wip avec résolution de conflits

containers/conf/angie/naxsi_rules/blocking/10000000_scanner.rules

@@ -0,0 +1,96 @@
+#######################################
+## Scanners ids: 10000000            ##
+#######################################
+
+# http://pastebin.com/NP64hTQr
+# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/
+# If using wp then turn off this rule
+MainRule id:10000000 "s:$UWA:8" "str:wordpress/" "mz:$HEADERS_VAR:User-Agent" "msg:Wordpress in user-agent";
+
+# https://github.com/robertdavidgraham/masscan
+MainRule id:10000001 "s:$UWA:8" "str:masscan" "mz:$HEADERS_VAR:User-Agent" "msg:masscan in user-agent";
+
+# block acunetix scan
+MainRule id:10000002 "s:$UWA:8" "str:99999999999999999999999" "mz:$HEADERS_VAR:Content-length" "msg:acunetix scan nginx buffer size";
+MainRule id:10000003 "s:$UWA:8" "str:acunetix" "mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent" "msg:acunetix scan website";
+MainRule id:10000004 "s:$UWA:8" "str:acunetix/wvs" "mz:$HEADERS_VAR:Accept" "msg:acunetix scan website";
+
+MainRule id:10000005 "s:$UWA:8" "str:havij" "mz:$HEADERS_VAR:User-Agent" "msg:Havij in user-agent";
+MainRule id:10000006 "s:$UWA:8" "str:webmole" "mz:$HEADERS_VAR:User-Agent" "msg:webmole in user-agent";
+MainRule id:10000007 "s:$UWA:8" "str:nlpproject.info" "mz:$HEADERS_VAR:User-Agent" "msg:nlpproject.info in user-agent";
+MainRule id:10000008 "s:$UWA:8" "str:cloudmapping" "mz:$HEADERS_VAR:User-Agent" "msg:cloudmapping in user-agent";
+MainRule id:10000009 "s:$UWA:8" "str:sucuri" "mz:$HEADERS_VAR:User-Agent" "msg:Sucuri in user-agent";
+MainRule id:10000010 "s:$UWA:8" "str:brutus/" "mz:$HEADERS_VAR:User-Agent" "msg:Brutus in user-agent";
+MainRule id:10000011 "s:$UWA:4" "str:apachebench" "mz:$HEADERS_VAR:User-Agent" "msg:apachebench in user-agent";
+MainRule id:10000012 "s:$UWA:8" "str:/netsparker" "mz:URL" "msg:netsparker in user-agent";
+MainRule id:10000013 "s:$UWA:8" "str:mysqloit" "mz:$HEADERS_VAR:User-Agent" "msg:Mysqloit in user-agent";
+MainRule id:10000014 "s:$UWA:8" "str:network-services-auditor" "mz:$HEADERS_VAR:User-Agent" "msg:network-services-auditor in user-agent";
+MainRule id:10000015 "s:$UWA:8" "str:dav.pm" "mz:$HEADERS_VAR:User-Agent" "msg:dav.pm in user-agent";
+MainRule id:10000016 "s:$UWA:8" "str:w3af" "mz:$HEADERS_VAR:User-Agent" "msg:w3af in user-agent";
+MainRule id:10000017 "s:$UWA:8" "str:http_get_vars" "mz:$HEADERS_VAR:User-Agent" "msg:PHP-Injetion on UA";
+MainRule id:10000018 "s:$UWA:8" "str:whisker" "mz:$HEADERS_VAR:User-Agent" "msg:whisker in user-agent";
+MainRule id:10000019 "s:$UWA:8" "str:whatweb" "mz:$HEADERS_VAR:User-Agent" "msg:whatweb in user-agent";
+MainRule id:10000020 "s:$UWA:8" "str:dirbuster" "mz:$HEADERS_VAR:User-Agent" "msg:DirBuster in user-agent";
+
+# https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
+# https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370
+# prevent php supply chain attack
+MainRule id:10000021 "s:$UWA:8" "str:zerodium" "mz:$HEADERS_VAR:User-Agent" "msg:zerodium in user-agent";
+
+# prevent log4j attack
+# info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
+# payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md
+MainRule id:10000022 "s:$UWA:8" "str:${" "mz:$HEADERS_VAR:User-Agent" "msg:log4j attack detection";
+
+# Python libraries like python-requests, python-urllib, etc..
+MainRule id:10000023 "s:$UWA:8" "str:python" "mz:$HEADERS_VAR:User-Agent" "msg:python in user-agent";
+
+# Meterpreter
+MainRule id:10000024 "s:$UWA:8" "str:meterpreter" "mz:$HEADERS_VAR:User-Agent" "msg:meterpreter in user-agent";
+
+# https://github.com/zmap/zgrab2
+MainRule id:10000025 "s:$UWA:8" "str:zgrab" "mz:$HEADERS_VAR:User-Agent" "msg:zgrab in user-agent";
+
+# Known tools like nmap,curl,wget
+MainRule id:10000026 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
+MainRule id:10000027 "s:$UWA:8" "str:curl" "mz:$HEADERS_VAR:User-Agent" "msg:curl in user-agent";
+MainRule id:10000028 "s:$UWA:8" "str:wget" "mz:$HEADERS_VAR:User-Agent" "msg:wget in user-agent";
+MainRule id:10000029 "s:$UWA:8" "str:sqlmap" "mz:$HEADERS_VAR:User-Agent" "msg:slqmap in user-agent";
+
+# Scan from Expense with this User-Agent:
+# Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers presences on the Internet.
+# If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com
+MainRule id:10000030 "s:$UWA:8" "str:paloaltonetworks.com" "mz:$HEADERS_VAR:User-Agent" "msg:paloaltonetworks in user-agent";
+MainRule id:10000031 "s:$UWA:8" "str:palo alto network" "mz:$HEADERS_VAR:User-Agent" "msg:palo alto network in user-agent";
+MainRule id:10000032 "s:$UWA:8" "str:Expense" "mz:$HEADERS_VAR:User-Agent" "msg:Expense in user-agent";
+
+# Scan from NetSystemsResearch with this User-Agent:
+# NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com
+MainRule id:10000033 "s:$UWA:8" "str:NetSystemsResearch" "mz:$HEADERS_VAR:User-Agent" "msg:NetSystemsResearch in user-agent";
+
+# Golang default User-Agent
+MainRule id:10000034 "s:$UWA:8" "str:Go-http" "mz:$HEADERS_VAR:User-Agent" "msg:Golang in user-agent";
+
+# Perl default User-Agent
+MainRule id:10000035 "s:$UWA:8" "str:libwww-perl" "mz:$HEADERS_VAR:User-Agent" "msg:libwww-perl in user-agent";
+
+# l9tcpid in User-Agent
+MainRule id:10000036 "s:$UWA:8" "str:l9tcpid" "mz:$HEADERS_VAR:User-Agent" "msg:l9tcpid in user-agent";
+
+# l9explore in User-Agent
+MainRule id:10000037 "s:$UWA:8" "str:l9explore" "mz:$HEADERS_VAR:User-Agent" "msg:l9explore in user-agent";
+
+# WPScan in User-Agent
+MainRule id:10000038 "s:$UWA:8" "str:wpscan" "mz:$HEADERS_VAR:User-Agent" "msg:WPScan in user-agent";
+
+# WinHttpReq in User-Agent
+MainRule id:10000039 "s:$UWA:8" "str:WinHttpReq" "mz:$HEADERS_VAR:User-Agent" "msg:WinHttpReq in user-agent";
+
+# EgyScan security scanner uses AliElTop in some of the attacks
+MainRule id:10000040 "s:$UWA:8" "str:AliElTop" "mz:ANY" "msg:EgyScan security scanner";
+
+# Guzzle PHP HTTP client
+MainRule id:10000041 "s:$UWA:8" "str:GuzzleHttp" "mz:$HEADERS_VAR:User-Agent" "msg:GuzzleHttp in user-agent";
+
+# Java client
+MainRule id:10000042 "s:$UWA:8" "str:AsyncHttpClient" "mz:$HEADERS_VAR:User-Agent" "msg:AsyncHttpClient in user-agent";

