
==========================================================
 DO NOT USE THESE RULES DIRECTLY!

 USING THESE RULES DIRECTLY WILL RESULT IN A LARGE
 NUMBER OF FALSE POSITIVES (PROBLEMS). PLEASE USE
 THEM ONLY AS GUIDELINES AND FOR EDUCATION.
----------------------------------------------------------

 To create an up-to-date set of rules, follow
 these steps:

 # wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
 # tar zxvf snortrules-snapshot-CURRENT.tar.gz
 # cat README.first > snortmodsec-rules.txt
 # ./snort2modsec.pl rules/* >> snortmodsec-rules.txt

==========================================================
# ATTACK-RESPONSES directory listing
SecFilter "Volume Serial Number"

# ATTACK-RESPONSES command completed
SecFilter "Command completed"

# ATTACK-RESPONSES command error
SecFilter "Bad command or filename"

# ATTACK-RESPONSES Invalid URL
SecFilter "Invalid URL"

# ATTACK-RESPONSES index of /cgi-bin/ response
SecFilter "Index of /cgi-bin/"

# ATTACK-RESPONSES 403 Forbidden
SecFilter "HTTP/1\.1 403"

# ATTACK-RESPONSES id check returned userid
SecFilter " gid="

# ATTACK-RESPONSES oracle one hour install
SecFilter "Oracle Applications One-Hour Install"

# ATTACK-RESPONSES successful kadmind buffer overflow attempt
SecFilter "*GOBBLE*"

# ATTACK-RESPONSES successful kadmind buffer overflow attempt
SecFilter "*GOBBLE*"

# ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE
SecFilter "*GOBBLE*"

# ATTACK-RESPONSES successful gobbles ssh exploit uname
SecFilter "uname"

# ATTACK-RESPONSES rexec username too long response
SecFilter "username too long"

# ATTACK-RESPONSES Microsoft cmd.exe banner
SecFilter "Microsoft Corp\."

# BACKDOOR subseven DEFCON8 2.1 access
SecFilter "PWD"

# BACKDOOR netbus active
SecFilter "NetBus"

# BACKDOOR netbus active
SecFilter "NetBus"

# BACKDOOR DeepThroat 3.1 Connection attempt
SecFilter "00"

# BACKDOOR DeepThroat 3.1 Server Response
SecFilter "Ahhhh My Mouth Is Open"

# BACKDOOR DeepThroat 3.1 Connection attempt [3150]
SecFilter "00"

# BACKDOOR DeepThroat 3.1 Server Response [3150]
SecFilter "Ahhhh My Mouth Is Open"

# BACKDOOR DeepThroat 3.1 Connection attempt [4120]
SecFilter "00"

# BACKDOOR DeepThroat 3.1 Server Response [4120]
SecFilter "Ahhhh My Mouth Is Open"

# BACKDOOR Doly 2.0 access
SecFilter "Wtzup Use"

# BACKDOOR Doly 1.5 server response
SecFilter "Connected\."

# BACKDOOR ACKcmdC trojan scan
SecFilter ""

# BACKDOOR QAZ Worm Client Login access
SecFilter "qazwsx\.hsq"

# BACKDOOR Infector.1.x
SecFilter "WHATISIT"

# BACKDOOR Infector 1.6 Server to Client
SecFilter "WHATISIT"

# BACKDOOR Infector 1.6 Client to Server Connection Request
SecFilter "FC "

# BACKDOOR HackAttack 1.20 Connect
SecFilter "host"

# BACKDOOR GirlFriendaccess
SecFilter "Girl"

# BACKDOOR NetSphere access
SecFilter "NetSphere"

# BACKDOOR GateCrasher
SecFilter "GateCrasher"

# BACKDOOR DonaldDick 1.53 Traffic
SecFilter "pINg"

# BACKDOOR NetSphere 1.31.337 access
SecFilter "NetSphere"

# BACKDOOR BackConstruction 2.1 Client FTP Open Request
SecFilter "FTPON"

# BACKDOOR BackConstruction 2.1 Server FTP Open Reply
SecFilter "FTP Port open"

# BACKDOOR NetMetro File List
SecFilter "--"

# BACKDOOR Matrix 2.0 Client connect
SecFilter "activate"

# BACKDOOR Matrix 2.0 Server access
SecFilter "logged in"

# BACKDOOR SIGNATURE - Q ICMP
SecFilter ""

# BACKDOOR Q access
SecFilter ""

# BACKDOOR CDK
SecFilter "ypi0ca"

# BACKDOOR PhaseZero Server Active on Network
SecFilter "phAse"

# BACKDOOR w00w00 attempt
SecFilter "w00w00"

# BACKDOOR attempt
SecFilter "backdoor"

# BACKDOOR MISC r00t attempt
SecFilter "r00t"

# BACKDOOR MISC rewt attempt
SecFilter "rewt"

# BACKDOOR MISC Linux rootkit attempt
SecFilter "wh00t!"

# BACKDOOR MISC Linux rootkit attempt lrkr0x
SecFilter "lrkr0x"

# BACKDOOR MISC Linux rootkit attempt
SecFilter "d13hh\["

# BACKDOOR MISC Linux rootkit satori attempt
SecFilter "satori"

# BACKDOOR MISC sm4ck attempt
SecFilter "hax0r"

# BACKDOOR MISC Solaris 2.5 attempt
SecFilter "friday"

# BACKDOOR HidePak backdoor attempt
SecFilter "StoogR"

# BACKDOOR HideSource backdoor attempt
SecFilter "wank"

# BACKDOOR hack-a-tack attempt
SecFilter "A"

# BACKDOOR fragroute trojan connection attempt
SecFilter ""

# BACKDOOR win-trin00 connection attempt
SecFilter "png \[\]\.\.Ks l44"

# BACKDOOR TCPDUMP/PCAP trojan traffic
SecFilter ""

# BACKDOOR typot trojan traffic
SecFilter ""

# BAD-TRAFFIC tcp port 0 traffic
SecFilter ""

# BAD-TRAFFIC udp port 0 traffic
SecFilter ""

# BAD-TRAFFIC data in TCP SYN packet
SecFilter ""

# BAD-TRAFFIC loopback traffic
SecFilter ""

# BAD-TRAFFIC same SRC/DST
SecFilter ""

# BAD-TRAFFIC ip reserved bit set
SecFilter ""

# BAD-TRAFFIC 0 ttl
SecFilter ""

# BAD-TRAFFIC Unassigned/Reserved IP protocol
SecFilter ""

# BAD-TRAFFIC syn to multicast address
SecFilter ""

# BAD-TRAFFIC IP Proto 53 SWIPE
SecFilter ""

# BAD-TRAFFIC IP Proto 55 IP Mobility
SecFilter ""

# BAD-TRAFFIC IP Proto 77 Sun ND
SecFilter ""

# BAD-TRAFFIC IP Proto 103 PIM
SecFilter ""

# CHAT ICQ forced user addition
SecFilter "\[ICQ User\]"

# CHAT MSN message
SecFilter "text/plain"

# CHAT MSN file transfer request
SecFilter "File Transfer"

# CHAT MSN file transfer accept
SecFilter "ACCEPT"

# CHAT MSN file transfer reject
SecFilter "REJECT"

# CHAT MSN user search
SecFilter "CAL "

# CHAT MSN login attempt
SecFilter " TWN "

# CHAT IRC nick change
SecFilter "NICK "

# CHAT IRC message
SecFilter "PRIVMSG "

# CHAT IRC dns request
SecFilter "USERHOST "

# CHAT IRC dns response
SecFilter "=\+"

# CHAT Yahoo IM message
SecFilter "YMSG"

# CHAT Yahoo IM webcam request
SecFilter "<R"

# DDOS TFN Probe
SecFilter "1234"

# DDOS tfn2k icmp possible communication
SecFilter "AAAAAAAAAA"

# DDOS Trin00 Daemon to Master PONG message detected
SecFilter "PONG"

# DDOS TFN client command BE
SecFilter ""

# DDOS shaft client to handler
SecFilter ""

# DDOS Trin00 Daemon to Master message detected
SecFilter "l44"

# DDOS Trin00 Daemon to Master *HELLO* message detected
SecFilter "*HELLO*"

# DDOS Trin00 Attacker to Master default startup password
SecFilter "betaalmostdone"

# DDOS Trin00 Attacker to Master default password
SecFilter "gOrave"

# DDOS Trin00 Attacker to Master default mdie password
SecFilter "killme"

# DDOS Trin00 Master to Daemon default password attempt
SecFilter "l44adsl"

# DDOS TFN server response
SecFilter "shell bound to port"

# DDOS shaft handler to agent
SecFilter "alive tijgu"

# DDOS shaft agent to handler
SecFilter "alive"

# DDOS shaft synflood
SecFilter ""

# DDOS mstream agent to handler
SecFilter "newserver"

# DDOS mstream handler to agent
SecFilter "stream/"

# DDOS mstream handler ping to agent
SecFilter "ping"

# DDOS mstream agent pong to handler
SecFilter "pong"

# DDOS mstream client to handler
SecFilter ">"

# DDOS mstream handler to client
SecFilter ">"

# DDOS mstream client to handler
SecFilter ""

# DDOS mstream handler to client
SecFilter ">"

# DDOS - TFN client command LE
SecFilter ""

# DDOS Stacheldraht server spoof
SecFilter ""

# DDOS Stacheldraht gag server response
SecFilter "sicken"

# DDOS Stacheldraht server response
SecFilter "ficken"

# DDOS Stacheldraht client spoofworks
SecFilter "spoofworks"

# DDOS Stacheldraht client check gag
SecFilter "gesundheit!"

# DDOS Stacheldraht client check skillz
SecFilter "skillz"

# DDOS Stacheldraht handler->agent niggahbitch
SecFilter "niggahbitch"

# DDOS Stacheldraht agent->handler skillz
SecFilter "skillz"

# DDOS Stacheldraht handler->agent ficken
SecFilter "ficken"

# FINGER probe 0 attempt
SecFilter "0"

# MISC Invalid PCAnywhere Login
SecFilter "Invalid login"

# MISC ramen worm incoming
SecFilter "GET "

# INFO Outbound GNUTella client request
SecFilter "GNUTELLA OK"

# P2P Inbound GNUTella client request
SecFilter "GNUTELLA CONNECT"

# WEB-MISC O'Reilly args.bat access
SecFilterSelective THE_REQUEST "/cgi-dos/args\.bat"

# WEB-CGI edit.pl access
SecFilterSelective THE_REQUEST "/edit\.pl"

# EXPERIMENTAL WEB-IIS .htr request
SecFilterSelective THE_REQUEST "\.htr" log,pass

# WEB-MISC prefix-get //
SecFilterSelective THE_REQUEST "get //"

# EXPERIMENTAL WEB-IIS .NET trace.axd access
SecFilterSelective THE_REQUEST "/traace\.axd"

# WEB-MISC iPlanet ../../ DOS attempt
SecFilterSelective THE_REQUEST "/\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./\.\./" chain
SecFilter "GET "

