core-rules-2.0-part2.xml

<core-rules revision="1.6.1">
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:4" id="sid2003897" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/whstart\.js)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Adobe RoboHelp XSS Attempt whstart.js</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:5" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Adobe RoboHelp XSS Attempt whstart.js</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003897) ET WEB Adobe RoboHelp XSS Attempt whstart.js</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:9" id="sid2003898" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/whcsh_home\.htm)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:10" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003898) ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:14" id="sid2003899" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/wf_startpage\.js)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:15" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003899) ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:19" id="sid2003900" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/wf_startqs\.htm)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:20" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003900) ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:24" id="sid2003901" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/WindowManager\.dll)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:25" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003901) ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:29" id="sid2001945" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/apage\.cgi)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB WebAPP Apage.CGI Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache.cgi</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:30" id="" phase="">
      <selector>ARGS:f</selector>
      <operator>(?i:(\.\|.+\|))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB WebAPP Apage.CGI Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001945) ET WEB WebAPP Apage.CGI Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:34" id="sid2001669" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET http\://</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Proxy GET Request</msg>
      <tag>bad-unknown</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Proxy GET Request</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001669) ET WEB Proxy GET Request</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:38" id="sid2001670" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains HEAD http\://</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB Proxy HEAD Request</msg>
      <tag>bad-unknown</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Proxy HEAD Request</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001670) ET WEB Proxy HEAD Request</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:42" id="sid2001674" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains POST http\://</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Proxy POST Request</msg>
      <tag>bad-unknown</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Proxy POST Request</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001674) ET WEB Proxy POST Request</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:46" id="sid2001675" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains CONNECT </operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Proxy CONNECT Request</msg>
      <tag>bad-unknown</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Proxy CONNECT Request</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001675) ET WEB Proxy CONNECT Request</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:50" id="sid2003156" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Crewbox Proxy Scan</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:51" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains crewbox.by.ru/crew/</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Crewbox Proxy Scan</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003156) ET WEB Crewbox Proxy Scan</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:55" id="sid2002900" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/awstats\.pl)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB CGI AWstats Migrate Command Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Awstats</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:56" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:migrate\s*=\s*\|)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB CGI AWstats Migrate Command Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002900) ET WEB CGI AWstats Migrate Command Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:60" id="sid2002711" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains /includer.cgi?|7c|</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB includer.cgi Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_CGI</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB includer.cgi Remote Command Execution Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2002711) ET WEB includer.cgi Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:64" id="sid2002129" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET </operator>
    <actions>
      <chain/>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB Cacti Input Validation Attack</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:65" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(config_settings|top_graph_header)\.php\?.*=(http|https)\:\/)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti Input Validation Attack</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002129) ET WEB Cacti Input Validation Attack</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:69" id="sid2002313" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/graph_image\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Cacti graph_image.php Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:70" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(graph_start=%0a.+%0a))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti graph_image.php Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002313) ET WEB Cacti graph_image.php Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:74" id="sid2003334" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmd\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:75" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains UNION</operator>
      <actions/>
    </rule>
    <comment> (sid 2003334) ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:76" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains SELECT</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:80" id="sid2007889" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:graph_view\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:81" id="" phase="">
      <selector>ARGS:graph_list</selector>
      <operator>(?i:.+UNION\s+SELECT)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007889) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:85" id="sid2007890" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:graph_view\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:86" id="" phase="">
      <selector>ARGS:graph_list</selector>
      <operator>(?i:.+INSERT.+INTO)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007890) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:90" id="sid2007891" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:graph_view\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:91" id="" phase="">
      <selector>ARGS:graph_list</selector>
      <operator>(?i:.+DELETE.+FROM)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007891) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:95" id="sid2007892" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:graph_view\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:96" id="" phase="">
      <selector>ARGS:graph_list</selector>
      <operator>(?i:.+UPDATE.+SET)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007892) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:100" id="sid2007893" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:tree\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:101" id="" phase="">
      <selector>ARGS:leaf_id</selector>
      <operator>(?i:.+SELECT.+FROM)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007893) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:105" id="sid2007894" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:tree\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:106" id="" phase="">
      <selector>ARGS:leaf_id</selector>
      <operator>(?i:.+UNION\s+SELECT)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007894) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:110" id="sid2007895" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:tree\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:111" id="" phase="">
      <selector>ARGS:leaf_id</selector>
      <operator>(?i:.+INSERT.+INTO)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007895) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:115" id="sid2007896" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:tree\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:116" id="" phase="">
      <selector>ARGS:leaf_id</selector>
      <operator>(?i:.+DELETE.+FROM)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007896) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:120" id="sid2007897" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:tree\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:121" id="" phase="">
      <selector>ARGS:leaf_id</selector>
      <operator>(?i:.+UPDATE.+SET)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007897) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:125" id="sid2004556" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/CCMAdmin\/serverlist\.asp)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cisco</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:126" id="" phase="">
      <selector>ARGS:pattern</selector>
      <operator>(?i:.*&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2004556) ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:130" id="sid2002376" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains OpenForm</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB IBM Lotus Domino BaseTarget XSS attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:131" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:BaseTarget=.*?\x22)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB IBM Lotus Domino BaseTarget XSS attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002376) ET WEB IBM Lotus Domino BaseTarget XSS attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:135" id="sid2002377" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains OpenFrameSet</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB IBM Lotus Domino Src XSS attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:136" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:src=.*\x22&gt;&lt;\/FRAMESET&gt;.*&lt;script&gt;.*&lt;\/script&gt;)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB IBM Lotus Domino Src XSS attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002377) ET WEB IBM Lotus Domino Src XSS attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:140" id="sid2009361" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmd\.exe)</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB cmd.exe In URI - Possible Command Execution Attempt</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB cmd.exe In URI - Possible Command Execution Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2009361) ET WEB cmd.exe In URI - Possible Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:144" id="sid2009362" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains /system32/</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2009362) ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:148" id="sid2009363" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:chmod.([r|w|x|1-7]))</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Suspicious Chmod Usage in URI</msg>