containers/conf/angie/naxsi_rules/blocking/20000000_web_security.rules

@@ -0,0 +1,172 @@
+#######################################
+## Webserver Security ids: 20000000  ##
+#######################################
+
+# webserver critical files
+MainRule id:20000000 "s:$UWA:8" "str:.conf" "mz:URL" "msg:file access to .conf";
+MainRule id:20000001 "s:$UWA:8" "str:.ini" "mz:URL" "msg:file access to .ini";
+MainRule id:20000002 "s:$UWA:8" "str:.sql" "mz:URL" "msg:file access to .sql";
+MainRule id:20000003 "s:$UWA:8" "rx:\.txt$" "mz:URL" "msg:file access to .txt";
+MainRule id:20000004 "s:$UWA:8" "str:/sftp-config.json" "mz:URL|BODY" "msg:file access to sftp-config.json";
+MainRule id:20000005 "s:$UWA:8" "str:/.bzr" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000006 "s:$UWA:8" "str:/.git" "mz:URL" "msg:git version control folder access";
+MainRule id:20000007 "s:$UWA:8" "str:/.hg" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000008 "s:$UWA:8" "str:/.svn" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000009 "s:$UWA:8" "str:/bzr/" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000010 "s:$UWA:8" "str:/git/" "mz:URL" "msg:git version control folder access";
+MainRule id:20000011 "s:$UWA:8" "str:/hg/" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000012 "s:$UWA:8" "str:/svn/" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000013 "s:$UWA:8" "str:.htpasswd" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htpasswd";
+MainRule id:20000014 "s:$UWA:8" "str:.htaccess" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htaccess";
+MainRule id:20000015 "s:$UWA:8" "str:.ds_store" "mz:URL" "msg:file access to .ds_store";
+MainRule id:20000016 "s:$UWA:8" "str:changelog" "mz:URL" "msg:file access to changelog";
+MainRule id:20000017 "s:$UWA:8" "rx:^/core.\d+$" "mz:URL" "msg:file access to core dumps";
+MainRule id:20000018 "s:$UWA:8" "rx:\.module$" "mz:URL" "msg:file access to .module (drupal)";
+MainRule id:20000019 "s:$UWA:8" "str:web.config" "mz:URL" "msg:file access to web.config (drupal)";
+MainRule id:20000020 "s:$UWA:8" "rx:release[-_]notes\." "mz:URL" "msg:file access to release notes";
+MainRule id:20000021 "s:$UWA:8" "rx:~$" "mz:URL" "msg:file access to cache files";
+MainRule id:20000022 "s:$UWA:8" "str:web-inf" "mz:URL|BODY|ARGS" "msg:folder access to WEB-INF";
+
+# Exposed Services
+MainRule id:20000023 "s:$UWA:8" "str:/cgi-bin/luci" "mz:URL" "msg:Exposed OpenWRT";
+MainRule id:20000024 "s:$UWA:8" "rx:^/cgi-bin/.+\.cgi$" "mz:URL" "msg:Exposed cgi-bin";
+MainRule id:20000025 "s:$UWA:8" "str:/jenkins" "mz:URL" "msg:Exposed Jenkins";
+MainRule id:20000026 "s:$UWA:8" "str:/console/login/LoginForm.jsp" "mz:URL" "msg:Exposed Oracle WebLogic Server Administration Console";
+MainRule id:20000027 "s:$UWA:8" "str:/nuxeo/login.jsp" "mz:URL" "msg:Exposed Nuxeo Enterprise Platform";
+MainRule id:20000028 "s:$UWA:8" "str:/zabbix/index.php" "mz:URL" "msg:Exposed Zabbix";
+
+# Known hacking tools like burp suite, etc..
+MainRule id:20000029 "s:$UWA:8" "str:burpcollaborator.net" "mz:ARGS|BODY|HEADERS" "msg:burp collaborator";
+MainRule id:20000030 "s:$UWA:8" "str:/netsparker" "mz:URL" "msg:Netsparker";
+
+# Malicious strings in request
+MainRule id:20000031 "s:$UWA:8" "str:\n\r" "mz:URL" "msg:HTTP - Smuggling-Attempt (NewLine in URI)";
+MainRule id:20000032 "s:$UWA:6" "rx:^[a-zA-Z\d-]+\.[a-zA-Z]+$" "mz:$HEADERS_VAR:Host" "msg:HOST-Header Injection";
+MainRule id:20000033 "s:$UWA:8" "str:/bin/sh" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/bin/sh in URI";
+MainRule id:20000034 "s:$UWA:8" "str:/etc/passwd" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/passwd in URI";
+MainRule id:20000035 "s:$UWA:8" "str:/etc/shadow" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/shadow in URI";
+MainRule id:20000036 "s:$UWA:8" "str:/etc/hosts" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/hosts in URI";
+MainRule id:20000037 "s:$UWA:8" "str:/Windows/system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/system.ini in URI";
+MainRule id:20000038 "s:$UWA:8" "rx:<!DOCTYPE(\s+)(%*\s*)([{}:.a-zA-Z0-9_-]*)(\s+)SYSTEM" "mz:BODY" "msg: possible XML/XXE-Exploitation atempt (Doctype)";
+MainRule id:20000039 "s:$UWA:8" "str:http://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000040 "s:$UWA:8" "str:https://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000041 "s:$UWA:8" "str:http://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000042 "s:$UWA:8" "str:https://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+
+# ThinkPHP Remote Code Execution CVE-2018-20062
+MainRule id:20000043 "s:$UWA:8" "str:index/\think\app/invokefunction" "mz:URL" "msg:CVE-2018-20062";
+
+# AWS related files
+MainRule id:20000044 "s:$UWA:8" "str:/.aws/" "mz:URL" "msg:AWS Credential Stealer";
+
+# dot folders and files
+MainRule id:20000045 "s:$UWA:8" "rx:/\.[^.]" "mz:URL" "msg:Access to dot folder or file";
+
+# Exposed Microsoft Exchange
+MainRule id:20000046 "s:$UWA:8" "str:autodiscover/autodiscover.json" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000047 "s:$UWA:8" "str:autodiscover/autodiscover.xml" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000048 "s:$UWA:8" "str:/auth.owa" "mz:URL" "msg:Exposed Microsoft Exchange";
+
+# Ignition 2.5.1 Remote Code Execution CVE-2021-3129
+MainRule id:20000049 "s:$UWA:8" "str:/_ignition/execute-solution" "mz:URL" "msg:CVE-2021-3129";
+
+# CVE-2018-13379 path traversal vulnerability in Fortinet's FortiGate SSL VPN
+# https://x.x.x.x/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
