/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset

# Reading guide for this file (layout only; every directive is unchanged):
#  - Each rule is shown with its chained SecRule lines indented below the
#    chain starter. Disruptive and flow actions (block/pass, skip, skipAfter)
#    live on the starter and apply only when the whole chain matches.
#  - Non-disruptive actions (initcol, setvar, expirevar, ctl) written on a
#    chained line run as soon as that line matches, even if a later line of
#    the same chain fails.
#  - "nolog,auditlog" keeps the event out of the error log but records it in
#    the audit log. "block" defers to the disruptive action configured outside
#    this file; "pass" means the rule only logs and/or updates state.
#  - TX:rbl_whitelist_check and tx.remote_addr are read here but never set
#    here; they are presumably populated by an earlier ruleset file - confirm.

# --- XML-RPC request-rate limit (collection key: Host header + REMOTE_ADDR) ---
# 77350447: block while SESSION:xmlrpc_block is 1. Applies only when the
# whitelist flag is absent and TX:remote_addr is outside 10/8, 127/8,
# 169.254/16, 172.16-31, 192.168/16, ::1 and addresses starting fc/fd.
# "@contains xmlrpc.php" is a substring test on the full URI, so the string
# appearing in a query string also matches.
# NOTE(review): the exemption tests TX:remote_addr but the collection is keyed
# on REMOTE_ADDR; if the two can differ (e.g. behind a reverse proxy) the
# counter may be shared by many clients - confirm.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77350447,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Rate limit exceeded for XMLRPC DoS||Count:%{SESSION.xmlrpc_block_limit}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule TX:remote_addr "!@rx ^1(?:0|27|69\.254|72\.(?:1[6-9]|2[0-9]|3[0-1])|92\.168)\.|(?:^::1$)|(?:^[fF][cCdD])" "chain,t:none"
    SecRule REQUEST_URI "@contains xmlrpc.php" "chain,t:none,initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR}"
    SecRule SESSION:xmlrpc_block "@eq 1" "t:none"

# 77350448: threshold. When the counter exceeds 90, reset it, raise the block
# flag for 90 seconds and block this request.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77350448,chain,phase:2,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Rate limit exceeded for XMLRPC DoS||Count:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule TX:remote_addr "!@rx ^1(?:0|27|69\.254|72\.(?:1[6-9]|2[0-9]|3[0-1])|92\.168)\.|(?:^::1$)|(?:^[fF][cCdD])" "chain,t:none"
    SecRule REQUEST_URI "@contains xmlrpc.php" "chain,t:none,initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR}"
    SecRule SESSION:xmlrpc_block_limit "@gt 90" "t:none,setvar:session.xmlrpc_block_limit=0,setvar:session.xmlrpc_block=1,expirevar:session.xmlrpc_block=90"

# 77350449: counter. Every matching request adds 1 and re-applies the
# 20-second expiry, so the count only lapses 20 seconds after the last hit.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77350449,chain,phase:2,pass,nolog,severity:5,t:none,tag:'service_im360'"
    SecRule TX:remote_addr "!@rx ^1(?:0|27|69\.254|72\.(?:1[6-9]|2[0-9]|3[0-1])|92\.168)\.|(?:^::1$)|(?:^[fF][cCdD])" "chain,t:none"
    SecRule REQUEST_URI "@contains xmlrpc.php" "t:none,initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR},setvar:session.timeout=600,setvar:session.xmlrpc_block_limit=+1,expirevar:session.xmlrpc_block_limit=20"

# --- Magento /V1/cmsBlock/<digit> write-rate monitor (IP collection) ---
# All four rules use "pass": this group records and logs, it does not reject.
# "@rx PUT|POST" is unanchored, so any method containing either word matches.
# 77816162: audit-log once when the "exceeded" flag is set, then clear it.
# The msg text "YMagento" is as shipped (sic).
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816162,chain,phase:2,pass,nolog,auditlog,t:none,severity:6,skipAfter:MarkerMagentoBlock,msg:'IM360 WAF: Rate limit exceeded for YMagento block||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx /V1/cmsBlock/\d" "chain,t:none,initcol:IP='%{tx.remote_addr}'"
    SecRule IP:req_num_exp "@eq 1" "t:none,setvar:ip.req_num_exp=0"

# 77816163: threshold. More than 50 counted requests resets the counter and
# raises the flag for 2 seconds (no audit-log entry from this rule itself).
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816163,chain,phase:2,pass,nolog,t:none,severity:5,skipAfter:MarkerMagentoBlock,msg:'IM360 WAF: Rate limit exceeded for Magento block||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx /V1/cmsBlock/\d" "chain,t:none,initcol:IP='%{tx.remote_addr}'"
    SecRule IP:req_num "@gt 50" "t:none,setvar:ip.req_num=0,setvar:ip.req_num_exp=1,expirevar:ip.req_num_exp=2,setvar:ip.timeout=15"

