEST_HEADERS:Content-Length "!^0{0,1}$" "t:none"

# 77210280: phase 1 record of an HTTP/1.0 POST that has no Content-Length
# header.
SecRule REQUEST_METHOD "@streq POST" "id:77210280,chain,msg:'IM360 WAF: HTTP/1.0 POST request missing Content-Length Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:1,pass,t:none,severity:5,tag:'service_im360'"
    SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

# 77210341: records .pdf requests whose Range or Request-Range header starts
# with 35 or more byte ranges.
SecRule REQUEST_BASENAME "@endsWith .pdf" "id:77210341,chain,msg:'IM360 WAF: Range: Too many fields for pdf request (35 or more)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:2,tag:'service_im360'"
    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){35}" "t:none"

# 77210350: records a Connection header that lists close/keep-alive twice.
SecRule REQUEST_HEADERS:Connection "\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b" "id:77210350,msg:'IM360 WAF: Multiple/Conflicting Connection Header Data Found||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_im360',tag:'noshow'"

# 77210380: for form-urlencoded or text/xml bodies, records a "%" sequence
# that fails @validateUrlEncoding, unless the argument message_backup is
# present.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "id:77210380,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||RSV:8.02||T:APACHE||Payload:%{TX.0}||',phase:2,pass,t:none,severity:5,tag:'service_im360'"
    SecRule &ARGS:message_backup "@eq 0" "chain,t:none"
    SecRule REQUEST_BODY|XML:/* "@rx \%([\S\W]|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain,capture"
    SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "t:none"

# 77210381: the same URL-encoding validity check applied to the request URI.
SecRule REQUEST_URI "@rx \%([\S\W]|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "id:77210381,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_URI "@validateUrlEncoding" "t:none"

# 77210400: records %uFFxx sequences in the URI or body.
SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" "id:77210400,msg:'IM360 WAF: Unicode Full/Half Width Abuse Attack Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_im360'"

# 77217210: records request lines that do not fit the method/URI/protocol
# shape in the regex, except under /wc-api/KCO_WC_Validation/.
SecRule REQUEST_URI "!@rx \/wc-api\/KCO_WC_Validation\/" "chain,id:77217210,msg:'IM360 WAF: Invalid HTTP Request Line||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecode,t:normalizePath,severity:5,tag:'service_im360'"
    SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#]*)?(?:#[\S]*)?)$" "t:none,t:urlDecode,t:normalizePath"

# 77211080: records CR/LF followed by a content-type, content-length,
# set-cookie or location header name in cookies, arguments or XML, for
# non-JSON requests outside the listed editor/comment endpoints.
SecRule !REQUEST_COOKIES:/__utm/|REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|XML:/* "@pm type length set-cookie location" "id:77211080,chain,msg:'IM360 WAF: HTTP Response Splitting Attack||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||RSV:8.02||T:APACHE||',phase:2,capture,pass,t:none,severity:2,tag:'service_im360'"
    SecRule REQUEST_HEADERS:Content-Type "!@rx application/json" "t:none,chain"
    SecRule REQUEST_FILENAME "!@pm /wp-comments-post.php /wp-admin/admin-ajax.php fckeditor/editor/filemanager/connectors/asp/connector.asp /dav.php/calendars/shared/" "chain,t:none,t:normalizePath"
    SecRule REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|!ARGS:/^description/|!ARGS:/^text$/|!ARGS:/^message$/|!ARGS:/^replymessage$/|!ARGS:/^notes$/|!ARGS:/^adminnotes$/|!ARGS:/^query$/|XML:/* "@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):" "t:none,t:lowercase"

# 77211500: when a cookie named phpMyAdmin or starting with WHMCS is present,
# jumps to the marker IGNORE_CRS_SQLi.
# NOTE(review): the skip is keyed on cookie names, which are supplied by the
# client; the marker is outside this view, so confirm which rules are passed
# over and whether that exemption is acceptable.
SecRule &REQUEST_COOKIES:/^WHMCS/|&REQUEST_COOKIES:phpMyAdmin "!@eq 0" "id:77211500,msg:'IM360 WAF: Ignore WHMCS and phpMyAdmin from base SQLi Attack Detection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,pass,nolog,skipAfter:'IGNORE_CRS_SQLi',severity:5,tag:'service_im360'"

# 77211630: phase 5 record of benchmark( or sleep( calls outside /graphql.
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS:Cookie|ARGS_NAMES|XML:/*|!REQUEST_COOKIES:/__utm/ "@pm benchmark( sleep(" "id:77211630,chain,phase:5,pass,severity:5,nolog,auditlog,t:none,t:lowercase,msg:'IM360 WAF: Detects blind sqli tests using sleep() or benchmark()||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@pm /graphql" "chain,t:none"
    SecRule MATCHED_VAR "@rx [^-\w](?:benchmark|sleep)\s*\(." "t:none,t:urlDecode"