+MainRule id:20000050 "s:$UWA:8" "str:/sslvpn_websession" "mz:ARGS|BODY|HEADERS" "msg:CVE-2018-13379";
+
+# Exposed Apache Tomcat Administration Panel
+MainRule id:20000051 "s:$UWA:8" "str:/manager/html" "mz:URL" "msg:Exposed Apache Tomcat Administration Panel";
+
+# Block NMAP enumeration
+MainRule id:20000052 "s:$UWA:8" "str:/HNAP1" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000053 "s:$UWA:8" "rx:/default\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000054 "s:$UWA:8" "rx:/start\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000055 "s:$UWA:8" "rx:/localstart\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000056 "s:$UWA:8" "rx:/admin\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000057 "s:$UWA:8" "str:/nmaplowercheck" "mz:URL" "msg:NMAP enumeration attempt";
+
+# Siemens PLC scan
+MainRule id:20000058 "s:$UWA:8" "str:/__Additional" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000059 "s:$UWA:8" "str:/docs/cplugError.html/" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000060 "s:$UWA:8" "str:/Portal/Portal.mwsl" "mz:URL" "msg:Siemens PLC scan";
+
+# Block Citrix XenApp
+MainRule id:20000061 "s:$UWA:8" "str:/scripts/wpnbr.dll" "mz:URL" "msg:Citrix XenApp";
+
+# Block jenkins authentication bypass CVE-2018-1000861
+MainRule id:20000062 "s:$UWA:8" "str:/securityRealm/user/admin/search/index" "mz:URL" "msg:CVE-2018-1000861";
+
+# Block jenkins RCE CVE-2019-1003029, CVE-2019-1003030
+MainRule id:20000063 "s:$UWA:8" "str:/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/" "mz:URL" "msg:CVE-2019-1003029, CVE-2019-1003030";
+
+# Log4J bypass
+MainRule id:20000064 "s:$UWA:8" "str:${env:NaN:-" "mz:URL|ARGS|BODY|HEADERS" "msg:Attempted Log4J Bypass";
+
+# Windows system paths
+MainRule id:20000065 "s:$UWA:8" "str:\Windows\system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\system.ini in URI";
+MainRule id:20000066 "s:$UWA:8" "str:/Windows/win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/win.ini in URI";
+MainRule id:20000067 "s:$UWA:8" "str:\Windows\win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\win.ini in URI";
+
+# Exposed Apache Host Manager App
+MainRule id:20000068 "s:$UWA:8" "str:/manager/text/list" "mz:URL" "msg:Exposed Apache Host Manager App";
+
+# Spring Cloud Gateway Code Injection Vulnerability
+MainRule id:20000069 "s:$UWA:8" "str:/actuator/gateway/routes" "mz:URL" "msg:CVE-2022-22947";
+
+# Block Spring4Shell
+MainRule id:20000070 "s:$UWA:8" "str:class.module.classLoader.resources." "mz:RAW_BODY" "msg:CVE-2022-22965";
+MainRule id:20000071 "s:$UWA:8" "rx:<%|%>" "mz:HEADERS" "msg:CVE-2022-22965";
+
+# Block Microsoft Exchange Server Remote Code Execution
+MainRule id:20000072 "s:$UWA:8" "str:/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" "mz:URL" "msg:CVE-2021-28481";
+
+# Prevents IndoXploit/IDX Shell dump access
+# A website that has been infected will have a world-browsable folder called `idx_config`
+# which contains text versions of the configuration file of every CMS installation the shell
+# is able to find (impacts WordPress, Joomla and Magento).
+MainRule id:20000073 "s:$UWA:8" "str:/idx_config" "mz:URL" "msg:Prevent IndoXploit/IDX Shell dump access";
+
+# Prevents old grafana to return all folders
+# https://github.com/grafana/grafana/pull/44175
+MainRule id:20000074 "s:$UWA:8" "rx:^0$" "mz:$URL:/api/search|$ARGS_VAR:folderIds" "msg:Access all grafana folders";
+
+# Block access to yaml files
+MainRule id:20000075 "s:$UWA:8" "str:.yml" "mz:URL" "msg:file access to .yml";
+MainRule id:20000076 "s:$UWA:8" "str:.yaml" "mz:URL" "msg:file access to .yaml";
+
+# Block access to HashiCorp Consul/Vault template files
+MainRule id:20000077 "s:$UWA:8" "rx:\.ctmpl$" "mz:URL" "msg:file access to .ctmpl";
+MainRule id:20000078 "s:$UWA:8" "rx:\.hcl$" "mz:URL" "msg:file access to .hcl";
+
+# Block access to known files used for fingerprinting
+MainRule id:20000079 "s:$UWA:8" "rx:\.md$" "mz:URL" "msg:file access to .md";
+MainRule id:20000080 "s:$UWA:8" "rx:read[-_]?me" "mz:URL" "msg:file access to readme";
+MainRule id:20000081 "s:$UWA:8" "rx:\.toml$" "mz:URL" "msg:file access to .toml";
+
+# AWS related files
+MainRule id:20000082 "s:$UWA:8" "str:dockerrun.aws.json" "mz:URL" "msg:Exposed AWS Elastic Beanstalk configuration";
+
+# Block access to temporary backup files like .bak,.bak.php, etc...
+MainRule id:20000083 "s:$UWA:8" "str:.bak" "mz:URL" "msg:file access to temporary backup files";
+
+# Path traversal in nuxt/framework when in dev mode
+# https://huntr.dev/bounties/4849af83-450c-435e-bc0b-71705f5be440/
+MainRule id:20000084 "s:$UWA:8" "str:_nuxt/@" "mz:URL" "msg:path traversal in nuxt framework";
+
+# AWS NodeJS related files
+MainRule id:20000085 "s:$UWA:8" "str:awsconfig" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000086 "s:$UWA:8" "str:aws-config" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000087 "s:$UWA:8" "str:awscred" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000088 "s:$UWA:8" "str:aws-cred" "mz:URL" "msg:Exposed AWS config files";
+
+# Text editors temp and config files
+MainRule id:20000089 "s:$UWA:8" "str:.old" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000090 "s:$UWA:8" "str:.save" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000091 "s:$UWA:8" "str:.DS_Store" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000092 "s:$UWA:8" "str:vscode" "mz:URL" "msg:Exposed vscode directory";
+
+# Exposed .env
+MainRule id:20000093 "s:$UWA:8" "str:/.env" "mz:URL" "msg:access to .env file or dir";
+
+# androxgh0st exploit
+MainRule id:20000094 "s:$UWA:8" "str:androxgh0st" "mz:ANY" "msg:androxgh0st exploit";