# 77816164: increment an existing counter, then skip the initialiser below.
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816164,chain,phase:2,pass,nolog,t:none,severity:5,skipAfter:MarkerMagentoBlock,msg:'IM360 WAF: Rate limit counter for Magento block||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@rx /V1/cmsBlock/\d" "chain,t:none,initcol:IP='%{tx.remote_addr}'"
    SecRule IP:req_num "@gt 0" "t:none,setvar:IP.req_num=+1"

# 77816165: initialise the counter to 1 with a 20-second expiry set once at
# creation, i.e. a fixed window starting at the first request.
SecRule REQUEST_METHOD "@rx PUT|POST" "id:77816165,chain,phase:2,pass,nolog,t:none,severity:5,msg:'IM360 WAF: Rate limit counter for Magento block||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',t:none,tag:'service_im360'"
    SecRule REQUEST_URI "@rx /V1/cmsBlock/\d" "chain,t:none,initcol:IP='%{tx.remote_addr}'"
    SecRule &IP:req_num "@eq 0" "t:none,setvar:IP.req_num=1,expirevar:IP.req_num=20,setvar:IP.timeout=30"
SecMarker MarkerMagentoBlock

# --- Magento catalog-search rate monitor (IP collection) ---
# 77064216/77064217 say "exceeded" in msg but use "pass": they audit-log and
# keep state without rejecting the request.
# 77064216: log while ip.catsearch_block is 1.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77064216,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,skipAfter:MarkerMagentoCatalogSearch,msg:'IM360 WAF: Rate limit exceeded for Magento catalog search||Count:%{ip.catsearch_limit}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_METHOD "@streq GET" "chain,t:none"
    SecRule REQUEST_URI "@contains /catalogsearch/result" "chain,t:none,initcol:ip=%{tx.remote_addr}"
    SecRule ip:catsearch_block "@eq 1" "t:none"

# 77064217: threshold. More than 30 counted searches resets the counter and
# sets the flag for 120 seconds.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77064217,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,skipAfter:MarkerMagentoCatalogSearch,msg:'IM360 WAF: Rate limit exceeded for Magento catalog search||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_METHOD "@streq GET" "chain,t:none"
    SecRule REQUEST_URI "@contains /catalogsearch/result" "chain,t:none,initcol:ip=%{tx.remote_addr}"
    SecRule ip:catsearch_limit "@gt 30" "t:none,setvar:ip.catsearch_limit=0,setvar:ip.catsearch_block=1,expirevar:ip.catsearch_block=120,setvar:ip.timeout=180"

# 77064218: increment an existing counter and skip the initialiser.
SecRule REQUEST_METHOD "@streq GET" "id:77064218,chain,phase:2,pass,nolog,severity:5,t:none,skipAfter:MarkerMagentoCatalogSearch,msg:'IM360 WAF: Catalog search rate counter||Count:%{ip.catsearch_limit}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@contains /catalogsearch/result" "chain,t:none,initcol:ip=%{tx.remote_addr}"
    SecRule ip:catsearch_limit "@gt 0" "t:none,setvar:ip.catsearch_limit=+1"

# 77064219: initialiser (counter=1, 60-second expiry). It has no "counter is
# absent" test of its own; it relies on 77064218's skipAfter to be bypassed
# when a non-zero counter already exists.
SecRule REQUEST_METHOD "@streq GET" "id:77064219,chain,phase:2,pass,nolog,severity:5,t:none,msg:'IM360 WAF: Catalog search rate counter||Count:%{ip.catsearch_limit}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_URI "@contains /catalogsearch/result" "t:none,initcol:ip=%{tx.remote_addr},setvar:ip.catsearch_limit=1,expirevar:ip.catsearch_limit=60,setvar:ip.timeout=180"
SecMarker MarkerMagentoCatalogSearch

# --- Crawler / bot rate limits (everything up to MarkerCrawlersBots) ---
# 77617105: requests for well-known metadata files skip the whole bot section.
# @pm is a case-insensitive substring match, so any filename containing one of
# these words (e.g. "sitemap") is exempt.
SecRule REQUEST_FILENAME "@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "id:77617105,phase:2,skipAfter:MarkerCrawlersBots,pass,nolog,t:none,severity:5,tag:'service_im360',tag:'noshow'"