      <tag>attempted-admin</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Suspicious Chmod Usage in URI</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2009363) ET WEB Suspicious Chmod Usage in URI</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:152" id="sid2008171" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/OpenView5\.exe)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB HP OpenView Network Node Manager CGI Directory Traversal</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_HP_Openview</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:153" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions/>
    </rule>
    <comment> (sid 2008171) ET WEB HP OpenView Network Node Manager CGI Directory Traversal</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:154" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains /OvCgi/</operator>
    <actions/>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:155" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains Action=../../</operator>
    <actions/>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:156" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains  HTTP/1</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB HP OpenView Network Node Manager CGI Directory Traversal</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:160" id="sid2002897" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains /horde</operator>
    <actions>
      <chain/>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB Horde README access probe</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Horde</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:161" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Horde README access probe</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002897) ET WEB Horde README access probe</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:165" id="sid2001365" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains |3A 3A|$DATA</operator>
    <actions>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>8</rev>
      <msg>ET WEB-MISC Alternate Data Stream source view attempt</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_ADS_Source_Code_Exposure</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB-MISC Alternate Data Stream source view attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001365) ET WEB-MISC Alternate Data Stream source view attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:169" id="sid2001342" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.aspx)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>21</rev>
      <msg>ET WEB IIS ASP.net Auth Bypass / Canonicalization</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:170" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains GET</operator>
      <actions/>
    </rule>
    <comment> (sid 2001342) ET WEB IIS ASP.net Auth Bypass / Canonicalization</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:171" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:\\x5C)</operator>
    <actions/>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:172" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains aspx</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:176" id="sid2001343" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.aspx)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>19</rev>
      <msg>ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:177" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains GET</operator>
      <actions/>
    </rule>
    <comment> (sid 2001343) ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:178" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:\\x5C)</operator>
    <actions/>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:179" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains aspx</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:183" id="sid2009510" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains .jsp\:\:$DATA</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Java</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2009510) ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:187" id="sid2001546" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains LINK </operator>
    <actions>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC LINK Method</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_LINK_Method</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB-MISC LINK Method</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001546) ET WEB-MISC LINK Method</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:191" id="sid2002777" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/index\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Light Weight Calendar \date\ Arbitrary Remote Code Execution</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Light_Weight_Calendar</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:192" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:date=\d{8}\)\;.+)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Light Weight Calendar \date\ Arbitrary Remote Code Execution</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002777) ET WEB Light Weight Calendar &apos;date&apos; Arbitrary Remote Code Execution</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:196" id="sid2001075" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains &lt;IMG</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB-MISC cross site scripting attempt IMG onerror or onload</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:197" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:\bonerror\b[\s]*=)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt IMG onerror or onload</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001075) ET WEB-MISC cross site scripting attempt IMG onerror or onload</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:201" id="sid2001077" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains application/x-javascript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:202" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:TYPE\s*=\s*[&apos;\x22]application\/x-javascript)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001077) ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:206" id="sid2001078" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains text/jscript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:207" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:TYPE\s*=\s*[&apos;\x22]text\/jscript)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001078) ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:211" id="sid2001079" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains text/vbscript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>8</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:212" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:TYPE\s*=\s*[&apos;\x22]text\/vbscript)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001079) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:216" id="sid2001080" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains application/x-vbscript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>8</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:217" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:TYPE\s*=\s*[&apos;\x22]application\/x-vbscript)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001080) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:221" id="sid2001081" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains text/ecmascript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:222" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:TYPE\s*=\s*[&apos;\x22]text\/ecmascript)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001081) ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:226" id="sid2001082" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains expression</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:227" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:STYLE[\s]*=[\s]*[^&gt;]expression[\s]*\()</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001082) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:231" id="sid2001083" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains expression</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:232" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:[\s]*expression[\s]*\([^}]}[\s]*&lt;\/STYLE&gt;)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001083) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2</comment>
  </rule>
<!--
	following disabled as the crash some browsers :-((
	25-dec-10

  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:236" id="sid2001084" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains &lt;XML</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB-MISC cross site scripting attempt using XML</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:237" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains &lt;![CDATA[&lt;]]&gt;SCRIPT</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt using XML</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001084) ET WEB-MISC cross site scripting attempt using XML</comment>
  </rule>
-->
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:241" id="sid2001085" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains innerhtml</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt executing hidden Javascript 1</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:242" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 1</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001085) ET WEB-MISC cross site scripting attempt executing hidden Javascript 1</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:246" id="sid2001086" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains window.execscript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting attempt executing hidden Javascript 2</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:247" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:window.execScript[\s]*\()</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 2</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001086) ET WEB-MISC cross site scripting attempt executing hidden Javascript 2</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:251" id="sid2001087" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains javascript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB-MISC cross site scripting attempt to execute Javascript code</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:252" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*javascript[\:])</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt to execute Javascript code</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001087) ET WEB-MISC cross site scripting attempt to execute Javascript code</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:256" id="sid2001088" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains vbscript</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB-MISC cross site scripting attempt to execute VBScript code</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:257" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*vbscript[\:])</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt to execute VBScript code</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001088) ET WEB-MISC cross site scripting