containers/conf/angie/naxsi_rules/blocking/30000000_wordpress.rules

@@ -0,0 +1,16 @@
+#######################################
+## Wordpress ids: 30000000           ##
+#######################################
+
+MainRule id:30000000 "s:$UWA:8" "str:system.multicall" "mz:$URL:/xmlrpc.php|BODY" "msg:Wordpress XMLRPC possible Password Brute Force";
+MainRule id:30000001 "s:$UWA:8" "str:system.listmethods" "mz:$URL:/xmlrpc.php|BODY" "msg:WordPress XMLRPC Enumeration system.listMethods";
+MainRule id:30000002 "s:$UWA:8" "str:system.getcapabilities" "mz:$URL:/xmlrpc.php|BODY" "msg:WordPress XMLRPC Enumeration system.getCapabilities";
+MainRule id:30000003 "s:$UWA:8" "str:/w3tc/dbcache" "mz:URL" "msg:WordPress TotalCache-DBCache-Access";
+MainRule id:30000004 "s:$UWA:8" "str:/uploadify/uploadify.php" "mz:URL" "msg:WordPress Uploadify-Access";
+MainRule id:30000005 "s:$UWA:8" "str:/wp-content/plugins/mm-forms-community/upload/temp/" "mz:URL" "msg:Access To mm-forms-community upload dir";
+MainRule id:30000006 "s:$UWA:8" "str:wp-config.php" "mz:BODY|ARGS|URL" "msg:WordPress access to wp-config.php";
+
+# block malicious access ALFA_DATA|alfacgiapi|cgialfa path
+MainRule id:30000007 "s:$UWA:8" "str:ALFA_DATA" "mz:URL" "msg:WordPress malicious access to ALFA_DATA path";
+MainRule id:30000008 "s:$UWA:8" "str:alfacgiapi" "mz:URL" "msg:WordPress malicious access to alfacgiapi path";
+MainRule id:30000009 "s:$UWA:8" "str:cgialfa" "mz:URL" "msg:WordPress malicious access to cgialfa path";

containers/conf/angie/naxsi_rules/blocking/40000000_php_security.rules

@@ -0,0 +1,66 @@
+#######################################
+## PHP Security ids: 40000000        ##
+#######################################
+
+# Php Functions
+MainRule id:40000000 "s:$UWA:8" "str:gzinflate(" "mz:URL|BODY|ARGS" "msg:gzinflate in URI";
+MainRule id:40000001 "s:$UWA:8" "str:system(" "mz:URL|BODY|ARGS" "msg:php system called";
+MainRule id:40000002 "s:$UWA:8" "str:base64_decode(" "mz:URL|BODY|ARGS" "msg:php base64_decode called";
+MainRule id:40000003 "s:$UWA:8" "str:@eval" "mz:URL|BODY|ARGS" "msg:php eval called";
+MainRule id:40000004 "s:$UWA:8" "rx:eval\((\s+)?\$_" "mz:URL|BODY|ARGS" "msg:php eval called";
+
+# PhpMyAdmin
+MainRule id:40000005 "s:$UWA:8" "str:/db-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000006 "s:$UWA:8" "str:/dbadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000007 "s:$UWA:8" "str:/myadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000008 "s:$UWA:8" "str:/mysqldumper " "mz:URL" "msg:MysqlDumper";
+MainRule id:40000009 "s:$UWA:8" "str:/mysqlmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000010 "s:$UWA:8" "str:/p/m/a/" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000011 "s:$UWA:8" "str:/php-my-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000012 "s:$UWA:8" "str:/php-myadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000013 "s:$UWA:8" "str:/phpmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000014 "s:$UWA:8" "str:/phpmy" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000015 "s:$UWA:8" "str:/phpmy-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000016 "s:$UWA:8" "str:/phpmyadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000017 "s:$UWA:8" "str:/phppgadmin " "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000018 "s:$UWA:8" "str:/pma" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000019 "s:$UWA:8" "str:/sql-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000020 "s:$UWA:8" "str:/sqladmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000021 "s:$UWA:8" "str:/sqlweb" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000022 "s:$UWA:8" "str:/sysadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000023 "s:$UWA:8" "str:/webadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000024 "s:$UWA:8" "str:/webdb" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000025 "s:$UWA:8" "str:/websql" "mz:URL" "msg:SQL Admin Interface";
+
+# Block PHPUnit eval-stdin.php CVE-2017-9841
+MainRule id:40000026 "s:$UWA:8" "str:eval-stdin.php" "mz:URL" "msg:CVE-2017-9841";
+
+# Block PHP easter egg which normally can be disabled via expose_php = off
+MainRule id:40000027 "s:$UWA:8" "rx:PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" "mz:URL|BODY|ARGS" "msg:PHP easter egg credits";
+
+# Block PHP Xdebug
+MainRule id:40000028 "s:$UWA:8" "str:XDEBUG_SESSION" "mz:ANY" "msg:Block PHP Xdebug";
+
+# Block PHPinfo access
+MainRule id:40000029 "s:$UWA:8" "str:phpinfo" "mz:URL|BODY|ARGS" "msg:PHPinfo access";
+
+# Block known php installer exploit
+MainRule id:40000030 "s:$UWA:8" "str:install.php" "mz:URL" "msg:Access to php install";
+
+# Block more sql admin interface
+MainRule id:40000031 "s:$UWA:8" "str:/mysql-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000032 "s:$UWA:8" "str:/mysqladmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000033 "s:$UWA:8" "str:/sqlmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000034 "s:$UWA:8" "str:/mysql/" "mz:URL" "msg:SQL Admin Interface";
+
+# Block access to Lavarel telescope since it allows to read logs and SQL queries
+MainRule id:40000035 "s:$UWA:8" "str:/telescope/" "mz:URL" "msg:Access to Lavarel telescope";
+
+# Block access to adminer/phpMinAdmin sql admin interface
+MainRule id:40000036 "s:$UWA:8" "str:adminer" "mz:URL" "msg:SQL Admin Interface";
+
+# Block access to Symfony Web Framework dev mode.
+MainRule id:40000037 "s:$UWA:8" "str:app_dev" "mz:URL" "msg:Symfony Web Framework dev mode";
+
+# phpstorm in request
+MainRule id:40000038 "s:$UWA:8" "str:phpstorm" "mz:URL|ARGS|HEADERS" "msg:phpstorm in request";