# ATTACK RESPONSES directory listing
SecFilter "Directory of"

# ORACLE execute_system attempt
SecFilter "EXECUTE_SYSTEM"

# X11 outbound client connection detected
SecFilter ""

# WEB-CGI swc attempt
SecFilterSelective THE_REQUEST "/swc"

# WEB-FRONTPAGE rad overflow attempt
SecFilterSelective THE_REQUEST "/fp30reg\.dll"

# WEB-FRONTPAGE rad overflow attempt
SecFilterSelective THE_REQUEST "/fp4areg\.dll"

# IMAP EXPLOIT partial body overflow attempt
SecFilter " x PARTIAL 1 BODY\["

# NNTP Cassandra Overflow
SecFilter "AUTHINFO USER"

# WEB-CGI w3-msql solaris x86  access
SecFilterSelective THE_REQUEST "/bin/shA-cA/usr/openwin"

# EXPLOIT bootp x86 bsd overfow
SecFilter "echo netrjs stre"

# BACKDOOR netbus active
SecFilter "NetBus"

# BACKDOOR DeepThroat 3.1 Server Active on Network
SecFilter ""

# BACKDOOR DeepThroat 3.1 Keylogger on Server ON
SecFilter "KeyLogger Is Enabled On port"

# BACKDOOR DeepThroat 3.1 Show Picture Client Request
SecFilter "22"

# BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request
SecFilter "32"

# BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request
SecFilter "33"

# BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request
SecFilter "34"

# BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request
SecFilter "110"

# BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request
SecFilter "35"

# BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request
SecFilter "70"

# BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request
SecFilter "71"

# BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request
SecFilter "31"

# BACKDOOR DeepThroat 3.1 Resolution Change Client Request
SecFilter "125"

# BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request
SecFilter "04"

# BACKDOOR DeepThroat 3.1 Keylogger on Server OFF
SecFilter "KeyLogger Shut Down"

# BACKDOOR DeepThroat 3.1 FTP Server Port Client Request
SecFilter "21"

# BACKDOOR DeepThroat 3.1 Process List Client request
SecFilter "64"

# BACKDOOR DeepThroat 3.1 Close Port Scan Client Request
SecFilter "121"

# BACKDOOR DeepThroat 3.1 Registry Add Client Request
SecFilter "89"

# BACKDOOR DeepThroat 3.1 System Info Client Request
SecFilter "13"

# BACKDOOR DeepThroat 3.1 FTP Status Client Request
SecFilter "09"

# BACKDOOR DeepThroat 3.1 E-Mail Info From Server
SecFilter "Retreaving"

# BACKDOOR DeepThroat 3.1 E-Mail Info Client Request
SecFilter "12"

# BACKDOOR DeepThroat 3.1 Server Status From Server
SecFilter "Host"

# BACKDOOR DeepThroat 3.1 Server Status Client Request
SecFilter "10"

# BACKDOOR DeepThroat 3.1 Drive Info From Server
SecFilter "C - "

# BACKDOOR DeepThroat 3.1 System Info From Server
SecFilter "Comp Name"

# BACKDOOR DeepThroat 3.1 Drive Info Client Request
SecFilter "130"

# BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server
SecFilter "FTP Server changed to"

# BACKDOOR DeepThroat 3.1 Cached Passwords Client Request
SecFilter "16"

# BACKDOOR DeepThroat 3.1 RAS Passwords Client Request
SecFilter "17"

# BACKDOOR DeepThroat 3.1 Server Password Change Client Request
SecFilter "91"

# BACKDOOR DeepThroat 3.1 Server Password Remove Client Request
SecFilter "92"

# BACKDOOR DeepThroat 3.1 Rehash Client Request
SecFilter "911"

# BACKDOOR DeepThroat 3.1 Server Rehash Client Request
SecFilter "shutd0wnM0therF***eR"

# BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request
SecFilter "88"

# BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request
SecFilter "40"

# BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request
SecFilter "20"

# BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network
SecFilter ""

# BACKDOOR DeepThroat 3.1 Wrong Password
SecFilter "Wrong Password"

# BACKDOOR DeepThroat 3.1 Visible Window List Client Request
SecFilter "37"

# BACKDOOR DeepThroat access
SecFilter "--Ahhhhhhhhhh"

# BACKDOOR DeepThroat 3.1 Monitor on/off Client Request
SecFilter "07"

# BACKDOOR DeepThroat 3.1 Delete File Client Request
SecFilter "41"

# BACKDOOR DeepThroat 3.1 Kill Window Client Request
SecFilter "38"

# BACKDOOR DeepThroat 3.1 Disable Window Client Request
SecFilter "23"

# BACKDOOR DeepThroat 3.1 Enable Window Client Request
SecFilter "24"

# BACKDOOR DeepThroat 3.1 Change Window Title Client Request
SecFilter "60"

# BACKDOOR DeepThroat 3.1 Hide Window Client Request
SecFilter "26"

# BACKDOOR DeepThroat 3.1 Show Window Client Request
SecFilter "25"

# BACKDOOR DeepThroat 3.1 Send Text to Window Client Request
SecFilter "63"

# BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request
SecFilter "30"

# BACKDOOR DeepThroat 3.1 Create Directory Client Request
SecFilter "39"

# BACKDOOR DeepThroat 3.1 All Window List Client Request
SecFilter "370"

# BACKDOOR DeepThroat 3.1 Play Sound Client Request
SecFilter "36"

# BACKDOOR DeepThroat 3.1 Run Program Normal Client Request
SecFilter "14"

# BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request
SecFilter "15"

# BACKDOOR DeepThroat 3.1 Get NET File Client Request
SecFilter "100"

# BACKDOOR DeepThroat 3.1 Find File Client Request
SecFilter "117"

# BACKDOOR DeepThroat 3.1 Find File Client Request
SecFilter "118"

# BACKDOOR DeepThroat 3.1 HUP Modem Client Request
SecFilter "199"

# BACKDOOR DeepThroat 3.1 CD ROM Open Client Request
SecFilter "02"

# BACKDOOR DeepThroat 3.1 CD ROM Close Client Request
SecFilter "03"

# BACKDOOR DeepThroat 3.1 Keylogger Active on Network
SecFilter "KeyLogger Is Enabled On port"

# FTP EXPLOIT overflow
SecFilter "XXXXX/"

# FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic
SecFilter " %p"

# FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check
SecFilter "f%\.f%\.f%\.f%\.f%\."

# FTP EXPLOIT wu-ftpd 2.6.0
SecFilter "\.\.11venglin@"

# FTP EXPLOIT MKD overflow
SecFilter "MKD AAAAAA"

# ICMP Traceroute ipopts
SecFilter ""

# RPC portmap request yppasswdd
SecFilter ""

# RPC portmap request yppasswdd
SecFilter ""

# RPC portmap listing
SecFilter ""

# RPC portmap listing
SecFilter ""

# BAD TRAFFIC Non-Standard IP protocol
SecFilter ""

# WEB-CGI webstore directory traversal
SecFilterSelective THE_REQUEST "/web_store\.cgi\?page=\.\./\.\."

# DOS Land attack
SecFilter ""

# WEB-MISC Cisco Web DOS attempt
SecFilter " /%%"

# Virus - SnowWhite Trojan Incoming
SecFilter "Suddlently"

# Virus - Possible NAVIDAD Worm
SecFilter "NAVIDAD\.EXE"

# Virus - Possible MyRomeo Worm
SecFilter "myromeo\.exe"

# Virus - Possible MyRomeo Worm
SecFilter "myjuliet\.chm"

# Virus - Possible MyRomeo Worm
SecFilter "ble bla"

# Virus - Possible MyRomeo Worm
SecFilter "I Love You"

# Virus - Possible MyRomeo Worm
SecFilter "Sorry\.\.\. Hey you !"

# Virus - Possible MyRomeo Worm
SecFilter "my picture from shake-beer"

# Virus - Possible QAZ Worm
SecFilter "qazwsx\.hsq"

# Virus - Possible QAZ Worm Calling Home
SecFilter "nongmin_cn"

# Virus - Possible Matrix worm
SecFilter "Software provide by \[MATRiX\]"

# Virus - Possible MyRomeo Worm
SecFilter "Matrix has you\.\.\."

# Virus - Successful eurocalculator execution
SecFilter "funguscrack@hotmail\.com"

# Virus - Possible eurocalculator.exe file
SecFilter "eurocalculator\.exe"

# Virus - Possible Pikachu Pokemon Virus
SecFilter "Pikachu Pokemon"

# Virus - Possible NAIL Worm
SecFilter "Market share tipoff"

# Virus - Possible NAIL Worm
SecFilter "New Developments"

# Virus - Possible NAIL Worm
SecFilter "Good Times"

# Virus - Possible Freelink Worm
SecFilter "LINKS\.VBS"

# Virus - Possible Bubbleboy Worm
SecFilter "BubbleBoy is back!"

# Virus - Possible Worm -  txt.vbs file
SecFilter "\.txt\.vbs"

# Virus - Possible Worm - xls.vbs file
SecFilter "\.xls\.vbs"

# Virus - Possible Worm - jpg.vbs file
SecFilter "\.jpg\.vbs"

# Virus - Possible Worm -  gif.vbs file
SecFilter "\.gif\.vbs"

# Virus - Possible Worm - doc.vbs file
SecFilter "\.doc\.vbs"

# VIRUS Klez Incoming
SecFilter "VGhpcyBwcm9"

# SMTP XEXCH50 overflow with evasion attempt
SecFilter "-0"

# WEB-IIS multiple decode attempt
SecFilterSelective THE_REQUEST "\.\."

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.js\x2570"

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.j\x2573p"

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.\x256Asp"