attempt to execute VBScript code</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:261" id="sid2001089" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains shell</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB-MISC cross site scripting attempt to access SHELL:</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:262" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*shell[\:])</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting attempt to access SHELL:</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001089) ET WEB-MISC cross site scripting attempt to access SHELL\:</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:266" id="sid2001090" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains =</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting stealth attempt to execute Javascript code</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:267" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute Javascript code</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001090) ET WEB-MISC cross site scripting stealth attempt to execute Javascript code</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:271" id="sid2001091" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains =</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB-MISC cross site scripting stealth attempt to execute VBScript code</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:272" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute VBScript code</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001091) ET WEB-MISC cross site scripting stealth attempt to execute VBScript code</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:276" id="sid2001092" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[&apos;\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>8</rev>
      <msg>ET WEB-MISC cross site scripting stealth attempt to access SHELL:</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB-MISC cross site scripting stealth attempt to access SHELL:</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001092) ET WEB-MISC cross site scripting stealth attempt to access SHELL\:</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:280" id="sid2002361" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/nquser\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Netquery Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netquery</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:281" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(host=\|.+))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Netquery Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002361) ET WEB Netquery Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:285" id="sid2007936" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:webmail\.exe)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netwin</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:286" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains GET</operator>
      <actions/>
    </rule>
    <comment> (sid 2007936) ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:287" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:[%n%s]{2,})</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:291" id="sid2002997" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB PHP Remote File Inclusion (monster list http)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:292" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains http</operator>
      <actions/>
    </rule>
    <comment> (sid 2002997) ET WEB PHP Remote File Inclusion (monster list http)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:293" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP Remote File Inclusion (monster list http)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:297" id="sid2003098" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB PHP Remote File Inclusion (monster list ftp)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:298" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains ftp\:</operator>
      <actions/>
    </rule>
    <comment> (sid 2003098) ET WEB PHP Remote File Inclusion (monster list ftp)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:299" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*ftp)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP Remote File Inclusion (monster list ftp)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:303" id="sid2003935" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB PHP Remote File Inclusion (monster list php)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:304" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB PHP Remote File Inclusion (monster list php)</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003935) ET WEB PHP Remote File Inclusion (monster list php)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:308" id="sid2002730" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/help_text_vars\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB PHPGedView Remote Script Code Execution attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPGedView</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:309" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:PGV_BASE_DIRECTORY=(f|ht)tp\:\/)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB PHPGedView Remote Script Code Execution attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002730) ET WEB PHPGedView Remote Script Code Execution attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:313" id="sid2002314" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/prod\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPOutsourcing</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:314" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(argv[1]=\|.+))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002314) ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:318" id="sid2001344" phase="2">
    <selector>ARGS_NAMES</selector>
    <operator>(?i:edp_relative_path)</operator>
    <actions>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB PHP EasyDynamicPages exploit</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_EasyDynamicPages_Exploit</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP EasyDynamicPages exploit</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2001344) ET WEB PHP EasyDynamicPages exploit</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:322" id="sid2009336" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cfexec\.cfm)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor cfexec.cfm access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:323" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor cfexec.cfm access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009336) ET WEB Possible Web Backdoor cfexec.cfm access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:327" id="sid2009337" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmdasp\.asp)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor cmdasp.asp access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:328" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor cmdasp.asp access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009337) ET WEB Possible Web Backdoor cmdasp.asp access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:332" id="sid2009338" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmdasp\.aspx)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor cmdasp.aspx access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:333" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor cmdasp.aspx access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009338) ET WEB Possible Web Backdoor cmdasp.aspx access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:337" id="sid2009339" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/simple\-backdoor\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor simple-backdoor.php access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:338" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor simple-backdoor.php access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009339) ET WEB Possible Web Backdoor simple-backdoor.php access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:342" id="sid2009340" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/php\-backdoor\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor php-backdoor.php access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:343" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor php-backdoor.php access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009340) ET WEB Possible Web Backdoor php-backdoor.php access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:347" id="sid2009341" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/jsp\-reverse\.jsp)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor jsp-reverse.jsp access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:348" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor jsp-reverse.jsp access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009341) ET WEB Possible Web Backdoor jsp-reverse.jsp access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:352" id="sid2009342" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/perlcmd\.cgi)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor perlcmd.cgi access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:353" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor perlcmd.cgi access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009342) ET WEB Possible Web Backdoor perlcmd.cgi access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:357" id="sid2009343" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmdjsp\.jsp)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor cmdjsp.jsp access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:358" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor cmdjsp.jsp access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009343) ET WEB Possible Web Backdoor cmdjsp.jsp access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:362" id="sid2009344" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/cmd\-asp\-5\.1\.asp)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Possible Web Backdoor cmd-asp-5.1.asp access</msg>
      <tag>trojan-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:363" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Possible Web Backdoor cmd-asp-5.1.asp access</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2009344) ET WEB Possible Web Backdoor cmd-asp-5.1.asp access</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:367" id="sid2002972" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains filename=</operator>
    <actions>
      <chain/>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB PHP ZeroBoard .htaccess upload</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_ZeroBoard</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:368" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:^\s*\.htaccess)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB PHP ZeroBoard .htaccess upload</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002972) ET WEB PHP ZeroBoard .htaccess upload</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:372" id="sid2001738" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:forumdisplay\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>9</rev>
      <msg>ET WEB PHP vBulletin Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:373" id="" phase="">
      <selector>ARGS:comma</selector>