containers/conf/angie/naxsi_rules/blocking/blocking/10000000_scanner.rules

@@ -0,0 +1,96 @@
+#######################################
+## Scanners ids: 10000000            ##
+#######################################
+
+# http://pastebin.com/NP64hTQr
+# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/
+# If using wp then turn off this rule
+MainRule id:10000000 "s:$UWA:8" "str:wordpress/" "mz:$HEADERS_VAR:User-Agent" "msg:Wordpress in user-agent";
+
+# https://github.com/robertdavidgraham/masscan
+MainRule id:10000001 "s:$UWA:8" "str:masscan" "mz:$HEADERS_VAR:User-Agent" "msg:masscan in user-agent";
+
+# block acunetix scan
+MainRule id:10000002 "s:$UWA:8" "str:99999999999999999999999" "mz:$HEADERS_VAR:Content-length" "msg:acunetix scan nginx buffer size";
+MainRule id:10000003 "s:$UWA:8" "str:acunetix" "mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent" "msg:acunetix scan website";
+MainRule id:10000004 "s:$UWA:8" "str:acunetix/wvs" "mz:$HEADERS_VAR:Accept" "msg:acunetix scan website";
+
+MainRule id:10000005 "s:$UWA:8" "str:havij" "mz:$HEADERS_VAR:User-Agent" "msg:Havij in user-agent";
+MainRule id:10000006 "s:$UWA:8" "str:webmole" "mz:$HEADERS_VAR:User-Agent" "msg:webmole in user-agent";
+MainRule id:10000007 "s:$UWA:8" "str:nlpproject.info" "mz:$HEADERS_VAR:User-Agent" "msg:nlpproject.info in user-agent";
+MainRule id:10000008 "s:$UWA:8" "str:cloudmapping" "mz:$HEADERS_VAR:User-Agent" "msg:cloudmapping in user-agent";
+MainRule id:10000009 "s:$UWA:8" "str:sucuri" "mz:$HEADERS_VAR:User-Agent" "msg:Sucuri in user-agent";
+MainRule id:10000010 "s:$UWA:8" "str:brutus/" "mz:$HEADERS_VAR:User-Agent" "msg:Brutus in user-agent";
+MainRule id:10000011 "s:$UWA:4" "str:apachebench" "mz:$HEADERS_VAR:User-Agent" "msg:apachebench in user-agent";
+MainRule id:10000012 "s:$UWA:8" "str:/netsparker" "mz:URL" "msg:netsparker in user-agent";
+MainRule id:10000013 "s:$UWA:8" "str:mysqloit" "mz:$HEADERS_VAR:User-Agent" "msg:Mysqloit in user-agent";
+MainRule id:10000014 "s:$UWA:8" "str:network-services-auditor" "mz:$HEADERS_VAR:User-Agent" "msg:network-services-auditor in user-agent";
+MainRule id:10000015 "s:$UWA:8" "str:dav.pm" "mz:$HEADERS_VAR:User-Agent" "msg:dav.pm in user-agent";
+MainRule id:10000016 "s:$UWA:8" "str:w3af" "mz:$HEADERS_VAR:User-Agent" "msg:w3af in user-agent";
+MainRule id:10000017 "s:$UWA:8" "str:http_get_vars" "mz:$HEADERS_VAR:User-Agent" "msg:PHP-Injetion on UA";
+MainRule id:10000018 "s:$UWA:8" "str:whisker" "mz:$HEADERS_VAR:User-Agent" "msg:whisker in user-agent";
+MainRule id:10000019 "s:$UWA:8" "str:whatweb" "mz:$HEADERS_VAR:User-Agent" "msg:whatweb in user-agent";
+MainRule id:10000020 "s:$UWA:8" "str:dirbuster" "mz:$HEADERS_VAR:User-Agent" "msg:DirBuster in user-agent";
+
+# https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
+# https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370
+# prevent php supply chain attack
+MainRule id:10000021 "s:$UWA:8" "str:zerodium" "mz:$HEADERS_VAR:User-Agent" "msg:zerodium in user-agent";
+
+# prevent log4j attack
+# info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
+# payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md
+MainRule id:10000022 "s:$UWA:8" "str:${" "mz:$HEADERS_VAR:User-Agent" "msg:log4j attack detection";
+
+# Python libraries like python-requests, python-urllib, etc..
+MainRule id:10000023 "s:$UWA:8" "str:python" "mz:$HEADERS_VAR:User-Agent" "msg:python in user-agent";
+
+# Meterpreter
+MainRule id:10000024 "s:$UWA:8" "str:meterpreter" "mz:$HEADERS_VAR:User-Agent" "msg:meterpreter in user-agent";
+
+# https://github.com/zmap/zgrab2
+MainRule id:10000025 "s:$UWA:8" "str:zgrab" "mz:$HEADERS_VAR:User-Agent" "msg:zgrab in user-agent";
+
+# Known tools like nmap,curl,wget
+MainRule id:10000026 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
+MainRule id:10000027 "s:$UWA:8" "str:curl" "mz:$HEADERS_VAR:User-Agent" "msg:curl in user-agent";
+MainRule id:10000028 "s:$UWA:8" "str:wget" "mz:$HEADERS_VAR:User-Agent" "msg:wget in user-agent";
+MainRule id:10000029 "s:$UWA:8" "str:sqlmap" "mz:$HEADERS_VAR:User-Agent" "msg:slqmap in user-agent";
+
+# Scan from Expense with this User-Agent:
+# Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers presences on the Internet.
+# If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com
+MainRule id:10000030 "s:$UWA:8" "str:paloaltonetworks.com" "mz:$HEADERS_VAR:User-Agent" "msg:paloaltonetworks in user-agent";
+MainRule id:10000031 "s:$UWA:8" "str:palo alto network" "mz:$HEADERS_VAR:User-Agent" "msg:palo alto network in user-agent";
+MainRule id:10000032 "s:$UWA:8" "str:Expense" "mz:$HEADERS_VAR:User-Agent" "msg:Expense in user-agent";
+
+# Scan from NetSystemsResearch with this User-Agent:
+# NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com
+MainRule id:10000033 "s:$UWA:8" "str:NetSystemsResearch" "mz:$HEADERS_VAR:User-Agent" "msg:NetSystemsResearch in user-agent";
+
+# Golang default User-Agent
+MainRule id:10000034 "s:$UWA:8" "str:Go-http" "mz:$HEADERS_VAR:User-Agent" "msg:Golang in user-agent";
+
+# Perl default User-Agent
+MainRule id:10000035 "s:$UWA:8" "str:libwww-perl" "mz:$HEADERS_VAR:User-Agent" "msg:libwww-perl in user-agent";
+
+# l9tcpid in User-Agent
+MainRule id:10000036 "s:$UWA:8" "str:l9tcpid" "mz:$HEADERS_VAR:User-Agent" "msg:l9tcpid in user-agent";
+
+# l9explore in User-Agent
+MainRule id:10000037 "s:$UWA:8" "str:l9explore" "mz:$HEADERS_VAR:User-Agent" "msg:l9explore in user-agent";
+
+# WPScan in User-Agent
+MainRule id:10000038 "s:$UWA:8" "str:wpscan" "mz:$HEADERS_VAR:User-Agent" "msg:WPScan in user-agent";
+
+# WinHttpReq in User-Agent
+MainRule id:10000039 "s:$UWA:8" "str:WinHttpReq" "mz:$HEADERS_VAR:User-Agent" "msg:WinHttpReq in user-agent";
+
+# EgyScan security scanner uses AliElTop in some of the attacks
+MainRule id:10000040 "s:$UWA:8" "str:AliElTop" "mz:ANY" "msg:EgyScan security scanner";
+
+# Guzzle PHP HTTP client
+MainRule id:10000041 "s:$UWA:8" "str:GuzzleHttp" "mz:$HEADERS_VAR:User-Agent" "msg:GuzzleHttp in user-agent";
+
+# Java client
+MainRule id:10000042 "s:$UWA:8" "str:AsyncHttpClient" "mz:$HEADERS_VAR:User-Agent" "msg:AsyncHttpClient in user-agent";