# Facebook crawler. The collection key is Host header + the literal string
# "facebookexternalhit", not the client address: every client presenting this
# User-Agent to the same Host shares one counter and one block flag. The
# User-Agent is client-supplied, so this throttles a claimed identity rather
# than a verified crawler.
# 77350418: block while fb_bot_block is 1.
SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "id:77350418,chain,phase:2,block,nolog,auditlog,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Rate limit exceeded for Facebook Crawler Bot||Count:%{SESSION.fb_limit}||Range:%{REQUEST_HEADERS.Range}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" "chain,t:none,initcol:session=%{REQUEST_HEADERS.Host}.facebookexternalhit"
    SecRule SESSION:fb_bot_block "@eq 1" "t:none"

# 77350419: threshold. At 22 or more counted requests, reset the counter, set
# the block flag for 40 seconds and block.
SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" "id:77350419,chain,phase:2,block,nolog,auditlog,severity:2,initcol:session=%{REQUEST_HEADERS.Host}.facebookexternalhit,msg:'IM360 WAF: Rate limit exceeded for Facebook Crawler Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "chain,t:none,t:lowercase"
    SecRule SESSION:fb_limit "@ge 22" "t:none,setvar:session.fb_limit=0,setvar:session.fb_bot_block=1,expirevar:session.fb_bot_block=40,setvar:session.timeout=60"

# 77350439: counter (+1, 10-second expiry re-applied on every hit). skip:1
# jumps over 77350460 when this chain matches.
SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" "id:77350439,chain,phase:2,pass,skip:1,nolog,severity:5,t:none,tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "t:none,t:lowercase,initcol:session=%{REQUEST_HEADERS.Host}.facebookexternalhit,setvar:session.fb_limit=+1,expirevar:session.fb_limit=10,setvar:session.timeout=60"

# 77350460: same conditions and actions as 77350439.
# NOTE(review): it is skipped whenever 77350439 matches and cannot match when
# 77350439 does not, so it looks unreachable - confirm with the vendor.
SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" "chain,id:77350460,phase:2,pass,nolog,severity:5,t:none,tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "t:none,t:lowercase,initcol:session=%{REQUEST_HEADERS.Host}.facebookexternalhit,setvar:session.fb_limit=+1,expirevar:session.fb_limit=10,setvar:session.timeout=60"

# Meta-ExternalAgent crawler (key: Host header + "Meta-ExternalAgent"; the
# same shared-counter and client-supplied User-Agent caveats apply).
# 77490879: block while meta_bot_block is 1.
SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "id:77490879,chain,phase:2,block,nolog,auditlog,severity:5,t:none,t:lowercase,msg:'IM360 WAF: Rate limit exceeded for Meta-ExternalAgent Bot||Count:%{SESSION.meta_limit}||Range:%{REQUEST_HEADERS.Range}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:User-Agent "@rx (?i)meta-externalagent" "chain,t:none,initcol:session=%{REQUEST_HEADERS.Host}.Meta-ExternalAgent"
    SecRule SESSION:meta_bot_block "@eq 1" "t:none"

# 77490880: threshold. More than 20 counted requests resets the counter, sets
# the block flag for 80 seconds and blocks.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)meta-externalagent" "id:77490880,chain,phase:2,block,nolog,auditlog,severity:5,initcol:session=%{REQUEST_HEADERS.Host}.Meta-ExternalAgent,msg:'IM360 WAF: Rate limit exceeded for Meta-ExternalAgent Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "chain,t:none,t:lowercase"
    SecRule SESSION:meta_limit "@gt 20" "t:none,setvar:session.meta_limit=0,setvar:session.meta_bot_block=1,expirevar:session.meta_bot_block=80,setvar:session.timeout=120"

# 77490881: counter. Only requests without a Range header are counted. This
# variant sets no expirevar on meta_limit; skip:1 jumps over 77490882.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)meta-externalagent" "id:77490881,chain,phase:2,pass,skip:1,nolog,severity:5,t:none,tag:'service_im360'"
    SecRule &REQUEST_HEADERS:Range "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "t:none,t:lowercase,initcol:session=%{REQUEST_HEADERS.Host}.Meta-ExternalAgent,setvar:session.meta_limit=+1,setvar:session.timeout=60"

# 77490882: same three conditions in a different order, plus a 10-second
# expirevar on the counter.
# NOTE(review): because 77490881 skips this rule whenever it matches, the
# expirevar here may never be applied and the counter would then live until
# the collection times out - confirm the intended window.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)meta-externalagent" "chain,id:77490882,phase:2,pass,nolog,severity:5,t:none,tag:'service_im360'"
    SecRule REQUEST_FILENAME "!@pm sitemap browserconfig.xml robots.txt ai.txt humans.txt favicon.ico ads.txt manifest.json browserconfig.xml crossdomain.xml manifest.webmanifest opensearchdescription.xml pgp-key.txt security.txt" "chain,t:none,t:lowercase"
    SecRule &REQUEST_HEADERS:Range "@eq 0" "t:none,initcol:session=%{REQUEST_HEADERS.Host}.Meta-ExternalAgent,setvar:session.meta_limit=+1,expirevar:session.meta_limit=10,setvar:session.timeout=60"