      <operator>(?i:(\.system\(.+\)\.))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB PHP vBulletin Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2001738) ET WEB PHP vBulletin Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:377" id="sid2002388" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/misc\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB vBulletin misc.php Template Name Arbitrary Code Execution</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:378" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains &amp;template=.*{${</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB vBulletin misc.php Template Name Arbitrary Code Execution</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002388) ET WEB vBulletin misc.php Template Name Arbitrary Code Execution</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:382" id="sid2002837" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/pmwiki\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB PmWiki Globals Variables Overwrite Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PMWiki</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:383" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains GLOBALS[FarmD]=</operator>
      <actions/>
    </rule>
    <comment> (sid 2002837) ET WEB PmWiki Globals Variables Overwrite Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:384" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:GLOBALS\x5bFarmD\x5d\x3d)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PmWiki Globals Variables Overwrite Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:388" id="sid2008687" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/passwiki\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB PassWiki site_id Parameter Local File Inclusion</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PassWiki</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:389" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains GET </operator>
      <actions/>
    </rule>
    <comment> (sid 2008687) ET WEB PassWiki site_id Parameter Local File Inclusion</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:390" phase="2">
    <selector>ARGS:site_id</selector>
    <operator>(?i:(\.\.\/){1,})</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PassWiki site_id Parameter Local File Inclusion</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:394" id="sid2007871" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Philips VOIP841 Web Server Directory Traversal</msg>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Philips_VOIP</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:395" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains /etc/passwd</operator>
      <actions/>
    </rule>
    <comment> (sid 2007871) ET WEB Philips VOIP841 Web Server Directory Traversal</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:396" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:(\.\.\/){1,})</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Philips VOIP841 Web Server Directory Traversal</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:400" id="sid2002331" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/piranha\/secure\/control\.php3)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB Piranha default passwd attempt</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Piranha</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:401" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>@contains Authorization\: Basic cGlyYW5oYTp</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Piranha default passwd attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002331) ET WEB Piranha default passwd attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:405" id="sid2008622" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB Pritlog index.php filename File Disclosure</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Pritlog</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:406" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains /index.php?option=viewEntry</operator>
      <actions/>
    </rule>
    <comment> (sid 2008622) ET WEB Pritlog index.php filename File Disclosure</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:407" phase="2">
    <selector>ARGS:&amp;filename</selector>
    <operator>(?i:(\.\.\/){1,})</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Pritlog index.php filename File Disclosure</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:411" id="sid2009152" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB PHP Generic Remote File Include Attempt (HTTPS)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:412" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains =https\:/</operator>
      <actions/>
    </rule>
    <comment> (sid 2009152) ET WEB PHP Generic Remote File Include Attempt (HTTPS)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:413" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP Generic Remote File Include Attempt (HTTPS)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:417" id="sid2009153" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB PHP Generic Remote File Include Attempt (FTP)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:418" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains =ftp\:/</operator>
      <actions/>
    </rule>
    <comment> (sid 2009153) ET WEB PHP Generic Remote File Include Attempt (FTP)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:419" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTP)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:423" id="sid2009155" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB PHP Generic Remote File Include Attempt (FTPS)</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:424" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains =ftps\:/</operator>
      <actions/>
    </rule>
    <comment> (sid 2009155) ET WEB PHP Generic Remote File Include Attempt (FTPS)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:425" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTPS)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:429" id="sid2002660" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\?Redirect)</operator>
    <actions>
      <chain/>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB RSA Web Auth Exploit Attempt - Long URL</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RSA</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:430" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:url=.{8000})</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB RSA Web Auth Exploit Attempt - Long URL</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002660) ET WEB RSA Web Auth Exploit Attempt - Long URL</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:434" id="sid2006443" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains DELETE </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Possible SQL Injection Attempt DELETE FROM</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:435" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains  FROM </operator>
      <actions/>
    </rule>
    <comment> (sid 2006443) ET WEB Possible SQL Injection Attempt DELETE FROM</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:436" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:DELETE.+FROM)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Possible SQL Injection Attempt DELETE FROM</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:440" id="sid2006444" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains INSERT </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Possible SQL Injection Attempt INSERT INTO</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:441" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains  INTO </operator>
      <actions/>
    </rule>
    <comment> (sid 2006444) ET WEB Possible SQL Injection Attempt INSERT INTO</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:442" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:INSERT.+INTO)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Possible SQL Injection Attempt INSERT INTO</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:446" id="sid2006445" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains SELECT </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Possible SQL Injection Attempt SELECT FROM</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:447" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains  FROM </operator>
      <actions/>
    </rule>
    <comment> (sid 2006445) ET WEB Possible SQL Injection Attempt SELECT FROM</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:448" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:SELECT.+FROM)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Possible SQL Injection Attempt SELECT FROM</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:452" id="sid2006446" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains UNION </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>6</rev>
      <msg>ET WEB Possible SQL Injection Attempt UNION SELECT</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:453" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains  SELECT </operator>
      <actions/>
    </rule>
    <comment> (sid 2006446) ET WEB Possible SQL Injection Attempt UNION SELECT</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:454" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:UNION\s+SELECT)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Possible SQL Injection Attempt UNION SELECT</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:458" id="sid2006447" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains UPDATE </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB Possible SQL Injection Attempt UPDATE SET</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:459" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains  SET </operator>
      <actions/>
    </rule>
    <comment> (sid 2006447) ET WEB Possible SQL Injection Attempt UPDATE SET</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:460" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:[&amp;\?].*UPDATE.+SET)</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB Possible SQL Injection Attempt UPDATE SET</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:464" id="sid2003903" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/default\.aspx)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB Microsoft SharePoint XSS Attempt default.aspx</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:465" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Microsoft SharePoint XSS Attempt default.aspx</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003903) ET WEB Microsoft SharePoint XSS Attempt default.aspx</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:469" id="sid2003904" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/contact\/contact\/index\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:470" id="" phase="">
      <selector>ARGS:form[mail]</selector>