containers/conf/angie/naxsi_rules/blocking/blocking/20000000_web_security.rules

@@ -0,0 +1,172 @@
+#######################################
+## Webserver Security ids: 20000000  ##
+#######################################
+
+# webserver critical files
+MainRule id:20000000 "s:$UWA:8" "str:.conf" "mz:URL" "msg:file access to .conf";
+MainRule id:20000001 "s:$UWA:8" "str:.ini" "mz:URL" "msg:file access to .ini";
+MainRule id:20000002 "s:$UWA:8" "str:.sql" "mz:URL" "msg:file access to .sql";
+MainRule id:20000003 "s:$UWA:8" "rx:\.txt$" "mz:URL" "msg:file access to .txt";
+MainRule id:20000004 "s:$UWA:8" "str:/sftp-config.json" "mz:URL|BODY" "msg:file access to sftp-config.json";
+MainRule id:20000005 "s:$UWA:8" "str:/.bzr" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000006 "s:$UWA:8" "str:/.git" "mz:URL" "msg:git version control folder access";
+MainRule id:20000007 "s:$UWA:8" "str:/.hg" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000008 "s:$UWA:8" "str:/.svn" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000009 "s:$UWA:8" "str:/bzr/" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000010 "s:$UWA:8" "str:/git/" "mz:URL" "msg:git version control folder access";
+MainRule id:20000011 "s:$UWA:8" "str:/hg/" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000012 "s:$UWA:8" "str:/svn/" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000013 "s:$UWA:8" "str:.htpasswd" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htpasswd";
+MainRule id:20000014 "s:$UWA:8" "str:.htaccess" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htaccess";
+MainRule id:20000015 "s:$UWA:8" "str:.ds_store" "mz:URL" "msg:file access to .ds_store";
+MainRule id:20000016 "s:$UWA:8" "str:changelog" "mz:URL" "msg:file access to changelog";
+MainRule id:20000017 "s:$UWA:8" "rx:^/core.\d+$" "mz:URL" "msg:file access to core dumps";
+MainRule id:20000018 "s:$UWA:8" "rx:\.module$" "mz:URL" "msg:file access to .module (drupal)";
+MainRule id:20000019 "s:$UWA:8" "str:web.config" "mz:URL" "msg:file access to web.config (drupal)";
+MainRule id:20000020 "s:$UWA:8" "rx:release[-_]notes\." "mz:URL" "msg:file access to release notes";
+MainRule id:20000021 "s:$UWA:8" "rx:~$" "mz:URL" "msg:file access to cache files";
+MainRule id:20000022 "s:$UWA:8" "str:web-inf" "mz:URL|BODY|ARGS" "msg:folder access to WEB-INF";
+
+# Exposed Services
+MainRule id:20000023 "s:$UWA:8" "str:/cgi-bin/luci" "mz:URL" "msg:Exposed OpenWRT";
+MainRule id:20000024 "s:$UWA:8" "rx:^/cgi-bin/.+\.cgi$" "mz:URL" "msg:Exposed cgi-bin";
+MainRule id:20000025 "s:$UWA:8" "str:/jenkins" "mz:URL" "msg:Exposed Jenkins";
+MainRule id:20000026 "s:$UWA:8" "str:/console/login/LoginForm.jsp" "mz:URL" "msg:Exposed Oracle WebLogic Server Administration Console";
+MainRule id:20000027 "s:$UWA:8" "str:/nuxeo/login.jsp" "mz:URL" "msg:Exposed Nuxeo Enterprise Platform";
+MainRule id:20000028 "s:$UWA:8" "str:/zabbix/index.php" "mz:URL" "msg:Exposed Zabbix";
+
+# Known hacking tools like burp suite, etc..
+MainRule id:20000029 "s:$UWA:8" "str:burpcollaborator.net" "mz:ARGS|BODY|HEADERS" "msg:burp collaborator";
+MainRule id:20000030 "s:$UWA:8" "str:/netsparker" "mz:URL" "msg:Netsparker";
+
+# Malicious strings in request
+MainRule id:20000031 "s:$UWA:8" "str:\n\r" "mz:URL" "msg:HTTP - Smuggling-Attempt (NewLine in URI)";
+MainRule id:20000032 "s:$UWA:6" "rx:^[a-zA-Z\d-]+\.[a-zA-Z]+$" "mz:$HEADERS_VAR:Host" "msg:HOST-Header Injection";
+MainRule id:20000033 "s:$UWA:8" "str:/bin/sh" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/bin/sh in URI";
+MainRule id:20000034 "s:$UWA:8" "str:/etc/passwd" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/passwd in URI";
+MainRule id:20000035 "s:$UWA:8" "str:/etc/shadow" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/shadow in URI";
+MainRule id:20000036 "s:$UWA:8" "str:/etc/hosts" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/hosts in URI";
+MainRule id:20000037 "s:$UWA:8" "str:/Windows/system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/system.ini in URI";
+MainRule id:20000038 "s:$UWA:8" "rx:<!DOCTYPE(\s+)(%*\s*)([{}:.a-zA-Z0-9_-]*)(\s+)SYSTEM" "mz:BODY" "msg: possible XML/XXE-Exploitation atempt (Doctype)";
+MainRule id:20000039 "s:$UWA:8" "str:http://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000040 "s:$UWA:8" "str:https://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000041 "s:$UWA:8" "str:http://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000042 "s:$UWA:8" "str:https://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+
+# ThinkPHP Remote Code Execution CVE-2018-20062
+MainRule id:20000043 "s:$UWA:8" "str:index/\think\app/invokefunction" "mz:URL" "msg:CVE-2018-20062";
+
+# AWS related files
+MainRule id:20000044 "s:$UWA:8" "str:/.aws/" "mz:URL" "msg:AWS Credential Stealer";
+
+# dot folders and files
+MainRule id:20000045 "s:$UWA:8" "rx:/\.[^.]" "mz:URL" "msg:Access to dot folder or file";
+
+# Exposed Microsoft Exchange
+MainRule id:20000046 "s:$UWA:8" "str:autodiscover/autodiscover.json" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000047 "s:$UWA:8" "str:autodiscover/autodiscover.xml" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000048 "s:$UWA:8" "str:/auth.owa" "mz:URL" "msg:Exposed Microsoft Exchange";
+
+# Ignition 2.5.1 Remote Code Execution CVE-2021-3129
+MainRule id:20000049 "s:$UWA:8" "str:/_ignition/execute-solution" "mz:URL" "msg:CVE-2021-3129";
+
+# CVE-2018-13379 path traversal vulnerability in Fortinet's FortiGate SSL VPN
+# https://x.x.x.x/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