# WEB-CGI faxsurvey attempt full path
SecFilterSelective THE_REQUEST "/faxsurvey\?/"

# WEB-CGI faxsurvey arbitrary file read attempt
SecFilterSelective THE_REQUEST "/faxsurvey\?cat\x20"

# Virus - Possible QAZ Worm Infection
SecFilter "qazwsx\.hsq"

# WEB-MISC ?open access
SecFilterSelective THE_REQUEST "\?open" log,pass

# WEB-MISC mkilog.exe access
SecFilterSelective THE_REQUEST "/mkilog\.exe" log,pass

# SCAN nmap TCP
SecFilter ""

# SCAN nmap fingerprint attempt
SecFilter ""

# DNS EXPLOIT named 8.2->8.2.1
SecFilter "\.\./\.\./\.\./"

# DNS EXPLOIT named overflow ADM
SecFilter "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"

# DNS EXPLOIT named overflow ADMROCKS
SecFilter "ADMROCKS"

# DOS Jolt attack
SecFilter ""

# DOS Teardrop attack
SecFilter ""

# DOS UDP echo+chargen bomb
SecFilter ""

# DOS ath
SecFilter "\+\+\+ath"

# DOS NAPTHA
SecFilter ""

# DOS Real Server template.html
SecFilter "/viewsource/template\.html\?"

# DOS Real Server template.html
SecFilter "/viewsource/template\.html\?"

# DOS Bay/Nortel Nautica Marlin
SecFilter ""

# DOS Ascend Route
SecFilter "NAMENAME"

# DOS arkiea backup
SecFilter ""

# DOS Winnuke attack
SecFilter ""

# DOS MSDTC attempt
SecFilter ""

# DOS DB2 dos attempt
SecFilter ""

# DOS BGP spoofed connection reset attempt
SecFilter ""

# EXPLOIT ssh CRC32 overflow /bin/sh
SecFilter "/bin/sh"

# EXPLOIT VQServer admin
SecFilter "GET / HTTP/1\.1"

# EXPLOIT ntpdx overflow attempt
SecFilter ""

# EXPLOIT rwhoisd format string attempt
SecFilter "-soa %p"

# EXPLOIT CDE dtspcd exploit attempt
SecFilter "1"

# EXPLOIT kadmind buffer overflow attempt
SecFilter "/shh//bi"

# EXPLOIT kadmind buffer overflow attempt
SecFilter "/shh//bi"

# EXPLOIT gobbles SSH exploit attempt
SecFilter "GOBBLES"

# EXPLOIT SSH server banner overflow
SecFilter "SSH-"

# EXPLOIT CHAT IRC Ettercap parse overflow attempt
SecFilter "IDENTIFY"

# EXPLOIT ebola PASS overflow attempt
SecFilter "PASS"

# EXPLOIT ebola USER overflow attempt
SecFilter "USER"

# EXPLOIT IGMP IGAP account overflow attempt
SecFilter ""

# EXPLOIT IGMP IGAP message overflow attempt
SecFilter ""

# EXPLOIT EIGRP prefix length overflow attempt
SecFilter ""

# EXPLOIT esignal STREAMQUOTE buffer overflow attempt
SecFilter "<STREAMQUOTE>"

# EXPLOIT esignal SNAPQUOTE buffer overflow attempt
SecFilter "<SNAPQUOTE>"

# EXPLOIT AFP FPLoginExt username buffer overflow attempt
SecFilter "cleartxt passwrd"

# EXPLOIT Oracle Web Cache GET overflow attempt
SecFilter "GET"

# EXPLOIT Oracle Web Cache HEAD overflow attempt
SecFilter "HEAD"

# EXPLOIT Oracle Web Cache PUT overflow attempt
SecFilter "PUT"

# EXPLOIT Oracle Web Cache POST overflow attempt
SecFilter "POST"

# EXPLOIT Oracle Web Cache TRACE overflow attempt
SecFilter "TRACE"

# EXPLOIT Oracle Web Cache DELETE overflow attempt
SecFilter "DELETE"

# EXPLOIT Oracle Web Cache LOCK overflow attempt
SecFilter "LOCK"

# EXPLOIT Oracle Web Cache MKCOL overflow attempt
SecFilter "MKCOL"

# EXPLOIT Oracle Web Cache COPY overflow attempt
SecFilter "COPY"

# EXPLOIT Oracle Web Cache MOVE overflow attempt
SecFilter "MOVE"

# FINGER cmd_rootsh backdoor attempt
SecFilter "cmd_rootsh"

# FINGER account enumeration attempt
SecFilter "a b c d e f"

# FINGER search query
SecFilter "search"

# FINGER root query
SecFilter "root"

# FINGER bomb attempt
SecFilter "@@"

# FINGER redirection attempt
SecFilter "@"

# FINGER 0 query
SecFilter "0"

# FINGER . query
SecFilter "\."

# FINGER version query
SecFilter "version"

# FTP MDTM overflow attempt
SecFilter "MDTM"

# FTP XMKD overflow attempt
SecFilter "XMKD"

# FTP NLST overflow attempt
SecFilter "NLST"

# FTP ALLO overflow attempt
SecFilter "ALLO"

# FTP RNTO overflow attempt
SecFilter "RNTO"

# FTP STOU overflow attempt
SecFilter "STOU"

# FTP APPE overflow attempt
SecFilter "APPE"

# FTP RETR overflow attempt
SecFilter "RETR"

# FTP STOR overflow attempt
SecFilter "STOR"

# FTP CEL overflow attempt
SecFilter "CEL"

# FTP XCWD overflow attempt
SecFilter "XCWD"

# FTP CWD overflow attempt
SecFilter "CWD"

# FTP CMD overflow attempt
SecFilter "CMD"

# FTP STAT overflow attempt
SecFilter "STAT"

# FTP SITE CHMOD overflow attempt
SecFilter "CHMOD"

# FTP SITE CHOWN overflow attempt
SecFilter "CHOWN"

# FTP SITE NEWER overflow attempt
SecFilter "NEWER"

# FTP SITE CPWD overflow attempt
SecFilter "CPWD"

# FTP SITE EXEC format string attempt
SecFilter "EXEC"

# FTP SITE overflow attempt
SecFilter "SITE"

# FTP USER overflow attempt
SecFilter "USER"

# FTP PASS overflow attempt
SecFilter "PASS"

# FTP RMDIR overflow attempt
SecFilter "RMDIR"

# FTP MKD overflow attempt
SecFilter "MKD"

# FTP REST overflow attempt
SecFilter "REST"

# FTP DELE overflow attempt
SecFilter "DELE"

# FTP RMD overflow attempt
SecFilter "RMD"

# FTP invalid MODE
SecFilter "MODE"

# FTP large PWD command
SecFilter "PWD"

# FTP large SYST command
SecFilter "SYST"

# FTP SITE ZIPCHK overflow attempt
SecFilter "ZIPCHK"

# FTP SITE NEWER attempt
SecFilter "NEWER"

# FTP SITE EXEC attempt
SecFilter "EXEC"

# FTP EXPLOIT STAT * dos attempt
SecFilter "*"

# FTP EXPLOIT STAT ? dos attempt
SecFilter "\?"

# FTP tar parameters
SecFilter " --use-compress-program "

# FTP CWD ~root attempt
SecFilter "~root"

# FTP CWD ...
SecFilter "\.\.\."

# FTP CWD ~ attempt
SecFilter "CWD"

# FTP serv-u directory transversal
SecFilter "\.\x20\."

# FTP wu-ftp bad file completion attempt [
SecFilter "\["

# FTP wu-ftp bad file completion attempt {
SecFilter "\{"

# FTP format string attempt
SecFilter "%p"

# FTP RNFR ././ attempt
SecFilter " \./\./"

# FTP command overflow attempt
SecFilter ""

# FTP LIST directory traversal attempt
SecFilter "\.\."

# FTP .forward
SecFilter "\.forward"

# FTP .rhosts
SecFilter "\.rhosts"

# FTP authorized_keys
SecFilter "authorized_keys"