      <operator>(?i:&lt;?(java|vb)?script&gt;?.*&lt;.+\/script&gt;?)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003904) ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:474" id="sid2003705" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/site_conf\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:475" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:ordnertiefe)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003705) ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:479" id="sid2003706" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/class\.csv\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:480" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003706) ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:484" id="sid2003707" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/produkte_nach_serie\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:485" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003707) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:489" id="sid2003708" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/functionen\/ref_kd_rubrik\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:490" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003708) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:494" id="sid2003709" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/hg_referenz_jobgalerie\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:495" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003709) ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:499" id="sid2003710" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/surfer_anmeldung_NWL\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:500" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003710) ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:504" id="sid2003711" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/produkte_nach_serie_alle\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:505" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003711) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:509" id="sid2003712" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/surfer_aendern\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:510" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003712) ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:514" id="sid2003715" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/ref_kd_rubrik\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:515" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003715) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:519" id="sid2003713" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/module\/referenz\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:520" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003713) ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:524" id="sid2003714" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/standard\/1\/lay\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:525" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003714) ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:529" id="sid2003867" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/standard\/3\/lay\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:530" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:tt_docroot)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2003867) ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:534" id="sid2002662" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:%INCLUDE\s*{.*rev=\x22\d+\|.+\x22.*}\s*%)</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB TWiki INCLUDE remote command execution attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB TWiki INCLUDE remote command execution attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2002662) ET WEB TWiki INCLUDE remote command execution attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:538" id="sid2003085" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>(?i:&amp;TYPEOF\:.+system\s*\()</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2003085) ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:542" id="sid2003099" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains |00|</operator>
    <actions>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB-MISC Poison Null Byte</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_URI</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB-MISC Poison Null Byte</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2003099) ET WEB-MISC Poison Null Byte</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:546" id="sid2002494" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/index\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB Versatile Bulletin Board SQL Injection Attack</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_VersatileBB</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:547" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:select=.+UNION\s+SELECT)</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB Versatile Bulletin Board SQL Injection Attack</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002494) ET WEB Versatile Bulletin Board SQL Injection Attack</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:551" id="sid2002100" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/wps_shop\.cgi)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB WPS wps_shop.cgi Remote Command Execution Attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WPS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:552" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(art=\|.+\|))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB WPS wps_shop.cgi Remote Command Execution Attempt</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002100) ET WEB WPS wps_shop.cgi Remote Command Execution Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:556" id="sid2002844" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains SEARCH </operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB WebDAV search overflow</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Webdav</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB WebDAV search overflow</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2002844) ET WEB WebDAV search overflow</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:560" id="sid2004574" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/include\/sessionRegister\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB WikyBlog XSS Attempt sessionRegister.php</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WikyBlog</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:561" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains | 3C |</operator>
      <actions/>
    </rule>
    <comment> (sid 2004574) ET WEB WikyBlog XSS Attempt sessionRegister.php</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:562" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains SCRIPT</operator>
    <actions/>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:563" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains | 3E |</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB WikyBlog XSS Attempt sessionRegister.php</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:567" id="sid2007872" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB WinIPDS Directory Traversal Vulnerabilities GET</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:568" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities GET</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007872) ET WEB WinIPDS Directory Traversal Vulnerabilities GET</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:572" id="sid2007873" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains POST </operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB WinIPDS Directory Traversal Vulnerabilities POST</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:573" id="" phase="">
      <selector>QUERY_STRING|REQUEST_BODY</selector>
      <operator>(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))</operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities POST</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2007873) ET WEB WinIPDS Directory Traversal Vulnerabilities POST</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:577" id="sid2008553" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/wp\-login\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>2</rev>
      <msg>ET WEB WordPress Random Password Generation Insufficient Entropy Attack</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:578" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains POST </operator>
      <actions/>
    </rule>
    <comment> (sid 2008553) ET WEB WordPress Random Password Generation Insufficient Entropy Attack</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:579" phase="2">
    <selector>ARGS:action</selector>
    <operator>(?i:\w+(%20){60,})</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB WordPress Random Password Generation Insufficient Entropy Attack</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:583" id="sid2002408" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/grab_globals\.lib\.php)</operator>
    <actions>
      <chain/>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>7</rev>
      <msg>ET WEB phpMyAdmin Suspicious Activity</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:584" id="" phase="">
      <selector>REQUEST_URI_RAW</selector>
      <operator>@contains POST </operator>
      <actions>
        <ctl>auditLogParts=+E</ctl>
        <setvar>tx.msg=ET WEB phpMyAdmin Suspicious Activity</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> (sid 2002408) ET WEB phpMyAdmin Suspicious Activity</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:588" id="sid2002409" phase="2">
    <selector>QUERY_STRING|REQUEST_BODY</selector>
    <operator>@contains [redirect]</operator>
    <actions>
      <pass/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>5</rev>
      <msg>ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)</msg>
      <tag>web-application-activity</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2002409) ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:592" id="sid2002667" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains GET /sumthin HTTP/1.</operator>
    <actions>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>3</rev>
      <msg>ET WEB sumthin scan</msg>
      <tag>attempted-recon</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_sumthin</tag>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB sumthin scan</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> (sid 2002667) ET WEB sumthin scan</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:596" id="sid2003167" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>(?i:\/tiki\-featured_link\.php)</operator>
    <actions>
      <chain/>
      <block/>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>normalisePathWin</t>
      <capture/>
      <nolog/>
      <auditlog/>
      <logdata>%{TX.0}</logdata>
      <rev>4</rev>
      <msg>ET WEB tikiwiki featured link XSS attempt</msg>
      <tag>web-application-attack</tag>
      <tag>url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_tikiwiki</tag>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:597" id="" phase="">
      <selector>ARGS_NAMES</selector>
      <operator>(?i:type)</operator>
      <actions/>
    </rule>
    <comment> (sid 2003167) ET WEB tikiwiki featured link XSS attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_46_et_web_rules.conf:598" phase="2">
    <selector>REQUEST_URI_RAW</selector>
    <operator>@contains /iframe&gt;</operator>
    <actions>
      <ctl>auditLogParts=+E</ctl>
      <setvar>tx.msg=ET WEB tikiwiki featured link XSS attempt</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:15" phase="2">
    <selector>REQUEST_LINE</selector>
    <operator>^GET /$</operator>
    <actions>
      <chain/>
      <t>none</t>
      <pass/>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:16" id="" phase="">
      <selector>REMOTE_ADDR</selector>
      <operator>^(127\.0\.0\.|\:\:)1$</operator>
      <actions>
        <chain/>
      </actions>
      <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:17" id="" phase="">
        <selector>TX:&apos;/PROTOCOL_VIOLATION\\\/MISSING_HEADER/&apos;</selector>
        <operator>.*</operator>
        <actions>
          <chain/>
          <setvar>tx.missing_header=+1</setvar>
        </actions>
        <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:18" id="" phase="">
          <selector>TX:&apos;/MISSING_HEADER_/&apos;</selector>
          <operator>TX\:(.*)</operator>
          <actions>
            <capture/>
            <t>none</t>
          </actions>
        </rule>
      </rule>
    </rule>
    <comment> This file is used as an exception mechanism to remove common false positives
 that may be encountered.