+MainRule id:20000050 "s:$UWA:8" "str:/sslvpn_websession" "mz:ARGS|BODY|HEADERS" "msg:CVE-2018-13379";
+
+# Exposed Apache Tomcat Administration Panel
+MainRule id:20000051 "s:$UWA:8" "str:/manager/html" "mz:URL" "msg:Exposed Apache Tomcat Administration Panel";
+
+# Block NMAP enumeration
+MainRule id:20000052 "s:$UWA:8" "str:/HNAP1" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000053 "s:$UWA:8" "rx:/default\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000054 "s:$UWA:8" "rx:/start\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000055 "s:$UWA:8" "rx:/localstart\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000056 "s:$UWA:8" "rx:/admin\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000057 "s:$UWA:8" "str:/nmaplowercheck" "mz:URL" "msg:NMAP enumeration attempt";
+
+# Siemens PLC scan
+MainRule id:20000058 "s:$UWA:8" "str:/__Additional" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000059 "s:$UWA:8" "str:/docs/cplugError.html/" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000060 "s:$UWA:8" "str:/Portal/Portal.mwsl" "mz:URL" "msg:Siemens PLC scan";
+
+# Block Citrix XenApp
+MainRule id:20000061 "s:$UWA:8" "str:/scripts/wpnbr.dll" "mz:URL" "msg:Citrix XenApp";
+
+# Block jenkins authentication bypass CVE-2018-1000861
+MainRule id:20000062 "s:$UWA:8" "str:/securityRealm/user/admin/search/index" "mz:URL" "msg:CVE-2018-1000861";
+
+# Block jenkins RCE CVE-2019-1003029, CVE-2019-1003030
+MainRule id:20000063 "s:$UWA:8" "str:/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/" "mz:URL" "msg:CVE-2019-1003029, CVE-2019-1003030";
+
+# Log4J bypass
+MainRule id:20000064 "s:$UWA:8" "str:${env:NaN:-" "mz:URL|ARGS|BODY|HEADERS" "msg:Attempted Log4J Bypass";
+
+# Windows system paths
+MainRule id:20000065 "s:$UWA:8" "str:\Windows\system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\system.ini in URI";
+MainRule id:20000066 "s:$UWA:8" "str:/Windows/win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/win.ini in URI";
+MainRule id:20000067 "s:$UWA:8" "str:\Windows\win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\win.ini in URI";
+
+# Exposed Apache Host Manager App
+MainRule id:20000068 "s:$UWA:8" "str:/manager/text/list" "mz:URL" "msg:Exposed Apache Host Manager App";
+
+# Spring Cloud Gateway Code Injection Vulnerability
+MainRule id:20000069 "s:$UWA:8" "str:/actuator/gateway/routes" "mz:URL" "msg:CVE-2022-22947";
+
+# Block Spring4Shell
+MainRule id:20000070 "s:$UWA:8" "str:class.module.classLoader.resources." "mz:RAW_BODY" "msg:CVE-2022-22965";
+MainRule id:20000071 "s:$UWA:8" "rx:<%|%>" "mz:HEADERS" "msg:CVE-2022-22965";
+
+# Block Microsoft Exchange Server Remote Code Execution
+MainRule id:20000072 "s:$UWA:8" "str:/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" "mz:URL" "msg:CVE-2021-28481";
+
+# Prevents IndoXploit/IDX Shell dump access
+# A website that has been infected will have a world-browsable folder called `idx_config`
+# which contains text versions of the configuration file of every CMS installation the shell
+# is able to find (impacts WordPress, Joomla and Magento).
+MainRule id:20000073 "s:$UWA:8" "str:/idx_config" "mz:URL" "msg:Prevent IndoXploit/IDX Shell dump access";
+
+# Prevents old grafana to return all folders
+# https://github.com/grafana/grafana/pull/44175
+MainRule id:20000074 "s:$UWA:8" "rx:^0$" "mz:$URL:/api/search|$ARGS_VAR:folderIds" "msg:Access all grafana folders";
+
+# Block access to yaml files
+MainRule id:20000075 "s:$UWA:8" "str:.yml" "mz:URL" "msg:file access to .yml";
+MainRule id:20000076 "s:$UWA:8" "str:.yaml" "mz:URL" "msg:file access to .yaml";
+
+# Block access to HashiCorp Consul/Vault template files
+MainRule id:20000077 "s:$UWA:8" "rx:\.ctmpl$" "mz:URL" "msg:file access to .ctmpl";
+MainRule id:20000078 "s:$UWA:8" "rx:\.hcl$" "mz:URL" "msg:file access to .hcl";
+
+# Block access to known files used for fingerprinting
+MainRule id:20000079 "s:$UWA:8" "rx:\.md$" "mz:URL" "msg:file access to .md";
+MainRule id:20000080 "s:$UWA:8" "rx:read[-_]?me" "mz:URL" "msg:file access to readme";
+MainRule id:20000081 "s:$UWA:8" "rx:\.toml$" "mz:URL" "msg:file access to .toml";
+
+# AWS related files
+MainRule id:20000082 "s:$UWA:8" "str:dockerrun.aws.json" "mz:URL" "msg:Exposed AWS Elastic Beanstalk configuration";
+
+# Block access to temporary backup files like .bak,.bak.php, etc...
+MainRule id:20000083 "s:$UWA:8" "str:.bak" "mz:URL" "msg:file access to temporary backup files";
+
+# Path traversal in nuxt/framework when in dev mode
+# https://huntr.dev/bounties/4849af83-450c-435e-bc0b-71705f5be440/
+MainRule id:20000084 "s:$UWA:8" "str:_nuxt/@" "mz:URL" "msg:path traversal in nuxt framework";
+
+# AWS NodeJS related files
+MainRule id:20000085 "s:$UWA:8" "str:awsconfig" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000086 "s:$UWA:8" "str:aws-config" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000087 "s:$UWA:8" "str:awscred" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000088 "s:$UWA:8" "str:aws-cred" "mz:URL" "msg:Exposed AWS config files";
+
+# Text editors temp and config files
+MainRule id:20000089 "s:$UWA:8" "str:.old" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000090 "s:$UWA:8" "str:.save" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000091 "s:$UWA:8" "str:.DS_Store" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000092 "s:$UWA:8" "str:vscode" "mz:URL" "msg:Exposed vscode directory";
+
+# Exposed .env
+MainRule id:20000093 "s:$UWA:8" "str:/.env" "mz:URL" "msg:access to .env file or dir";
+
+# androxgh0st exploit
+MainRule id:20000094 "s:$UWA:8" "str:androxgh0st" "mz:ANY" "msg:androxgh0st exploit";