# 77211700: records conditional SQL constructs (case(, ) like (, having, if()
# in the listed targets.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS:/acf_fields/ "@pm case like having if" "chain,id:77211700,msg:'IM360 WAF: Detects conditional SQL injection attempts||RSV:8.02||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecodeUni,severity:5,tag:'service_im360'"
    SecRule MATCHED_VAR "@rx (?i:[ ()]case ?\(|\) ?like ?\(|\bhaving([^-<,\w][^\w])\s?[^\s]+ ?[^\w ]|\bif ?\([\d\w] ?[=<>~])" "t:none,t:htmlEntityDecode"

# 77211710: phase 5 record of waitfor delay/time, goto labels and
# "alter ... character set" statements outside /graphql.
SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@pm alter waitfor goto" "id:77211710,chain,phase:5,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Detects MySQL charset switch and MSSQL DoS attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@pm /graphql" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\x22'\x60](?:;*? ?waitfor (?:delay|time) [\x22'\x60]|;.{0,999}?: ?goto)|\balter\s*?\w+.{0,999}?\bcha(?:racte)?r set \w+))" "t:none,t:urlDecodeUni"

# 77211750: phase 5 record of select pg_sleep, waitfor delay and ";shutdown"
# statements outside /graphql.
SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@pm select waitfor shutdown" "id:77211750,chain,phase:5,pass,nolog,auditlog,t:none,severity:5,msg:'IM360 WAF: Detects Postgres pg_sleep injection waitfor delay attacks and database shutdown attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "!@pm /graphql" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\x22'\x60]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "t:none,t:urlDecodeUni"

# 77211760: records bracketed MongoDB operators ([$where], [$or], [$and],
# [$exists]) in arguments or cookies, except for the two named client
# User-Agents.
SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "id:77211760,chain,pass,nolog,auditlog,phase:2,t:none,severity:5,msg:'IM360 WAF: Basic MongoDB injection attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule ARGS|REQUEST_HEADERS:Cookie|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:data|!ARGS:wp_all_import_code|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@pm [$where] [$or] [$and] [$exists]" "chain,t:none,t:urlDecode"
    SecRule MATCHED_VAR "(?i)\[\$(?:where|or|and|exists)\]" "t:none"

# 77211790: records stored procedure/function constructs (procedure analyse,
# declare, create function/procedure, exec(@) in the listed targets.
SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "id:77211790,chain,msg:'IM360 WAF: Detects MySQL and PostgreSQL stored procedure/function injections||RSV:8.02||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:2,tag:'service_im360'"
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@pm procedure declare create exec" "chain,t:none,t:lowercase"
    SecRule MATCHED_VAR "(?i)(?:procedure\s+analyse\s*\(|;\s*(?:declare|open)\s+[\w-]+|create\s+(?:function|procedure)\s*\w+\s*\(\s*\)\s*-|declare\W+[#@]\s*\w+|exec\s*\(\s*@)" "t:none,t:urlDecode"

# 77211820: records "create function ... returns" and statements that follow
# a ";" or ")" (alter, delete, insert, select, ...), skipping values that
# look like base64 image data.
SecRule REQUEST_HEADERS:User-Agent "!@rx Shopify-Captain-Hook|Mollie HTTP client/1.0" "id:77211820,chain,msg:'IM360 WAF: Detects MySQL UDF injection and other data/structure manipulation attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:5,tag:'service_im360'"
    SecRule ARGS|ARGS_NAMES|XML:/*|!ARGS:/^gt/|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!ARGS:sql_query|!ARGS:/categor/|!ARGS:cate|!ARGS:html|!ARGS:Parameters|!ARGS:scp "@pm ;alter ;delete ;insert ;rename ;select ;truncate ;update )select (select" "chain,t:none,t:lowercase"
    SecRule MATCHED_VAR "!@rx ^/?(?:canvas fp:|(?:/[\w-]+/){0,10})?(?:data:)?image/\w{3,4};base64" "chain,t:none"
    SecRule MATCHED_VAR "(?i)(?:create\s+function\s+\w+\s+returns|[;)]{1,3}\s*(?:alter|delete|desc|insert|load|rename|select)\s*[\s([\x27])" "t:none,t:urlDecode"