 Exception for Apache SSL pinger</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:23" phase="2">
    <selector>REQUEST_LINE</selector>
    <operator>^(GET /|OPTIONS \*) HTTP/1.0$</operator>
    <actions>
      <chain/>
      <t>none</t>
      <pass/>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:24" id="" phase="">
      <selector>REMOTE_ADDR</selector>
      <operator>^(127\.0\.0\.|\:\:)1$</operator>
      <actions>
        <chain/>
      </actions>
      <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:25" id="" phase="">
        <selector>REQUEST_HEADERS:User-Agent</selector>
        <operator>^Apache.*\(internal dummy connection\)$</operator>
        <actions>
          <t>none</t>
        </actions>
      </rule>
    </rule>
    <comment> Exception for Apache internal dummy connection</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:26" phase="2">
    <selector>TX:&apos;/PROTOCOL_VIOLATION\\\/MISSING_HEADER/&apos;</selector>
    <operator>.*</operator>
    <actions>
      <chain/>
      <setvar>tx.missing_header=+1</setvar>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_47_common_exceptions.conf:27" id="" phase="">
      <selector>TX:&apos;/MISSING_HEADER_/&apos;</selector>
      <operator>TX\:(.*)</operator>
      <actions>
        <capture/>
        <t>none</t>
      </actions>
    </rule>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_49_enforcement.conf:24" phase="2">
    <selector>TX:ANOMALY_SCORE</selector>
    <operator>@ge 20</operator>
    <actions>
      <t>none</t>
      <nolog/>
      <auditlog/>
      <deny/>
      <msg>Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}</msg>
    </actions>
    <comment> Alert and Deny on High Anomaly Scores</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:18" id="970007" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;h2&gt;Site Error&lt;\/h2&gt;.{0,20}&lt;p&gt;An error was encountered while publishing this resource\.</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>Zope Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> Zope Information Leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:22" id="970008" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>Cold Fusion Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> CF Information Leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:26" id="970009" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;b&gt;Warning&lt;\/b&gt;.{0,100}?:.{0,1000}?\bon line\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>PHP Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> PHP Information Leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:30" id="970010" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ISA server existence revealed</msg>
      <tag>MISCONFIGURATION</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> ISA server existence revealed</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:34" id="970012" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;o:documentproperties&gt;</operator>
    <actions>
      <t>none</t>
      <nolog/>
      <auditlog/>
      <msg>Microsoft Office document properties leakage</msg>
      <tag>LEAKAGE/INFO</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> Microsoft Office document properties leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:38" id="970903" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\&lt;\%</operator>
    <actions>
      <chain/>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:39" id="" phase="">
      <selector>RESPONSE_BODY</selector>
      <operator>!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)</operator>
      <actions>
        <t>none</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.anomaly_score=+15</setvar>
      </actions>
    </rule>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:43" id="970016" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;cf</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>Cold Fusion source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> CF source code leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:47" id="970018" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>[a-z]:\\\\inetpub\b</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>IIS installed in default location</msg>
      <severity>3</severity>
    </actions>
    <comment> IIS default location</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:49" phase="2">
    <selector>&amp;GLOBAL:alerted_970018_iisDefLoc</selector>
    <operator>@eq 0</operator>
    <actions>
      <setvar>global.alerted_970018_iisDefLoc</setvar>
      <setvar>tx.msg=%{rule.msg}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:52" id="970901" phase="4">
    <selector>RESPONSE_STATUS</selector>
    <operator>^5\d{2}$</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>The application is not available</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> The application is not available</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:53" id="970118" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>(?:Microsoft OLE DB Provider for SQL Server(?:&lt;\/font&gt;.{1,20}?error &apos;800(?:04005|40e31)&apos;.{1,40}?Timeout expired| \(0x80040e31\)&lt;br&gt;Timeout expired&lt;br&gt;)|&lt;h1&gt;internal server error&lt;\/h1&gt;.*?&lt;h2&gt;part of the server has crashed or it has a configuration error\.&lt;\/h2&gt;|cannot connect to the server: timed out)</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>The application is not available</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:57" id="970021" phase="4">
    <selector>RESPONSE_STATUS</selector>
    <operator>^500$</operator>
    <actions>
      <chain/>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>WebLogic information disclosure</msg>
      <severity>3</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:58" id="" phase="">
      <selector>RESPONSE_BODY</selector>
      <operator>&lt;title&gt;JSP compile error&lt;\/title&gt;</operator>
      <actions>
        <t>none</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.anomaly_score=+15</setvar>
      </actions>
    </rule>
    <comment> Weblogic information disclosure</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:62" phase="2">
    <selector>TX:1</selector>
    <operator>!program files\x5cmicrosoft office\x5c(?:office|templates)</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> File or Directory Names Leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:67" phase="2">
    <selector>RESPONSE_BODY</selector>
    <operator>!@pm iframe</operator>
    <actions>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>lowercase</t>
      <pass/>
      <nolog/>
    </actions>
    <comment> IFrame Injection</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:79" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>!@pmFromFile modsecurity_50_outbound.data</operator>
    <actions>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <nolog/>
    </actions>
    <comment> Run PM check against response body data before running any RegEx Checks
 If nothing matches, then we skip the remainder of phase:4</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:83" id="971379" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bwscript\.shell\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> ASP/JSP source code leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:85" id="971300" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;jsp:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:87" id="971360" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\.addheader\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:89" id="971373" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bserver\.execute\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:91" id="971375" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bserver\.mappath\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:93" id="971369" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bresponse\.binarywrite\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:95" id="971372" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bserver\.createobject\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:97" id="971361" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\.createtextfile\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:99" id="971378" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bwscript\.network\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:101" id="971377" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bvbscript\.encode\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:103" id="971374" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bserver\.htmlencode\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:105" id="971301" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bjavax\.servlet</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:107" id="971371" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bscripting\.filesystemobject\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:109" id="971376" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bserver\.urlencode\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:111" id="971362" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\.getfile\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:113" id="971363" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\.loadfromfile\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:115" id="971370" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bresponse\.write\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>ASP/JSP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:119" id="958976" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bproc_open\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> PHP source code leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:121" id="958972" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bgzread\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:123" id="958963" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_nb_fget\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:125" id="958965" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_nb_get\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:127" id="958959" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfscanf\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:129" id="958978" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\breadfile\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:131" id="958955" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfgetss\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:133" id="958941" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\$_post\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:135" id="958982" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsession_start\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:137" id="958977" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\breaddir\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:139" id="958973" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bgzwrite\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:141" id="958981" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bscandir\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:143" id="958962" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_get\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:145" id="958958" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfread\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:147" id="958979" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\breadgzfile\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:149" id="958967" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_put\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:151" id="958968" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfwrite\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:153" id="958970" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bgzencode\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:155" id="958957" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfopen\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:157" id="958942" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\$_session\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:159" id="958964" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_nb_fput\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:161" id="958961" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_fput\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:163" id="958969" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bgzcompress\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:165" id="958946" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bbzopen\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:167" id="958971" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bgzopen\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:169" id="958953" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfgetc\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:171" id="958975" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bmove_uploaded_file\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:173" id="958966" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_nb_put\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:175" id="958940" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\$_get\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:177" id="958954" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bfgets\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:179" id="958960" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bftp_fget\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:182" id="970902" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;\?(?!xml)</operator>
    <actions>
      <chain/>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <nolog/>
      <auditlog/>
      <msg>PHP source code leakage</msg>
      <tag>LEAKAGE/SOURCE_CODE</tag>
      <severity>3</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:184" id="" phase="">
      <selector>RESPONSE_BODY</selector>
      <operator>!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)</operator>
      <actions>
        <t>none</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.anomaly_score=+15</setvar>
      </actions>
    </rule>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:187" id="971019" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis summary was generated by.{0,100}?webcruncher\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> Statistics pages revealed</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:189" id="971011" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThese statistics were produced by PeLAB\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:191" id="971020" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis summary was generated by.{0,100}?analog\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:193" id="971018" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis summary was generated by.{0,100}?Jware\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:195" id="971014" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis summary was generated by.{0,100}?wwwstat\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:197" id="971022" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis analysis was produced by.{0,100}?calamaris\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:199" id="971013" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis report was generated by WebLog\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:201" id="971024" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\b[gG]enerated by.{0,100}?[Ww]ebalizer\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:203" id="971010" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThese statistics were produced by getstats\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:205" id="971023" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis analysis was produced by.{0,100}?EasyStat\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:207" id="971021" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThis analysis was produced by.{0,100}?analog\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>404</status>
      <msg>Statistics Information Leakage</msg>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:212" id="971154" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bCould not find server \&apos;\w+\&apos; in sysservers\. execute sp_addlinkedserver\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> SQL Errors leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:214" id="971153" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bSyntax error converting the \w+ value .*? to a column of data type\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:216" id="971198" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bORA-\d{5}\: </operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:218" id="971092" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bUnclosed quotation mark before the character string\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:220" id="971197" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\[Microsoft\]\[ODBC </operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:222" id="971069" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\berror \&apos;800a01b8\&apos;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:224" id="971094" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bYou have an error in your SQL syntax near \&apos;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:226" id="971072" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bmicrosoft jet database engine error \&apos;8</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:228" id="971086" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bselect list because it is not contained in an aggregate function and there is no GROUP BY clause\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:230" id="971091" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bUnable to connect to PostgreSQL server\:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:232" id="971068" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bPostgreSQL query failed\:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:234" id="971158" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsupplied argument is not a valid MS SQL\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:236" id="971157" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsupplied argument is not a valid Oracle\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:238" id="971093" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bWarning: mysql_connect\(\)\:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:240" id="971159" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsupplied argument is not a valid ODBC\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:242" id="971076" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bMicrosoft OLE DB Provider for .{0,30} [eE]rror &apos;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:244" id="971096" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bSQL Server does not exist or access denied\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:246" id="971099" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bEither BOF or EOF is True, or the current record has been deleted; the operation\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:248" id="971060" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bcannot take a \w+ data type as an argument\.</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:250" id="971087" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bselect list because it is not contained in either an aggregate function or the GROUP BY clause\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:252" id="971155" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bThe column prefix .{0,50}? does not match with a table name or alias name used in the query\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:254" id="971088" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsupplied argument is not a valid PostgreSQL result\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:256" id="971150" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bYou have an error in your SQL syntax;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:258" id="971156" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bsupplied argument is not a valid MySQL\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:260" id="971067" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bEither BOF or EOF is True, or the current record has been deleted. Requested\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:262" id="971152" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bincorrect syntax near (?:\&apos;|the\b|\@\@error\b)</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>SQL Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:267" id="971123" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\&lt;b\&gt;Version Information\:\&lt;\/b\&gt;(?:&amp;nbsp;|\s)Microsoft \.NET Framework Version\:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> IIS Errors leakage</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:269" id="971111" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&gt;error \&apos;ASP\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:271" id="971116" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\berror \&apos;800</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:273" id="971124" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\&lt;b\&gt;Version Information\:\&lt;\/b\&gt;(?:&amp;nbsp;|\s)ASP\.NET Version\:</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:275" id="971122" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bA trappable error occurred in an external object\. The script cannot continue running\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:277" id="971125" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bMicrosoft VBScript runtime Error\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:279" id="971121" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bMicrosoft VBScript compilation \(0x8\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:281" id="971113" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>/[Ee]rror[Mm]essage\.aspx\?