# Scrapy (key: Host header + "Scrapy"). "@rx Scrapy" is case-sensitive and
# matches only clients that announce themselves with that token.
# 77617106: block while scrapy_bot_block is 1.
SecRule REQUEST_HEADERS:User-Agent "@rx Scrapy" "id:77617106,chain,phase:2,block,nolog,auditlog,t:none,severity:5,skipAfter:MarkerCrawlersBotsScrapy,initcol:session='%{REQUEST_HEADERS.Host}.Scrapy',msg:'IM360 WAF: Rate limit exceeded for Scrapy Crawler Bot||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:scrapy_bot_block "@eq 1" "t:none"

# 77617107: threshold. More than 99 counted requests sets the block flag for
# 120 seconds. Unlike the rules above, the counter is not reset here.
SecRule REQUEST_HEADERS:User-Agent "@rx Scrapy" "id:77617107,chain,phase:2,block,nolog,auditlog,t:none,severity:5,skipAfter:MarkerCrawlersBotsScrapy,initcol:session='%{REQUEST_HEADERS.Host}.Scrapy',msg:'IM360 WAF: Rate limit exceeded for Scrapy Crawler Bot||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:scrapy_limit "@gt 99" "t:none,setvar:session.scrapy_bot_block=1,expirevar:session.scrapy_bot_block=120,setvar:session.timeout=360"

# 77617108: increment an existing counter.
SecRule REQUEST_HEADERS:User-Agent "@rx Scrapy" "id:77617108,chain,phase:2,pass,nolog,t:none,severity:5,skipAfter:MarkerCrawlersBotsScrapy,initcol:session='%{REQUEST_HEADERS.Host}.Scrapy',msg:'IM360 WAF: Rate limit counter for Scrapy Crawler Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:scrapy_limit "@gt 0" "t:none,setvar:session.scrapy_limit=+1"

# 77617109: initialise the counter (1, 60-second expiry set at creation).
SecRule REQUEST_HEADERS:User-Agent "@rx Scrapy" "id:77617109,chain,phase:2,pass,nolog,t:none,severity:5,skipAfter:MarkerCrawlersBotsScrapy,initcol:session='%{REQUEST_HEADERS.Host}.Scrapy',msg:'IM360 WAF: Rate limit counter for Scrapy Crawler Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule &SESSION:scrapy_limit "@eq 0" "t:none,setvar:session.scrapy_limit=1,expirevar:session.scrapy_limit=60,setvar:session.timeout=330"
SecMarker MarkerCrawlersBotsScrapy

# YandexBot (key: Host header + "YandexBot"). Same structure as the Scrapy
# group; the two blocking rules additionally set status:429.
# 77194839: block while yandbot_bot_block is 1.
SecRule REQUEST_HEADERS:User-Agent "@rx YandexBot" "id:77194839,chain,phase:2,block,nolog,auditlog,status:429,t:none,severity:5,skipAfter:MarkerCrawlersBotsYandex,initcol:session='%{REQUEST_HEADERS.Host}.YandexBot',msg:'IM360 WAF: Rate limit exceeded for YandexBot Bot||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:yandbot_bot_block "@eq 1" "t:none"

# 77194840: threshold. More than 99 counted requests sets the block flag for
# 120 seconds (counter not reset).
SecRule REQUEST_HEADERS:User-Agent "@rx YandexBot" "id:77194840,chain,phase:2,block,status:429,nolog,auditlog,t:none,severity:5,skipAfter:MarkerCrawlersBotsYandex,initcol:session='%{REQUEST_HEADERS.Host}.YandexBot',msg:'IM360 WAF: Rate limit exceeded for YandexBot Bot||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:yandbot_limit "@gt 99" "t:none,setvar:session.yandbot_bot_block=1,expirevar:session.yandbot_bot_block=120,setvar:session.timeout=360"

# 77194841: increment an existing counter.
SecRule REQUEST_HEADERS:User-Agent "@rx YandexBot" "id:77194841,chain,phase:2,pass,nolog,t:none,severity:5,skipAfter:MarkerCrawlersBotsYandex,initcol:session='%{REQUEST_HEADERS.Host}.YandexBot',msg:'IM360 WAF: Rate limit counter for YandexBot Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:yandbot_limit "@gt 0" "t:none,setvar:session.yandbot_limit=+1"