# FTP passwd retrieval attempt
SecFilter "passwd"

# FTP shadow retrieval attempt
SecFilter "shadow"

# FTP ADMw0rm ftp login attempt
SecFilter "w0rm"

# FTP iss scan
SecFilter "pass -iss@iss"

# FTP pass wh00t
SecFilter "pass wh00t"

# FTP piss scan
SecFilter "pass -cklaus"

# FTP saint scan
SecFilter "pass -saint"

# FTP satan scan
SecFilter "pass -satan"

# FTP USER format string attempt
SecFilter "USER"

# FTP PASS format string attempt
SecFilter "PASS"

# FTP MKDIR format string attempt
SecFilter "MKDIR"

# FTP RENAME format string attempt
SecFilter "RENAME"

# FTP LIST buffer overflow attempt
SecFilter "LIST"

# FTP LIST integer overflow attempt
SecFilter "LIST"

# FTP Yak! FTP server default account login attempt
SecFilter "y049575046"

# FTP RMD / attempt
SecFilter "RMD"

# FTP invalid MDTM command attempt
SecFilter "MDTM"

# FTP format string attempt
SecFilter "%"

# 
SecFilter ""

# 
SecFilter ""

# ICMP IRDP router advertisement
SecFilter ""

# ICMP IRDP router selection
SecFilter ""

# ICMP PING Delphi-Piette Windows
SecFilter "Pinging from Del"

# ICMP PING LINUX/*BSD
SecFilter ""

# ICMP PING Microsoft Windows
SecFilter "0123456789abcdefghijklmnop"

# ICMP PING Network Toolbox 3 Windows
SecFilter "================"

# ICMP PING Ping-O-MeterWindows
SecFilter "OMeterObeseArmad"

# ICMP PING Sun Solaris
SecFilter ""

# ICMP PING Windows
SecFilter "abcdefghijklmnop"

# ICMP traceroute
SecFilter ""

# ICMP PING
SecFilter ""

# ICMP Address Mask Reply
SecFilter ""

# ICMP Address Mask Reply undefined code
SecFilter ""

# ICMP Address Mask Request
SecFilter ""

# ICMP Address Mask Request undefined code
SecFilter ""

# ICMP Alternate Host Address
SecFilter ""

# ICMP Alternate Host Address undefined code
SecFilter ""

# ICMP Datagram Conversion Error
SecFilter ""

# ICMP Datagram Conversion Error undefined code
SecFilter ""

# ICMP Destination Unreachable Destination Host Unknown
SecFilter ""

# ICMP Destination Unreachable Destination Network Unknown
SecFilter ""

# ICMP Destination Unreachable Fragmentation Needed and DF bit was set
SecFilter ""

# ICMP Destination Unreachable Host Precedence Violation
SecFilter ""

# ICMP Destination Unreachable Host Unreachable for Type of Service
SecFilter ""

# ICMP Destination Unreachable Host Unreachable
SecFilter ""

# ICMP Destination Unreachable Network Unreachable for Type of Service
SecFilter ""

# ICMP Destination Unreachable Network Unreachable
SecFilter ""

# ICMP Destination Unreachable Port Unreachable
SecFilter ""

# ICMP Destination Unreachable Precedence Cutoff in effect
SecFilter ""

# ICMP Destination Unreachable Protocol Unreachable
SecFilter ""

# ICMP Destination Unreachable Source Host Isolated
SecFilter ""

# ICMP Destination Unreachable Source Route Failed
SecFilter ""

# ICMP Destination Unreachable cndefined code
SecFilter ""

# ICMP Echo Reply
SecFilter ""

# ICMP Echo Reply undefined code
SecFilter ""

# ICMP Fragment Reassembly Time Exceeded
SecFilter ""

# ICMP IPV6 I-Am-Here
SecFilter ""

# ICMP IPV6 I-Am-Here undefined code
SecFilter ""

# ICMP IPV6 Where-Are-You
SecFilter ""

# ICMP IPV6 Where-Are-You undefined code
SecFilter ""

# ICMP Information Reply
SecFilter ""

# ICMP Information Reply undefined code
SecFilter ""

# ICMP Information Request
SecFilter ""

# ICMP Information Request undefined code
SecFilter ""

# ICMP Mobile Host Redirect
SecFilter ""

# ICMP Mobile Host Redirect undefined code
SecFilter ""

# ICMP Mobile Registration Reply
SecFilter ""

# ICMP Mobile Registration Reply undefined code
SecFilter ""

# ICMP Mobile Registration Request
SecFilter ""

# ICMP Mobile Registration Request undefined code
SecFilter ""

# ICMP Parameter Problem Bad Length
SecFilter ""

# ICMP Parameter Problem Missing a Required Option
SecFilter ""

# ICMP Parameter Problem Unspecified Error
SecFilter ""

# ICMP Parameter Problem undefined Code
SecFilter ""

# ICMP Photuris Reserved
SecFilter ""

# ICMP Photuris Unknown Security Parameters Index
SecFilter ""

# ICMP Photuris Valid Security Parameters, But Authentication Failed
SecFilter ""

# ICMP Photuris Valid Security Parameters, But Decryption Failed
SecFilter ""

# ICMP Photuris undefined code!
SecFilter ""

# ICMP Redirect for TOS and Host
SecFilter ""

# ICMP Redirect for TOS and Network
SecFilter ""

# ICMP Redirect undefined code
SecFilter ""

# ICMP Reserved for Security Type 19
SecFilter ""

# ICMP Reserved for Security Type 19 undefined code
SecFilter ""

# ICMP Router Advertisement
SecFilter ""

# ICMP Router Selection
SecFilter ""

# ICMP SKIP
SecFilter ""

# ICMP SKIP undefined code
SecFilter ""

# ICMP Source Quench undefined code
SecFilter ""

# ICMP Time-To-Live Exceeded in Transit
SecFilter ""

# ICMP Time-To-Live Exceeded in Transit undefined code
SecFilter ""

# ICMP Timestamp Reply
SecFilter ""

# ICMP Timestamp Reply undefined code
SecFilter ""

# ICMP Timestamp Request
SecFilter ""

# ICMP Timestamp Request undefined code
SecFilter ""

# ICMP Traceroute
SecFilter ""

# ICMP Traceroute undefined code
SecFilter ""

# ICMP unassigned type 1
SecFilter ""

# ICMP unassigned type 1 undefined code
SecFilter ""

# ICMP unassigned type 2
SecFilter ""

# ICMP unassigned type 2 undefined code
SecFilter ""

# ICMP unassigned type 7
SecFilter ""

# ICMP unassigned type 7 undefined code
SecFilter ""

# ICMP PING undefined code
SecFilter ""

# ICMP ISS Pinger
SecFilter "ISSPNGRQ"

# ICMP L3retriever Ping
SecFilter "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"

# ICMP PING NMAP
SecFilter ""

# ICMP icmpenum v1.1.1
SecFilter ""

# ICMP redirect host
SecFilter ""

# ICMP redirect net
SecFilter ""

# ICMP traceroute ipopts
SecFilter ""

# ICMP Source Quench
SecFilter ""

# ICMP Broadscan Smurf Scanner
SecFilter ""