[Ee]rror\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:283" id="971126" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bMicrosoft VBScript runtime \(0x8\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:285" id="971112" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bObject required\: \&apos;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:287" id="971115" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bADODB\.Command\b.{0,100}?\bApplication uses a value of the wrong type for the current operation\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:289" id="971127" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>/[Ee]rror[Mm]essage\.asp\?[Ee]rror\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:291" id="971114" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bADODB\.Command\b.{0,100}?\berror\&apos;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:293" id="971119" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bMicrosoft VBScript compilation error\b</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:295" id="970904" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>\bServer Error in.{0,50}?\bApplication\b</operator>
    <actions>
      <chain/>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>500</status>
      <msg>IIS Information Leakage</msg>
      <tag>LEAKAGE/ERRORS</tag>
      <severity>3</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:297" id="" phase="">
      <selector>RESPONSE_STATUS</selector>
      <operator>!^404$</operator>
      <actions>
        <t>none</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.anomaly_score=+15</setvar>
      </actions>
    </rule>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:300" id="971202" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&gt;[To Parent Directory]&lt;/[Aa]&gt;&lt;br&gt;</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>403</status>
      <msg>Directory Listing</msg>
      <tag>LEAKAGE/INFO</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
    <comment> Directory Listing</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:302" id="971201" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;TITLE&gt;Index of.*?&lt;H1&gt;Index of</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>403</status>
      <msg>Directory Listing</msg>
      <tag>LEAKAGE/INFO</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_50_outbound.conf:304" id="971200" phase="4">
    <selector>RESPONSE_BODY</selector>
    <operator>&lt;title&gt;Index of.*?&lt;h1&gt;Index of</operator>
    <actions>
      <t>none</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>403</status>
      <msg>Directory Listing</msg>
      <tag>LEAKAGE/INFO</tag>
      <severity>3</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_60_correlation.conf:23" phase="5">
    <selector>&amp;TX:&apos;/LEAKAGE\\\/ERRORS/&apos;</selector>
    <operator>@ge 1</operator>
    <actions>
      <chain/>
      <t>none</t>
      <log/>
      <pass/>
      <severity>0</severity>
      <msg>Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})</msg>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_60_correlation.conf:25" id="" phase="">
      <selector>&amp;TX:&apos;/WEB_ATTACK/&apos;</selector>
      <operator>@ge 1</operator>
      <actions>
        <t>none</t>
      </actions>
    </rule>
    <comment> Correlated Successful Attack</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_60_correlation.conf:29" phase="5">
    <selector>&amp;TX:&apos;/AVAILABILITY\\\/APP_NOT_AVAIL/&apos;</selector>
    <operator>@ge 1</operator>
    <actions>
      <chain/>
      <t>none</t>
      <log/>
      <pass/>
      <severity>1</severity>
      <msg>Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})</msg>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_60_correlation.conf:31" id="" phase="">
      <selector>&amp;TX:&apos;/WEB_ATTACK/&apos;</selector>
      <operator>@ge 1</operator>
      <actions>
        <t>none</t>
      </actions>
    </rule>
    <comment> Correlated Attack Attempt</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_60_correlation.conf:40" phase="5">
    <selector>TX:ANOMALY_SCORE</selector>
    <operator>@ge 5</operator>
    <actions>
      <t>none</t>
      <log/>
      <noauditlog/>
      <pass/>
      <msg>Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}</msg>
    </actions>
    <comment> Alert on any anomalies</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:19" phase="1">
    <selector>&amp;IP:SPAMMER</selector>
    <operator>@eq 0</operator>
    <actions>
      <chain/>
      <t>none</t>
      <block/>
      <nolog/>
      <auditlog/>
      <msg>RBL Match for SPAM Source</msg>
      <tag>AUTOMATION/MALICIOUS</tag>
      <severity>2</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:20" id="" phase="">
      <selector>REMOTE_ADDR</selector>
      <operator>@rbl sbl-xbl.spamhaus.org</operator>
      <actions>
        <t>none</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.automation_score=+1</setvar>
        <setvar>tx.anomaly_score=+20</setvar>
        <setvar>tx.%{rule.id}=%{matched_var_name}=%{matched_var}</setvar>
        <setvar>ip.spammer=1</setvar>
      </actions>
    </rule>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:23" phase="1">
    <selector>IP:SPAMMER</selector>
    <operator>@eq 1</operator>
    <actions>
      <t>none</t>
      <block/>
      <nolog/>
      <auditlog/>
      <msg>RBL Match for SPAM Source</msg>
      <tag>AUTOMATION/MALICIOUS</tag>
      <severity>2</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.automation_score=+1</setvar>
      <setvar>tx.anomaly_score=+20</setvar>
      <setvar>tx.%{rule.id}=%{matched_var_name}=%{matched_var}</setvar>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:31" id="999010" phase="2">
    <selector>ARGS|ARGS_NAMES</selector>
    <operator>\bhttp:</operator>
    <actions>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>compressWhiteSpace</t>
      <t>lowercase</t>
      <skip>1</skip>
      <pass/>
      <nolog/>
      <severity>6</severity>
    </actions>
    <comment> Prequalifier. Look for &lt;http&gt; first</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:36" id="950923" phase="2">
    <selector>ARGS|ARGS_NAMES</selector>
    <operator>\[url\b</operator>
    <actions>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>compressWhiteSpace</t>
      <t>lowercase</t>
      <chain/>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>400</status>
      <msg>Comment Spam</msg>
      <severity>2</severity>
    </actions>
    <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:37" id="" phase="">
      <selector>ARGS|ARGS_NAMES</selector>
      <operator>\&lt;a</operator>
      <actions>
        <t>none</t>
        <t>urlDecodeUni</t>
        <t>htmlEntityDecode</t>
        <t>compressWhiteSpace</t>
        <t>lowercase</t>
        <setvar>tx.msg=%{rule.msg}</setvar>
        <setvar>tx.automation_score=+1</setvar>
        <setvar>tx.anomaly_score=+10</setvar>
        <setvar>tx.%{rule.id}=%{matched_var_name}=%{matched_var}</setvar>
      </actions>
    </rule>
    <comment> Look for 2 ways of posting a link</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_comment_spam.conf:40" id="950020" phase="2">
    <selector>ARGS|ARGS_NAMES</selector>
    <operator>(http:\/.*?){4}</operator>
    <actions>
      <t>none</t>
      <t>urlDecodeUni</t>
      <t>htmlEntityDecode</t>
      <t>compressWhiteSpace</t>
      <t>lowercase</t>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>400</status>
      <msg>Comment Spam</msg>
      <severity>2</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.automation_score=+1</setvar>
      <setvar>tx.anomaly_score=+10</setvar>
      <setvar>tx.%{rule.id}=%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> Look for too many links in an argument (Prone to FPs)</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_42_tight_security.conf:21" id="950103" phase="1">
    <selector>REQUEST_URI</selector>
    <operator>(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <capture/>
      <ctl>auditLogParts=+E</ctl>
      <block/>
      <nolog/>
      <auditlog/>
      <status>501</status>
      <msg>Path Traversal Attack</msg>
      <severity>2</severity>
      <setvar>tx.msg=%{rule.msg}</setvar>
      <setvar>tx.anomaly_score=+15</setvar>
      <setvar>tx.%{rule.id}=%{matched_var_name}=%{matched_var}</setvar>
    </actions>
    <comment> Directory Traversal</comment>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_55_marketing.conf:14" id="910008" phase="2">
    <selector>REQUEST_HEADERS:User-Agent</selector>
    <operator>msn(?:bot|ptc)</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <nolog/>
      <auditlog/>
      <msg>MSN robot activity</msg>
      <severity>6</severity>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_55_marketing.conf:17" id="910007" phase="2">
    <selector>REQUEST_HEADERS:User-Agent</selector>
    <operator>\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <nolog/>
      <auditlog/>
      <msg>Yahoo robot activity</msg>
      <severity>6</severity>
    </actions>
  </rule>
  <rule location="$CORE_RULES/modsecurity_crs_55_marketing.conf:20" id="910006" phase="2">
    <selector>REQUEST_HEADERS:User-Agent</selector>
    <operator>(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)</operator>
    <actions>
      <t>none</t>
      <t>lowercase</t>
      <nolog/>
      <auditlog/>
      <msg>Google robot activity</msg>
      <severity>6</severity>
    </actions>
  </rule>
</core-rules>