# 77194842: initialise the counter (1, 60-second expiry set at creation).
SecRule REQUEST_HEADERS:User-Agent "@rx YandexBot" "id:77194842,chain,phase:2,pass,nolog,t:none,severity:5,initcol:session='%{REQUEST_HEADERS.Host}.YandexBot',msg:'IM360 WAF: Rate limit counter for YandexBot Bot||Count:%{MATCHED_VAR}||Range:%{REQUEST_HEADERS.Range}||RSV:8.02||T:APACHE||',t:none,tag:'service_im360'"
    SecRule &SESSION:yandbot_limit "@eq 0" "t:none,setvar:session.yandbot_limit=1,expirevar:session.yandbot_limit=60,setvar:session.timeout=330"
SecMarker MarkerCrawlersBotsYandex
SecMarker MarkerCrawlersBots

# --- WordPress login brute force arriving from loopback ---
# State lives in one GLOBAL collection with the fixed key
# "wp_local_brute_force_collection", so the counter is shared by every site
# handled by this ModSecurity instance.
# 33364: any client other than 127.0.0.1 / ::1 skips the phase-2 rules of this
# group. skipAfter only affects the current phase, which is why the phase-3
# rule 33366 repeats the loopback test.
SecRule TX:remote_addr "!@ipMatch 127.0.0.1,::1" "pass,nolog,id:33364,phase:2,t:none,skipAfter:WP_LBF_MARKER,severity:5,tag:'noshow'"

# 33365: audit-log when the block flag is set for a POST carrying non-empty
# "log" and "pwd" arguments. Log-only ("pass").
# NOTE(review): this chain is declared phase:2 but tests RESPONSE_HEADERS,
# which are normally not populated before phase 3 - confirm it can match.
SecRule REQUEST_METHOD "^POST$" "id:33365,chain,pass,skipAfter:WP_LBF_MARKER,nolog,auditlog,phase:2,severity:5,msg:'IM360 WAF: Local WP brute force attempts limit exceed flag||RSV:8.02||T:APACHE||global_collection:%{global.key}||login_attempts:%{global.login_attempts}||WPU:%{ARGS.log}||REMOTE_ADDR:%{tx.remote_addr}||',tag:'service_im360',tag:'noshow'"
    SecRule ARGS:log "!@rx ^$" "chain,t:none"
    SecRule ARGS:pwd "!@rx ^$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-cookie "@contains wordpress_" "chain,t:none"
    SecRule &RESPONSE_HEADERS:Location "@eq 0" "chain,t:none,initcol:global=wp_local_brute_force_collection"
    SecRule GLOBAL:local_brute_block "@eq 1" "t:none"

# 33366 (phase 3): counts what the msg calls a failed login - a loopback POST
# with credentials whose response sets a "wordpress_" cookie but carries no
# Location header. Adds 1 to global.login_attempts with a 360-second expiry
# re-applied on each hit.
SecRule REQUEST_METHOD "^POST$" "t:none,chain,id:33366,msg:'IM360 WAF: Local WP failed login attempt||%{REQUEST_HEADERS.Host}||MTD:%{tx.0}||WPU:%{ARGS.log}||',pass,nolog,phase:3,severity:5,tag:'service_im360',tag:'noshow'"
    SecRule TX:remote_addr "@ipMatch 127.0.0.1,::1" "t:none,chain"
    SecRule ARGS:pwd "!@rx ^$" "t:none,chain"
    SecRule ARGS:log "!@rx ^$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-cookie "@contains wordpress_" "chain,t:none"
    SecRule &RESPONSE_HEADERS:Location "@eq 0" "t:none,initcol:global=wp_local_brute_force_collection,setvar:global.login_attempts=+1,expirevar:global.login_attempts=360"

# 33367: audit-log when global.login_attempts exceeds 360 (log-only).
# "chain" appears twice in the starter's action list.
# NOTE(review): setvar:global.local_brute_block=1 sits on the ARGS:log line,
# ahead of the "@gt 360" test, so the flag appears to be set for 60 seconds by
# any loopback login POST regardless of the threshold - confirm whether the
# setvar was meant for the final line.
SecRule REQUEST_METHOD "@rx ^POST$" "id:33367,chain,phase:2,pass,nolog,auditlog,severity:5,chain,t:none,msg:'IM360 WAF: Local WP brute force limit exceed||global_collection:%{global.key}||login_attempts:%{global.login_attempts}||WPU:%{ARGS.log}||REMOTE_ADDR:%{tx.remote_addr}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule TX:remote_addr "@ipMatch 127.0.0.1,::1" "chain,t:none"
    SecRule ARGS:pwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,initcol:global=wp_local_brute_force_collection,setvar:global.local_brute_block=1,expirevar:global.local_brute_block=60"
    SecRule GLOBAL:login_attempts "@gt 360" "t:none"
SecMarker WP_LBF_MARKER