# ICMP TJPingPro1.1Build 2 Windows
SecFilter "TJPingPro by Jim"

# ICMP PING WhatsupGold Windows
SecFilter "WhatsUp - A Netw"

# ICMP PING Sniffer Pro/NetXRay network scan
SecFilter "Cinco Network, Inc\."

# ICMP Destination Unreachable Communication Administratively Prohibited
SecFilter ""

# ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
SecFilter ""

# ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
SecFilter ""

# ICMP Large ICMP Packet
SecFilter ""

# IMAP login literal buffer overflow attempt
SecFilter "LOGIN"

# IMAP login buffer overflow attempt
SecFilter "LOGIN"

# IMAP authenticate literal overflow attempt
SecFilter "AUTHENTICATE"

# IMAP authenticate overflow attempt
SecFilter "AUTHENTICATE"

# IMAP auth literal overflow attempt
SecFilter "\{"

# IMAP auth overflow attempt
SecFilter "AUTH"

# IMAP lsub literal overflow attempt
SecFilter "LSUB"

# IMAP lsub overflow attempt
SecFilter "LSUB"

# IMAP list literal overflow attempt
SecFilter "LIST"

# IMAP list overflow attempt
SecFilter "LIST"

# IMAP rename literal overflow attempt
SecFilter "RENAME"

# IMAP rename overflow attempt
SecFilter "RENAME"

# IMAP find overflow attempt
SecFilter "FIND"

# IMAP partial body buffer overflow attempt
SecFilter "BODY\["

# IMAP partial body.peek buffer overflow attempt
SecFilter "BODY\.PEEK\["

# IMAP create buffer overflow attempt
SecFilter "CREATE"

# IMAP create literal buffer overflow attempt
SecFilter "CREATE"

# INFO Connection Closed MSG from Port 80
SecFilter "Connection closed by foreign host"

# INFO FTP no password
SecFilter "PASS"

# INFO battle-mail traffic
SecFilter "BattleMail"

# INFO FTP Bad login
SecFilter "530 "

# INFO TELNET Bad Login
SecFilter "Login failed"

# INFO TELNET Bad Login
SecFilter "Login incorrect"

# INFO psyBNC access
SecFilter "Welcome!psyBNC@lam3rz\.de"

# MISC source route lssr
SecFilter ""

# MISC source route lssre
SecFilter ""

# MISC source route ssrr
SecFilter ""

# MISC Source Port 20 to <1024
SecFilter ""

# MISC source port 53 to <1024
SecFilter ""

# MISC PCAnywhere Attempted Administrator Login
SecFilter "ADMINISTRATOR"

# MISC gopher proxy
SecFilter "@/"

# MISC PCAnywhere Failed Login
SecFilter "Invalid login"

# MISC Cisco Catalyst Remote Access
SecFilter ""

# MISC ramen worm
SecFilter "GET "

# MISC Tiny Fragments
SecFilter ""

# MISC UPnP malformed advertisement
SecFilter "NOTIFY * "

# MISC OpenSSL Worm traffic
SecFilter "TERM=xterm"

# MISC bootp hostname format string attempt
SecFilter "%"

# MISC GlobalSunTech Access Point Information Disclosure attempt
SecFilter "gstsearch"

# MISC CVS invalid repository response
SecFilter "I HATE YOU"

# MISC CVS invalid module response
SecFilter "error"

# MISC CVS non-relative path access attempt
SecFilter "Argument"

# MISC HP Web JetAdmin remote file upload attempt
SecFilter "Multipart" log,pass

# MISC HP Web JetAdmin setinfo access
SecFilter "/plugins/hpjdwm/script/test/setinfo\.hts" log,pass

# MISC HP Web JetAdmin file write attempt
SecFilter "WriteToFile" log,pass

# MISC rsync backup-dir directory traversal attempt
SecFilter "--backup-dir"

# MULTIMEDIA realplayer .ram playlist download attempt
SecFilterSelective THE_REQUEST "\.ram"

# MULTIMEDIA realplayer .rmp playlist download attempt
SecFilterSelective THE_REQUEST "\.rmp"

# MULTIMEDIA realplayer .smi playlist download attempt
SecFilterSelective THE_REQUEST "\.smi"

# MULTIMEDIA realplayer .rt playlist download attempt
SecFilterSelective THE_REQUEST "\.rt"

# MULTIMEDIA realplayer .rp playlist download attempt
SecFilterSelective THE_REQUEST "\.rp"

# NETBIOS RFParalyze Attempt
SecFilter "yep yep"

# NETBIOS DCEPRC ORPCThis request flood attempt
SecFilter "MEOW"

# NETBIOS SMB DCEPRC ORPCThis request flood attempt
SecFilter "MEOW"

# NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt
SecFilter "MEOW"

# NNTP return code buffer overflow attempt
SecFilter "200"

# NNTP AUTHINFO USER overflow attempt
SecFilter "USER"

# NNTP sendsys overflow attempt
SecFilter "sendsys"

# NNTP senduuname overflow attempt
SecFilter "senduuname"

# NNTP version overflow attempt
SecFilter "version"

# NNTP checkgroups overflow attempt
SecFilter "checkgroups"

# NNTP ihave overflow attempt
SecFilter "ihave"

# NNTP sendme overflow attempt
SecFilter "sendme"

# NNTP newgroup overflow attempt
SecFilter "newgroup"

# NNTP rmgroup overflow attempt
SecFilter "rmgroup"

# NNTP article post without path attempt
SecFilter "takethis"

# ORACLE EXECUTE_SYSTEM attempt
SecFilter "EXECUTE_SYSTEM"

# ORACLE select union attempt
SecFilter " union "

# ORACLE select like '%' attempt
SecFilter " like '%'"

# ORACLE describe attempt
SecFilter "describe "

# ORACLE all_constraints access
SecFilter "all_constraints"

# ORACLE all_views access
SecFilter "all_views"

# ORACLE all_source access
SecFilter "all_source"

# ORACLE all_tables access
SecFilter "all_tables"

# ORACLE all_tab_columns access
SecFilter "all_tab_columns"

# ORACLE all_tab_privs access
SecFilter "all_tab_privs"

# ORACLE dba_tablespace access
SecFilter "dba_tablespace"

# ORACLE dba_tables access
SecFilter "dba_tables"

# ORACLE user_tablespace access
SecFilter "user_tablespace"

# ORACLE sys.all_users access
SecFilter "sys\.all_users"

# ORACLE grant attempt
SecFilter " to "

# ORACLE ALTER USER attempt
SecFilter " identified by "

# ORACLE drop table attempt
SecFilter "drop table"

# ORACLE create table attempt
SecFilter "create table"

# ORACLE alter table attempt
SecFilter "alter table"

# ORACLE truncate table attempt
SecFilter "truncate table"

# ORACLE create database attempt
SecFilter "create database"

# ORACLE alter database attempt
SecFilter "alter database"

# OTHER-IDS ISS RealSecure 6 event collector connection attempt
SecFilter "6ISS ECNRA Built-In Provider, Strong Encryption"