# 77218530: pre-filters the listed targets for common database and system
# catalogue names (audit log only). The chained rule that follows is cut off
# at the end of this view and is reproduced only as far as it is visible.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:db|!REQUEST_COOKIES:/__utm/ "@pm msysaccessobjects msysaces msysobjects msysqueries msysrelationships msysaccessstorage msysaccessxml msysmodules msysmodules2 msdb master..sysdatabases mysql.db sys.database_name sysaux schema( schema_name sqlite_temp_master database( db_name( information_schema pg_catalog pg_toast northwind tempdb" "chain,id:77218530,msg:'IM360 WAF: SQL Injection Attack: Common DB Names Detected||RSV:8.02||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecode,severity:2,tag:'service_im360'"
    SecRule MATCHED_VAR "@rx 
(?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" "t:none,t:urlDecode" SecMarker IGNORE_CRS_SQLi SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Cookie|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword "@pm and or" "id:77218570,chain,msg:'IM360 WAF: SQLi vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,tag:'service_im360'" SecRule MATCHED_VAR "@rx ['\x22\x60](?:AND|OR)\d+?(?:\*\d+?){0,4}=\d+?(?:AND|OR)\d+=\d+" "t:none,t:urlDecode" SecRule ARGS "@rx [\x27\x22\x60]\s*(?:and|or)\s+\d+=\d+" "id:77316746,pass,nolog,auditlog,phase:2,severity:5,t:none,t:lowercase,t:htmlEntityDecode,msg:'IM360 WAF: Generic SQLi attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecMarker big_request_body SecMarker END_GENERIC_CONF SecRule SCRIPT_FILENAME "!@endsWith /index.php" "id:33344,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Standalone malware access attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'" SecRule SCRIPT_FILENAME "!@endsWith /" "chain,t:none" SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone.list" "t:none,capture,t:sha1,t:hexEncode,t:lowercase" SecRule 
!REQUEST_COOKIES:/__utm/|REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query/|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/title/|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet|!ARGS:modules "@pm union select from" "id:77350223,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Common SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule MATCHED_VAR "@rx (?i)union\s+select\s+from" "t:none,t:urlDecode" SecRule REQUEST_URI "!@rx \/php[Mm]y[Aa]dmin\/" "chain,id:77350224,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: Common DB Name in Request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule !REQUEST_COOKIES:/__utm/|REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:/post/|!ARGS:/history/|!ARGS:/notes/|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query/|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/^acf/|!ARGS:/title/|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet|!ARGS:/^field_id_\d+$/|!ARGS:modules|!ARGS:imgBase64|!ARGS:foto|!ARGS:file|!ARGS:/^img/ "@rx 
(?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W{0,999}\())|db_name\W{0,999}\())" "t:none" SecRule ARGS "@pm <?php $_ function" "chain,id:77854328,phase:2,block,nolog,auditlog,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Block dangerous PHP input||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule MATCHED_VAR "@rx <\?php|\$_|function\s[^\(]{1,40}\([^\)]{0,90}\)" "t:none,chain" SecRule MATCHED_VAR "@pmFromFile php_data" "t:none,t:normalizePath,chain" SecRule MATCHED_VAR "create_super_customer_account" "t:none,t:normalizePath" SecRule ARGS "@pm <?php $_ function" "chain,id:77350517,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Track PHP input||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule MATCHED_VAR "@rx <\?php|\$_|function\s[^\(]{1,40}\([^\)]{0,90}\)" "chain,t:none" SecRule MATCHED_VAR "@pmFromFile php_data" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@streq GET" "id:77980115,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: LetsEncrypt ACME Challenge Request||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_URI "@rx ^\/\.well-known\/acme-challenge\/[A-Za-z0-9_-]{43}$" "t:none" SecRule ARGS:order "@detectSQLi" "id:77350560,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:urlDecodeUni,t:utf8toUnicode,msg:'IM360 WAF: Possible SQL injection attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:order "^\w{0,999}[\x27\x22].{10,70}" "chain,t:utf8toUnicode" SecRule ARGS:order "[^a-zA-Z-_\.\d]{1,100}.{2,50}" "t:utf8toUnicode" SecRule ARGS:order "@detectSQLi" 
"id:77350561,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,t:urlDecodeUni,t:utf8toUnicode,msg:'IM360 WAF: Possible SQL injection attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule ARGS:order "[\x27\x22\x5c\x2b\x3d].{10}|select|union|--|extractvalue|print\(|chr\(|sleep\(|randomblob|INFORMATION_SCHEMA|\/\*.{0,999}?\*\/" "chain,t:lowercase,t:utf8toUnicode" SecRule ARGS:order "[^a-zA-Z-_\.\d]+.{2,70}" "t:utf8toUnicode" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.0/8,::1" "id:77045402,chain,phase:1,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Direct access to sensitive file or dotfile||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" "chain,t:none" SecRule REQUEST_URI "@rx (?i)(?:^|/)(?:\.env(?:_config|\.local|\.bak|\.old|\.save|\.production|\.staging)?|\.git/(?:HEAD|config|objects|refs|index)|\.svn/(?:entries|wc\.db)|\.hg/store|(?:\.ht(?:passwd|access|group))~)(?:\?.*)?$" "t:none,t:urlDecodeUni,t:normalizePath,setvar:'tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77045402'" SecRule ARGS|REQUEST_HEADERS|REMOTE_HOST "@pmFromFile cloudav_list" "id:77125607,phase:2,pass,nolog,auditlog,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Suspicious domain in input||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"