# --- XML-RPC fault-response limit (key: Host header + REMOTE_ADDR) ---
# 33374 (phase 3): turn on response-body inspection for POSTs to a file ending
# in xmlrpc.php so the phase-5 rules below can read RESPONSE_BODY.
SecRule REQUEST_METHOD "^POST$" "id:33374,chain,phase:3,pass,nolog,severity:5,t:none,msg:'IM360 WAF: XMLRPC response body access||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,ctl:responseBodyAccess=On"

# 77350458: block while xmlrpc_faultcode_block is 1. Unlike 77350447 this pair
# has no whitelist or private-address exemption.
SecRule REQUEST_URI "@contains xmlrpc.php" "id:77350458,chain,phase:2,block,nolog,auditlog,severity:2,initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR},msg:'IM360 WAF: Rate limit exceeded for XMLRPC DoS (fault code)||Count:%{SESSION.xmlrpc_faultcode_limit}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:xmlrpc_faultcode_block "@eq 1" "t:none"

# 77350459: threshold. More than 40 counted fault responses resets the counter
# and sets the block flag for 240 seconds.
SecRule REQUEST_URI "@contains xmlrpc.php" "id:77350459,chain,phase:2,block,nolog,auditlog,severity:2,initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR},msg:'IM360 WAF: Rate limit exceeded for XMLRPC DoS (fault code)||Count:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule SESSION:xmlrpc_faultcode_limit "@gt 40" "t:none,setvar:session.xmlrpc_faultcode_limit=0,setvar:session.xmlrpc_faultcode_block=1,expirevar:session.xmlrpc_faultcode_block=240"

# 33375 (phase 5): count responses whose XML-RPC faultCode is 40 or 400-409
# (pattern "40\d?"). Adds 1 with a 30-second expiry re-applied per hit;
# skip:1 jumps over 33376 when this chain matches.
SecRule REQUEST_METHOD "^POST$" "id:33375,chain,phase:5,pass,skip:1,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XMLRPC fault response||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "chain,t:none"
    SecRule RESPONSE_BODY "@contains <name>faultCode</name>" "chain,t:none"
    SecRule RESPONSE_BODY "@rx <name>faultCode<\/name>\s+<value><int>40\d?<\/int>" "initcol:session=%{REQUEST_HEADERS.Host}.%{REMOTE_ADDR},setvar:session.timeout=300,setvar:session.xmlrpc_faultcode_limit=+1,expirevar:session.xmlrpc_faultcode_limit=30"

# 33376: any other fault response marks the transaction for 77333760.
SecRule REQUEST_METHOD "^POST$" "id:33376,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XMLRPC fault response||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "chain,t:none"
    SecRule RESPONSE_BODY "@contains <name>faultCode" "t:none,setvar:tx.req_body_size_insp=1"

# 77333760: log request/response sizes for marked transactions, but only when
# the md5+hexEncode of UNIQUE_ID ends in "fffff" - presumably a sampling gate
# that keeps log volume low; confirm.
SecRule TX:req_body_size_insp "@eq 1" "id:77333760,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: XMLRPC fault response body size collection||MV:%{MATCHED_VAR}||Response_Content-Length:%{RESPONSE_HEADERS.Content-Length}||Request_Content-Length:%{REQUEST_HEADERS.Content-Length}||Response_body_length:%{RESPONSE_BODY_LENGTH}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule UNIQUE_ID "@endsWith fffff" "t:none,capture,t:md5,t:hexEncode"

# --- WordPress auto-login detection (phase 3, log-only) ---
# 77350348: a GET to a .php script answered with 302 and a
# wordpress_logged_in_* cookie, on a path outside the listed login/SSO
# endpoints. "^GET" has no end anchor. The Set-Cookie line stores the last six
# word characters of the cookie value in tx.wp_cookie and sets
# ip.wp_logged_in (600 s) and ip.wp_auto_install (5 s); those setvars run when
# that line matches, before the path exclusion below is evaluated.
# The msg writes tx.wp_cookie to the audit log, so audit logs hold a fragment
# of a live session cookie and should be access-controlled accordingly.
# trap.lua is not shown on this page; it presumably sets TX:trapped and
# TX:trapinfo, which rule 33329 reads - confirm. The closing "&ARGS @ge 0"
# test is always true.
SecRule REQUEST_METHOD "^GET" "id:77350348,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Successful WordPress auto-login||Log:%{ARGS.log}||Time:%{TIME}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||wp_cookie:%{tx.wp_cookie}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
    SecRule REQUEST_BASENAME "@rx \.php$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-Cookie "@rx wordpress_logged_in_[^=]+=[^;]+(\w{6});" "t:none,capture,chain,setvar:tx.wp_cookie=%{tx.1},initcol:ip=%{tx.remote_addr},setvar:ip.wp_logged_in=1,expirevar:ip.wp_logged_in=600,setvar:ip.wp_auto_install=1,expirevar:ip.wp_auto_install=5"
    SecRule REQUEST_URI "!@rx ^/(index\.php|wp-login\.php|wp-load\.php|wp-signup\.php|wp-admin/|sapp-wp-signon\.php|deleteme\.sso.{0,999}\.php|deleteme\..{0,999}\.php|wp-da-sso-|sso\.php|saml2/idp|wpgateway-web\.php|o2-qc-|.{10}\.php|wp-content/plugins/skure-connect/includes/skure-sso-connect-request\.php|wp-includes/customize/)" "chain,t:none"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"