# OTHER-IDS ISS RealSecure 6 daemon connection attempt
SecFilter "6ISS ECNRA Built-In Provider, Strong Encryption"

# P2P GNUTella GET
SecFilter "GET "

# P2P Outbound GNUTella client request
SecFilter "GNUTELLA CONNECT"

# P2P GNUTella client request
SecFilter "GNUTELLA OK"

# P2P Napster Client Data
SecFilter "\.mp3"

# P2P Napster Client Data
SecFilter "\.mp3"

# P2P Napster Client Data
SecFilter "\.mp3"

# P2P Napster Client Data
SecFilter "\.mp3"

# P2P Napster Server Login
SecFilter "anon@napster\.com"

# P2P Fastrack kazaa/morpheus GET request
SecFilter "GET "

# P2P BitTorrent announce request
SecFilter "event=started"

# POLICY FTP anonymous login attempt
SecFilter "USER"

# POLICY WinGate telnet server response
SecFilter "WinGate>"

# POLICY VNC server response
SecFilter "\.0"

# POLICY PCAnywhere server response
SecFilter "ST"

# POLICY SMTP relaying denied
SecFilter "550 5\.7\.1"

# POLICY HP JetDirect LCD modification attempt
SecFilter "@PJL RDYMSG DISPLAY ="

# POLICY HP JetDirect LCD modification attempt
SecFilter "@PJL RDYMSG DISPLAY ="

# POLICY poll.gotomypc.com access
SecFilter ""

# POLICY vncviewer Java applet download attempt
SecFilter "/vncviewer\.jar"

# POLICY FTP file_id.diz access possible warez site
SecFilter "file_id\.diz"

# POLICY FTP 'STOR 1MB' possible warez site
SecFilter "1MB"

# POLICY FTP 'RETR 1MB' possible warez site
SecFilter "1MB"

# POLICY FTP 'CWD  ' possible warez site
SecFilter "CWD  "

# POLICY FTP 'MKD  ' possible warez site
SecFilter "MKD  "

# POLICY FTP 'MKD .' possible warez site
SecFilter "MKD \."

# POLICY FTP 'CWD / ' possible warez site
SecFilter "/ "

# POLICY FTP 'MKD / ' possible warez site
SecFilter "/ "

# POP2 FOLD overflow attempt
SecFilter "FOLD"

# POP2 FOLD arbitrary file attempt
SecFilter "FOLD"

# POP3 DELE negative arguement attempt
SecFilter "DELE"

# POP3 UIDL negative arguement attempt
SecFilter "UIDL"

# POP3 USER overflow attempt
SecFilter "USER"

# POP3 CAPA overflow attempt
SecFilter "CAPA"

# POP3 TOP overflow attempt
SecFilter "TOP"

# POP3 STAT overflow attempt
SecFilter "STAT"

# POP3 DELE overflow attempt
SecFilter "DELE"

# POP3 RSET overflow attempt
SecFilter "RSET"

# POP3 AUTH overflow attempt
SecFilter "AUTH"

# POP3 LIST overflow attempt
SecFilter "LIST"

# POP3 XTND overflow attempt
SecFilter "XTND"

# POP3 PASS overflow attempt
SecFilter "PASS"

# POP3 APOP overflow attempt
SecFilter "APOP"

# POP3 USER format string attempt
SecFilter "%"

# POP3 APOP USER overflow attempt
SecFilter "APOP"

# PORN alt.binaries.pictures.erotica
SecFilter "alt\.binaries\.pictures\.erotica"

# PORN alt.binaries.pictures.tinygirls
SecFilter "alt\.binaries\.pictures\.tinygirls"

# PORN free XXX
SecFilter "FREE XXX"

# PORN hardcore anal
SecFilter "hardcore anal"

# PORN nude cheerleader
SecFilter "nude cheerleader"

# PORN up skirt
SecFilter "up skirt"

# PORN hot young sex
SecFilter "hot young sex"

# PORN fuck fuck fuck
SecFilter "fuck fuck fuck"

# PORN anal sex
SecFilter "anal sex"

# PORN hardcore rape
SecFilter "hardcore rape"

# PORN real snuff
SecFilter "real snuff"

# PORN fuck movies
SecFilter "fuck movies"

# PORN dildo
SecFilter "dildo"

# PORN nipple clamp
SecFilter "clamp"

# PORN oral sex
SecFilter "oral sex"

# PORN nude celeb
SecFilter "nude celeb"

# PORN raw sex
SecFilter "raw sex"

# PORN masturbation
SecFilter "masturbat"

# PORN ejaculation
SecFilter "ejaculat"

# PORN BDSM
SecFilter "BDSM"

# PORN naked lesbians
SecFilter "naked lesbians"

# RSERVICES rlogin login failure
SecFilter "login incorrect"

# SCAN myscan
SecFilter ""

# SCAN cybercop os probe
SecFilter ""

# SCAN Squid Proxy attempt
SecFilter ""

# SCAN SOCKS Proxy attempt
SecFilter ""

# SCAN Proxy Port 8080 attempt
SecFilter ""

# SCAN FIN
SecFilter ""

# SCAN ipEye SYN scan
SecFilter ""

# SCAN NULL
SecFilter ""

# SCAN SYN FIN
SecFilter ""

# SCAN XMAS
SecFilter ""

# SCAN nmap XMAS
SecFilter ""

# SCAN synscan portscan
SecFilter ""

# SCAN cybercop os PA12 attempt
SecFilter "AAAAAAAAAAAAAAAA"

# SCAN cybercop os SFU12 probe
SecFilter "AAAAAAAAAAAAAAAA"

# SCAN Amanda client version request
SecFilter "Amanda"

# SCAN cybercop udp bomb
SecFilter "cybercop"

# SCAN SSH Version map attempt
SecFilter "Version_Mapper"

# SCAN SolarWinds IP scan attempt
SecFilter "SolarWinds\.Net"

# SCAN cybercop os probe
SecFilter "AAAAAAAAAAAAAAAA"

# SHELLCODE x86 inc ebx NOOP
SecFilter "CCCCCCCCCCCCCCCCCCCCCCCC"

# SHELLCODE x86 NOOP
SecFilter "aaaaaaaaaaaaaaaaaaaaa"

# SMTP chameleon overflow
SecFilter "HELP"

# SMTP expn decode
SecFilter "decode"

# SMTP expn root
SecFilter "root"

# SMTP expn *@
SecFilter "*@"

# SMTP RCPT TO decode attempt
SecFilter "decode"

# SMTP vrfy decode
SecFilter "decode"

# SMTP vrfy root
SecFilter "root"

# SMTP expn cybercop attempt
SecFilter "expn cybercop"

# SMTP HELO overflow attempt
SecFilter "HELO"

# SMTP ETRN overflow attempt
SecFilter "ETRN"

# SMTP XEXCH50 overflow attempt
SecFilter "XEXCH50"

# SMTP EXPN overflow attempt
SecFilter "EXPN"

# SMTP VRFY overflow attempt
SecFilter "VRFY"

# SMTP AUTH LOGON brute force attempt
SecFilter "Authentication unsuccessful"

# SNMP public access udp
SecFilter "public"

# SNMP public access tcp
SecFilter "public"

# SNMP private access udp
SecFilter "private"

# SNMP private access tcp
SecFilter "private"

# SNMP Broadcast request
SecFilter ""

# SNMP broadcast trap
SecFilter ""

# SNMP request udp
SecFilter ""

# SNMP request tcp
SecFilter ""

# SNMP trap udp
SecFilter ""

# SNMP trap tcp
SecFilter ""

# SNMP AgentX/tcp request
SecFilter ""

# MS-SQL sa login failed
SecFilter "Login failed for user 'sa'"

# MS-SQL/SMB sa login failed
SecFilter "Login failed for user 'sa'"

# MS-SQL Worm propagation attempt
SecFilter "send"

# MS-SQL Worm propagation attempt OUTBOUND
SecFilter "send"

# TELNET SGI telnetd format bug
SecFilter "bin/sh"

# TELNET ld_library_path
SecFilter "ld_library_path"

# TELNET resolv_host_conf
SecFilter "resolv_host_conf"

# TELNET Attempted SU from wrong group
SecFilter "to su root"

# TELNET not on console
SecFilter "not on system console"

# TELNET login incorrect
SecFilter "Login incorrect"

# TELNET 4Dgifts SGI account attempt
SecFilter "4Dgifts"

# TELNET EZsetup account attempt
SecFilter "OutOfBox"

# TELNET APC SmartSlot default admin account attempt
SecFilter "TENmanUFactOryPOWER"

# TFTP GET Admin.dll
SecFilter "admin\.dll"

# TFTP GET nc.exe
SecFilter "nc\.exe"

# TFTP GET shadow
SecFilter "shadow"

# TFTP GET passwd
SecFilter "passwd"

# TFTP parent directory
SecFilter "\.\."

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# 
SecFilter ""