containers/conf/angie/naxsi_rules/blocking/blocking/30000000_wordpress.rules

@@ -0,0 +1,16 @@
+#######################################
+## Wordpress ids: 30000000           ##
+#######################################
+
+MainRule id:30000000 "s:$UWA:8" "str:system.multicall" "mz:$URL:/xmlrpc.php|BODY" "msg:Wordpress XMLRPC possible Password Brute Force";
+MainRule id:30000001 "s:$UWA:8" "str:system.listmethods" "mz:$URL:/xmlrpc.php|BODY" "msg:WordPress XMLRPC Enumeration system.listMethods";
+MainRule id:30000002 "s:$UWA:8" "str:system.getcapabilities" "mz:$URL:/xmlrpc.php|BODY" "msg:WordPress XMLRPC Enumeration system.getCapabilities";
+MainRule id:30000003 "s:$UWA:8" "str:/w3tc/dbcache" "mz:URL" "msg:WordPress TotalCache-DBCache-Access";
+MainRule id:30000004 "s:$UWA:8" "str:/uploadify/uploadify.php" "mz:URL" "msg:WordPress Uploadify-Access";
+MainRule id:30000005 "s:$UWA:8" "str:/wp-content/plugins/mm-forms-community/upload/temp/" "mz:URL" "msg:Access To mm-forms-community upload dir";
+MainRule id:30000006 "s:$UWA:8" "str:wp-config.php" "mz:BODY|ARGS|URL" "msg:WordPress access to wp-config.php";
+
+# block malicious access ALFA_DATA|alfacgiapi|cgialfa path
+MainRule id:30000007 "s:$UWA:8" "str:ALFA_DATA" "mz:URL" "msg:WordPress malicious access to ALFA_DATA path";
+MainRule id:30000008 "s:$UWA:8" "str:alfacgiapi" "mz:URL" "msg:WordPress malicious access to alfacgiapi path";
+MainRule id:30000009 "s:$UWA:8" "str:cgialfa" "mz:URL" "msg:WordPress malicious access to cgialfa path";

containers/conf/angie/naxsi_rules/blocking/blocking/40000000_php_security.rules

@@ -0,0 +1,66 @@
+#######################################
+## PHP Security ids: 40000000        ##
+#######################################
+
+# Php Functions
+MainRule id:40000000 "s:$UWA:8" "str:gzinflate(" "mz:URL|BODY|ARGS" "msg:gzinflate in URI";
+MainRule id:40000001 "s:$UWA:8" "str:system(" "mz:URL|BODY|ARGS" "msg:php system called";
+MainRule id:40000002 "s:$UWA:8" "str:base64_decode(" "mz:URL|BODY|ARGS" "msg:php base64_decode called";
+MainRule id:40000003 "s:$UWA:8" "str:@eval" "mz:URL|BODY|ARGS" "msg:php eval called";
+MainRule id:40000004 "s:$UWA:8" "rx:eval\((\s+)?\$_" "mz:URL|BODY|ARGS" "msg:php eval called";
+
+# PhpMyAdmin
+MainRule id:40000005 "s:$UWA:8" "str:/db-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000006 "s:$UWA:8" "str:/dbadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000007 "s:$UWA:8" "str:/myadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000008 "s:$UWA:8" "str:/mysqldumper " "mz:URL" "msg:MysqlDumper";
+MainRule id:40000009 "s:$UWA:8" "str:/mysqlmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000010 "s:$UWA:8" "str:/p/m/a/" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000011 "s:$UWA:8" "str:/php-my-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000012 "s:$UWA:8" "str:/php-myadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000013 "s:$UWA:8" "str:/phpmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000014 "s:$UWA:8" "str:/phpmy" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000015 "s:$UWA:8" "str:/phpmy-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000016 "s:$UWA:8" "str:/phpmyadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000017 "s:$UWA:8" "str:/phppgadmin " "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000018 "s:$UWA:8" "str:/pma" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000019 "s:$UWA:8" "str:/sql-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000020 "s:$UWA:8" "str:/sqladmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000021 "s:$UWA:8" "str:/sqlweb" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000022 "s:$UWA:8" "str:/sysadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000023 "s:$UWA:8" "str:/webadmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000024 "s:$UWA:8" "str:/webdb" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000025 "s:$UWA:8" "str:/websql" "mz:URL" "msg:SQL Admin Interface";
+
+# Block PHPUnit eval-stdin.php CVE-2017-9841
+MainRule id:40000026 "s:$UWA:8" "str:eval-stdin.php" "mz:URL" "msg:CVE-2017-9841";
+
+# Block PHP easter egg which normally can be disabled via expose_php = off
+MainRule id:40000027 "s:$UWA:8" "rx:PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" "mz:URL|BODY|ARGS" "msg:PHP easter egg credits";
+
+# Block PHP Xdebug
+MainRule id:40000028 "s:$UWA:8" "str:XDEBUG_SESSION" "mz:ANY" "msg:Block PHP Xdebug";
+
+# Block PHPinfo access
+MainRule id:40000029 "s:$UWA:8" "str:phpinfo" "mz:URL|BODY|ARGS" "msg:PHPinfo access";
+
+# Block known php installer exploit
+MainRule id:40000030 "s:$UWA:8" "str:install.php" "mz:URL" "msg:Access to php install";
+
+# Block more sql admin interface
+MainRule id:40000031 "s:$UWA:8" "str:/mysql-admin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000032 "s:$UWA:8" "str:/mysqladmin" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000033 "s:$UWA:8" "str:/sqlmanager" "mz:URL" "msg:SQL Admin Interface";
+MainRule id:40000034 "s:$UWA:8" "str:/mysql/" "mz:URL" "msg:SQL Admin Interface";
+
+# Block access to Lavarel telescope since it allows to read logs and SQL queries
+MainRule id:40000035 "s:$UWA:8" "str:/telescope/" "mz:URL" "msg:Access to Lavarel telescope";
+
+# Block access to adminer/phpMinAdmin sql admin interface
+MainRule id:40000036 "s:$UWA:8" "str:adminer" "mz:URL" "msg:SQL Admin Interface";
+
+# Block access to Symfony Web Framework dev mode.
+MainRule id:40000037 "s:$UWA:8" "str:app_dev" "mz:URL" "msg:Symfony Web Framework dev mode";
+
+# phpstorm in request
+MainRule id:40000038 "s:$UWA:8" "str:phpstorm" "mz:URL|ARGS|HEADERS" "msg:phpstorm in request";

containers/conf/angie/naxsi_rules/blocking/blocking/50000000_sql_injection.rules

@@ -0,0 +1,15 @@
+#######################################
+## SQL Injection ids: 50000000       ##
+#######################################
+
+# Transact-SQL General Extended Stored Procedures
+# https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/general-extended-stored-procedures-transact-sql
+MainRule id:50000000 "s:$SQL:8" "rx:xp_(cmdshell|enumgroups|grantlogin|logevent|loginconfig|logininfo|msver|revokelogin|sprintf|sqlmaint|sscanf)" "mz:BODY|HEADERS|ARGS|URL" "msg:Transact-SQL GESP";
+
+# Classic SQL injection
+MainRule id:50000001 "s:$SQL:8" "rx:(CHAR|CONCAT|CONCAT_WS)\([0-9a-fx,]+\)" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";
+MainRule id:50000002 "s:$SQL:8" "rx:SLEEP(\s+)?\(" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";
+MainRule id:50000003 "s:$SQL:8" "rx:\bBENCHMARK\b\([0-9,]+.+\)" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";
+MainRule id:50000004 "s:$SQL:8" "rx:\b(UNION|INFORMATION_SCHEMA)\b.*(#|--|\*)" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";
+MainRule id:50000005 "s:$SQL:8" "rx:(MD\d|SHA\d+)(\s+)?\(" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";
+MainRule id:50000006 "s:$SQL:8" "rx:DBMS_PIPE|RECEIVE_MESSAGE|WAITFOR|DELAY" "mz:BODY|HEADERS|ARGS|URL" "msg:SQL Injection";