# --- FundEngine privilege escalation (CVE-2024-6698, per the rule msg) ---
# 77350462: POST to a URI containing "profile-form/billing-submit/" with any
# argument whose name matches /wp_capabilities/. The action is "pass", so in
# this file the rule only writes an audit-log entry; whether enforcement
# happens elsewhere in the ruleset cannot be seen from here.
SecRule REQUEST_METHOD "^POST$" "id:77350462,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Authenticated Privilege Escalation in FundEngine - Donation and Crowdfunding Platform <= 1.7.0 (CVE-2024-6698)||MV:%{MATCHED_VAR}||WPU:%{tx.wp_user}||Logged:%{IP.wp_logged_in}||RSV:8.02||T:APACHE||',tag:'wp_core'"
    SecRule REQUEST_URI "@pm profile-form/billing-submit/" "chain,t:urlDecode"
    SecRule ARGS:/wp_capabilities/ "(.{1,999})" "t:none,t:urlDecode"

# --- Google Tag Manager container-ID indicator (phase 5, log-only) ---
# 77591756: GET/POST whose Referer contains googletagmanager.com and whose
# Referer or arguments carry one of the listed GTM-* container IDs. The msg
# calls these "Known GTM ID"; why each ID is listed is not stated here.
SecRule REQUEST_METHOD "@rx ^(?:GET|POST)$" "id:77591756,chain,phase:5,pass,nolog,auditlog,severity:6,t:none,msg:'IM360 WAF: Known GTM ID in Referer||SC:%{SCRIPT_FILENAME}||User:%{SCRIPT_USERNAME}||Host.referer:%{REQUEST_HEADERS.Host}.%{REQUEST_HEADERS.Referer}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'service_im360'"
    SecRule REQUEST_HEADERS:Referer "@contains googletagmanager.com" "chain,t:none"
    SecRule REQUEST_HEADERS:Referer|ARGS_POST|ARGS_GET "@rx (?i)\bGTM-(K5PQ9PGV|WXN4NCG|N7PP3X2|TC8JJS2|NH2LCRH|MT3XMX7|W8FXL6X5|KQF4P5L|M9Q3LR7|M6DS7C8|55SBK75|572RKHP|KC9DJLG|5VS39VW|WTSJ3SC|NK8JRQF|WNRSNMZ|NZGWCTH|TNBP8LK|N6S5V8D|558TV3D|PPF8WQW|WSDRKND|W4KZD63|NLH4QC4|5PJ4D68|TKFWZ45|NZT4GS8|5NTCJ5P|PC7D7TZ|5P8RSN3|TQFNC65|MQFR2NV|WHM7KJG|MCX8BFT|WP5Z2MD|KLKXFG9|K2NR34K|WJ6S9J6|K5ZPXSP|NSTTR9L|W837TXD|T78G58G|N9TF36T|NKC68MF|KF5DC95|5TMJ5CH|5MC682V|M4JQ37X|MC7J23V|P6X6FSH|P6WDDJ5|PC93T7S|M92CV3G|MF8QMZG|PSGMGKC|TMD8H65|MR3SLDV|MGHDWT8|KX36TXD|NL6NQGJ|KS9CDS2|T73M628|5R8G3N7|NFHZMDF|MJ933VN|KLVWG5S|WDRSKFH|MX7L8F2M|MF6ZFZZ|W52PB9H|NT8PNPZ|NKV5GMT8|W4LHV3C|WP95KK9|TVKQ79ZS|M6D53FL|T9MR3B6|TQ59HZG|M2T34WN|T28MV23|KRDG8TM|K4LTVK2|PB7B4WJX|NSQDRQH|PBZFWT|WJGC2CJ|TSF3R9C|KZLWKSD|NJHPNPW|N43V97LQ|5NVFF84|NTV2JTB4|56TPTJ8|PCNFTPH|PHD259R|P3GPBLF|KWPFGXJ|T8LQ3MN|5MNHBG3|KTGCVGT|52JS5K3|NBG6F2WS|KCZFT63|5GJW66B|KXD5V8S|M48MTZQ|MZB2G2C|PL4KZSM|WDBKWDTN|TGC43ZZ|KFC63RX|WKB3MZQ|5265DQT|T5J72ZB|TC6B644|KX5RSMB|MZR48MH|T2D8LKK|PDS7KRZ|N3B4VT9D|5772KFL|MKCV9JR|TRDLM7Q|WFZKNRQ|MT6784R|MRC9H4D|M8DFKLC|59TGWQ7|53M24QWG|T6TJHBR|N8T88JX|WWWNW2KJ|TNWTCWR|KXKF262|WVGX7LX|M9ND4W|T6Q2FKB|KFD8FJ6|WNV8QFR|P9Z2C2TT|KGMSGSH|WQM66DN|5SF293J|56RM8M2|KJWT839)\b" "t:none,capture"