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS nt admin addition attempt
SecFilter "net localgroup administrators /add"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/hsx\.cgi" chain
SecFilter "\x00"

# WEB-CGI HyperSeek hsx.cgi access
SecFilterSelective THE_REQUEST "/hsx\.cgi" log,pass

# WEB-CGI SWSoft ASPSeek Overflow attempt
SecFilterSelective THE_REQUEST "/s\.cgi" chain
SecFilter "tmpl="

# WEB-CGI webspeed access
SecFilterSelective THE_REQUEST "/wsisa\.dll/WService=" chain
SecFilter "WSMadmin"

# WEB-CGI yabb directory traversal attempt
SecFilterSelective THE_REQUEST "/YaBB" chain
SecFilter "\.\./"

# WEB-CGI yabb access
SecFilterSelective THE_REQUEST "/YaBB"

# WEB-CGI /wwwboard/passwd.txt access
SecFilterSelective THE_REQUEST "/wwwboard/passwd\.txt"

# WEB-CGI webdriver access
SecFilterSelective THE_REQUEST "/webdriver"

# WEB-CGI whois_raw.cgi access
SecFilterSelective THE_REQUEST "/whois_raw\.cgi"

# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."

# WEB-CGI webplus version access
SecFilterSelective THE_REQUEST "/webplus\?about"

# WEB-CGI webplus directory traversal
SecFilterSelective THE_REQUEST "/webplus\?script" chain
SecFilter "\.\./"

# WEB-CGI websendmail access
SecFilterSelective THE_REQUEST "/websendmail"

# WEB-CGI dcforum.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/dcforum\.cgi" chain
SecFilter "forum=\.\./\.\."

# WEB-CGI dcforum.cgi access
SecFilterSelective THE_REQUEST "/dcforum\.cgi"

# WEB-CGI dcboard.cgi invalid user addition attempt
SecFilterSelective THE_REQUEST "/dcboard\.cgi" chain
SecFilter "\x7cadmin"

# WEB-CGI dcboard.cgi access
SecFilterSelective THE_REQUEST "/dcboard\.cgi"

# WEB-CGI mmstdod.cgi access
SecFilterSelective THE_REQUEST "/mmstdod\.cgi"

# WEB-CGI anaconda directory transversal attempt
SecFilterSelective THE_REQUEST "/apexec\.pl" chain
SecFilter "template=\.\./"