# --- WordPress plugin/theme enumeration via readme.txt (IP collection) ---
# 77816166 (phase 5): count 404 responses for
# /wp-content/(plugins|themes)/<name>/readme.txt; the 300-second expiry is
# re-applied on each counted 404. The request method is not checked here.
SecRule REQUEST_URI "@rx \x2fwp-content\x2f(?:plugins|themes)\x2f[^\x2f]{1,128}\x2freadme\.txt$" "id:77816166,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:urlDecodeUni,msg:'IM360 WAF: WP plugin/theme readme.txt enumeration 404 counter||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'utility'"
    SecRule RESPONSE_STATUS "@streq 404" "t:none,initcol:ip=%{tx.remote_addr},setvar:ip.enum_readme_404=+1,expirevar:ip.enum_readme_404=300"

# 77816167 (phase 2): once the counter is 3 or more, block further GETs that
# match the same readme.txt pattern. Other URLs from that address are not
# affected by this rule.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77816167,chain,phase:2,block,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WP plugin/theme readme.txt enumeration detected (3+ failed probes in 300s)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'utility'"
    SecRule REQUEST_METHOD "@streq GET" "chain,t:none"
    SecRule REQUEST_URI "@rx \x2fwp-content\x2f(?:plugins|themes)\x2f[^\x2f]{1,128}\x2freadme\.txt$" "chain,t:none,t:lowercase,t:urlDecodeUni,initcol:ip=%{tx.remote_addr}"
    SecRule ip:enum_readme_404 "@ge 3" "t:none"

# --- WordPress theme enumeration via style.css (IP collection) ---
# 77816168 (phase 5): count 404 responses for /wp-content/themes/<name>/style.css.
SecRule REQUEST_URI "@rx \x2fwp-content\x2fthemes\x2f[^\x2f]{1,128}\x2fstyle\.css$" "id:77816168,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,t:lowercase,t:urlDecodeUni,msg:'IM360 WAF: WP theme style.css enumeration 404 counter||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'utility'"
    SecRule RESPONSE_STATUS "@streq 404" "t:none,initcol:ip=%{tx.remote_addr},setvar:ip.enum_stylecss_404=+1,expirevar:ip.enum_stylecss_404=300"

# 77816169 (phase 2): same threshold as the readme.txt rule, but the action is
# "pass" - detection is audit-logged and the request is not rejected.
SecRule &TX:rbl_whitelist_check "@eq 0" "id:77816169,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WP theme style.css enumeration detected (3+ failed probes in 300s)||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',tag:'utility'"
    SecRule REQUEST_METHOD "@streq GET" "chain,t:none"
    SecRule REQUEST_URI "@rx \x2fwp-content\x2fthemes\x2f[^\x2f]{1,128}\x2fstyle\.css$" "chain,t:none,t:lowercase,t:urlDecodeUni,initcol:ip=%{tx.remote_addr}"
    SecRule ip:enum_stylecss_404 "@ge 3" "t:none"

# --- Housekeeping ---
# 33329 (phase 5): when TX:trapped is 1, audit-log TX.trapinfo and clear the flag.
SecRule TX:trapped "@eq 1" "id:33329,phase:5,t:none,pass,nolog,auditlog,msg:'IM360 WAF: IPRec %{TX.trapinfo}||RSV:8.02||T:APACHE||',severity:7,tag:'service_im360',tag:'noshow',setvar:tx.trapped=0"

# 33312: ruleset self-test. A request whose "i360test" argument equals this
# fixed value is blocked with status 406 and audit-logged, which lets an
# operator confirm the ruleset is loaded and enforcing.
SecRule ARGS:i360test "@streq 88ff0adf94a190b9d1311c8b50fe2891c85af732" "id:33312,msg:'IM360 WAF: Testing the IM360 ModSecurity ruleset||User:%{PATH_INFO}||RSV:8.02||T:APACHE||',phase:2,block,nolog,auditlog,status:406,t:none,t:lowercase,severity:2,tag:'service_im360'"