# WEB-CGI imagemap.exe overflow attempt
SecFilterSelective THE_REQUEST "/imagemap\.exe\?"

# WEB-CGI imagemap.exe access
SecFilterSelective THE_REQUEST "/imagemap\.exe" log,pass

# WEB-CGI cvsweb.cgi access
SecFilterSelective THE_REQUEST "/cvsweb\.cgi"

# WEB-CGI php.cgi access
SecFilterSelective THE_REQUEST "/php\.cgi"

# WEB-CGI glimpse access
SecFilterSelective THE_REQUEST "/glimpse"

# WEB-CGI htmlscript attempt
SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\."

# WEB-CGI htmlscript access
SecFilterSelective THE_REQUEST "/htmlscript"

# WEB-CGI info2www access
SecFilterSelective THE_REQUEST "/info2www"

# WEB-CGI maillist.pl access
SecFilterSelective THE_REQUEST "/maillist\.pl"

# WEB-CGI nph-test-cgi access
SecFilterSelective THE_REQUEST "/nph-test-cgi"

# WEB-CGI NPH-publish access
SecFilterSelective THE_REQUEST "/nph-maillist\.pl"

# WEB-CGI NPH-publish access
SecFilterSelective THE_REQUEST "/nph-publish"

# WEB-CGI rguest.exe access
SecFilterSelective THE_REQUEST "/rguest\.exe"

# WEB-CGI rwwwshell.pl access
SecFilterSelective THE_REQUEST "/rwwwshell\.pl"

# WEB-CGI test-cgi attempt
SecFilterSelective THE_REQUEST "/test-cgi/*\?*"

# WEB-CGI test-cgi access
SecFilterSelective THE_REQUEST "/test-cgi"

# WEB-CGI testcgi access
SecFilterSelective THE_REQUEST "/testcgi" log,pass

# WEB-CGI test.cgi access
SecFilterSelective THE_REQUEST "/test\.cgi" log,pass

# WEB-CGI textcounter.pl access
SecFilterSelective THE_REQUEST "/textcounter\.pl"

# WEB-CGI uploader.exe access
SecFilterSelective THE_REQUEST "/uploader\.exe"

# WEB-CGI webgais access
SecFilterSelective THE_REQUEST "/webgais"

# WEB-CGI finger access
SecFilterSelective THE_REQUEST "/finger"

# WEB-CGI perlshop.cgi access
SecFilterSelective THE_REQUEST "/perlshop\.cgi"

# WEB-CGI pfdisplay.cgi access
SecFilterSelective THE_REQUEST "/pfdisplay\.cgi"

# WEB-CGI aglimpse access
SecFilterSelective THE_REQUEST "/aglimpse"

# WEB-CGI anform2 access
SecFilterSelective THE_REQUEST "/AnForm2"

# WEB-CGI args.bat access
SecFilterSelective THE_REQUEST "/args\.bat"

# WEB-CGI args.cmd access
SecFilterSelective THE_REQUEST "/args\.cmd"

# WEB-CGI AT-admin.cgi access
SecFilterSelective THE_REQUEST "/AT-admin\.cgi"

# WEB-CGI AT-generated.cgi access
SecFilterSelective THE_REQUEST "/AT-generated\.cgi"

# WEB-CGI bnbform.cgi access
SecFilterSelective THE_REQUEST "/bnbform\.cgi"

# WEB-CGI campas access
SecFilterSelective THE_REQUEST "/campas"

# WEB-CGI view-source directory traversal
SecFilterSelective THE_REQUEST "/view-source" chain
SecFilter "\.\./"

# WEB-CGI view-source access
SecFilterSelective THE_REQUEST "/view-source"

# WEB-CGI wais.pl access
SecFilterSelective THE_REQUEST "/wais\.pl"

# WEB-CGI wwwwais access
SecFilterSelective THE_REQUEST "/wwwwais"

# WEB-CGI files.pl access
SecFilterSelective THE_REQUEST "/files\.pl"

# WEB-CGI wguest.exe access
SecFilterSelective THE_REQUEST "/wguest\.exe"

# WEB-CGI wrap access
SecFilterSelective THE_REQUEST "/wrap"

# WEB-CGI classifieds.cgi access
SecFilterSelective THE_REQUEST "/classifieds\.cgi"

# WEB-CGI environ.cgi access
SecFilterSelective THE_REQUEST "/environ\.cgi"

# WEB-CGI faxsurvey access
SecFilterSelective THE_REQUEST "/faxsurvey" log,pass

# WEB-CGI filemail access
SecFilterSelective THE_REQUEST "/filemail\.pl"

# WEB-CGI man.sh access
SecFilterSelective THE_REQUEST "/man\.sh"

# WEB-CGI snork.bat access
SecFilterSelective THE_REQUEST "/snork\.bat"

# WEB-CGI w3-msql access
SecFilterSelective THE_REQUEST "/w3-msql/"

# WEB-CGI day5datacopier.cgi access
SecFilterSelective THE_REQUEST "/day5datacopier\.cgi"

# WEB-CGI day5datanotifier.cgi access
SecFilterSelective THE_REQUEST "/day5datanotifier\.cgi"

# WEB-CGI post-query access
SecFilterSelective THE_REQUEST "/post-query"

# WEB-CGI visadmin.exe access
SecFilterSelective THE_REQUEST "/visadmin\.exe"

# WEB-CGI dumpenv.pl access
SecFilterSelective THE_REQUEST "/dumpenv\.pl"

# WEB-CGI calendar_admin.pl access
SecFilterSelective THE_REQUEST "/calendar_admin\.pl" log,pass

# WEB-CGI calendar-admin.pl access
SecFilterSelective THE_REQUEST "/calendar-admin\.pl" log,pass

# WEB-CGI calender.pl access
SecFilterSelective THE_REQUEST "/calender\.pl"

# WEB-CGI calendar access
SecFilterSelective THE_REQUEST "/calendar"

# WEB-CGI user_update_admin.pl access
SecFilterSelective THE_REQUEST "/user_update_admin\.pl"

# WEB-CGI user_update_passwd.pl access
SecFilterSelective THE_REQUEST "/user_update_passwd\.pl"

# WEB-CGI snorkerz.cmd access
SecFilterSelective THE_REQUEST "/snorkerz\.cmd"

# WEB-CGI survey.cgi access
SecFilterSelective THE_REQUEST "/survey\.cgi"

# WEB-CGI scriptalias access
SecFilterSelective THE_REQUEST "///"

# WEB-CGI win-c-sample.exe access
SecFilterSelective THE_REQUEST "/win-c-sample\.exe"

# WEB-CGI w3tvars.pm access
SecFilterSelective THE_REQUEST "/w3tvars\.pm"

# WEB-CGI admin.pl access
SecFilterSelective THE_REQUEST "/admin\.pl"

# WEB-CGI LWGate access
SecFilterSelective THE_REQUEST "/LWGate"

# WEB-CGI archie access
SecFilterSelective THE_REQUEST "/archie"

# WEB-CGI flexform access
SecFilterSelective THE_REQUEST "/flexform"

# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"

# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass

# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"

# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass

# WEB-CGI www-sql access
SecFilterSelective THE_REQUEST "/www-sql"

# WEB-CGI wwwadmin.pl access
SecFilterSelective THE_REQUEST "/wwwadmin\.pl"

# WEB-CGI ppdscgi.exe access
SecFilterSelective THE_REQUEST "/ppdscgi\.exe"

# WEB-CGI sendform.cgi access
SecFilterSelective THE_REQUEST "/sendform\.cgi"

# WEB-CGI upload.pl access
SecFilterSelective THE_REQUEST "/upload\.pl"

# WEB-CGI AnyForm2 access
SecFilterSelective THE_REQUEST "/AnyForm2"

# WEB-CGI MachineInfo access
SecFilterSelective THE_REQUEST "/MachineInfo"

# WEB-CGI bb-hist.sh attempt
SecFilterSelective THE_REQUEST "/bb-hist\.sh\?HISTFILE=\.\./\.\."

# WEB-CGI bb-hist.sh access
SecFilterSelective THE_REQUEST "/bb-hist\.sh"

# WEB-CGI bb-histlog.sh access
SecFilterSelective THE_REQUEST "/bb-histlog\.sh"

# WEB-CGI bb-histsvc.sh access
SecFilterSelective THE_REQUEST "/bb-histsvc\.sh"

# WEB-CGI bb-hostscv.sh attempt
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."

# WEB-CGI bb-hostscv.sh access
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh" log,pass

# WEB-CGI bb-rep.sh access
SecFilterSelective THE_REQUEST "/bb-rep\.sh"

# WEB-CGI bb-replog.sh access
SecFilterSelective THE_REQUEST "/bb-replog\.sh"

# WEB-CGI redirect access
SecFilterSelective THE_REQUEST "/redirect"

# WEB-CGI wayboard attempt
SecFilterSelective THE_REQUEST "/way-board/way-board\.cgi" chain
SecFilter "\.\./\.\."

# WEB-CGI way-board access
SecFilterSelective THE_REQUEST "/way-board" log,pass

# WEB-CGI pals-cgi arbitrary file access attempt
SecFilterSelective THE_REQUEST "/pals-cgi" chain
SecFilter "documentName="

# WEB-CGI pals-cgi access
SecFilterSelective THE_REQUEST "/pals-cgi"

# WEB-CGI commerce.cgi arbitrary file access attempt
SecFilterSelective THE_REQUEST "/commerce\.cgi" chain
SecFilter "/\.\./"

# WEB-CGI commerce.cgi access
SecFilterSelective THE_REQUEST "/commerce\.cgi"

# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/sendtemp\.pl" chain
SecFilter "templ="

# WEB-CGI Amaya templates sendtemp.pl access
SecFilterSelective THE_REQUEST "/sendtemp\.pl" log,pass

# WEB-CGI webspirs.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/webspirs\.cgi" chain
SecFilter "\.\./\.\./"

# WEB-CGI webspirs.cgi access
SecFilterSelective THE_REQUEST "/webspirs\.cgi"

# WEB-CGI tstisapi.dll access
SecFilterSelective THE_REQUEST "tstisapi\.dll"

# WEB-CGI sendmessage.cgi access
SecFilterSelective THE_REQUEST "/sendmessage\.cgi"

# WEB-CGI lastlines.cgi access
SecFilterSelective THE_REQUEST "/lastlines\.cgi"

# WEB-CGI zml.cgi attempt
SecFilterSelective THE_REQUEST "/zml\.cgi" chain
SecFilter "file=\.\./" log,pass

# WEB-CGI zml.cgi access
SecFilterSelective THE_REQUEST "/zml\.cgi" log,pass

# WEB-CGI AHG search.cgi access
SecFilterSelective THE_REQUEST "/publisher/search\.cgi" chain
SecFilter "template=" log,pass

# WEB-CGI agora.cgi attempt
SecFilterSelective THE_REQUEST "/store/agora\.cgi\?cart_id=<SCRIPT>"

# WEB-CGI agora.cgi access
SecFilterSelective THE_REQUEST "/store/agora\.cgi" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI perl.exe command attempt
SecFilterSelective THE_REQUEST "/perl\.exe\?"

# WEB-CGI perl.exe access
SecFilterSelective THE_REQUEST "/perl\.exe"

# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CGI auktion.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/auktion\.cgi" chain
SecFilter "menue=\.\./\.\./"

# WEB-CGI auktion.cgi access
SecFilterSelective THE_REQUEST "/auktion\.cgi" log,pass

# WEB-CGI cgiforum.pl attempt
SecFilterSelective THE_REQUEST "/cgiforum\.pl\?thesection=\.\./\.\."

# WEB-CGI cgiforum.pl access
SecFilterSelective THE_REQUEST "/cgiforum\.pl" log,pass

# WEB-CGI directorypro.cgi attempt
SecFilterSelective THE_REQUEST "/directorypro\.cgi" chain
SecFilter "\.\./\.\."

# WEB-CGI directorypro.cgi access
SecFilterSelective THE_REQUEST "/directorypro\.cgi" log,pass

# WEB-CGI Web Shopper shopper.cgi attempt
SecFilterSelective THE_REQUEST "/shopper\.cgi" chain
SecFilter "newpage=\.\./"

# WEB-CGI Web Shopper shopper.cgi access
SecFilterSelective THE_REQUEST "/shopper\.cgi"

# WEB-CGI listrec.pl access
SecFilterSelective THE_REQUEST "/listrec\.pl"

# WEB-CGI mailnews.cgi access
SecFilterSelective THE_REQUEST "/mailnews\.cgi"

# WEB-CGI book.cgi access
SecFilterSelective THE_REQUEST "/book\.cgi" log,pass

# WEB-CGI newsdesk.cgi access
SecFilterSelective THE_REQUEST "/newsdesk\.cgi"

# WEB-CGI cal_make.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/cal_make\.pl" chain
SecFilter "p0=\.\./\.\./"

# WEB-CGI cal_make.pl access
SecFilterSelective THE_REQUEST "/cal_make\.pl" log,pass

# WEB-CGI mailit.pl access
SecFilterSelective THE_REQUEST "/mailit\.pl"

# WEB-CGI sdbsearch.cgi access
SecFilterSelective THE_REQUEST "/sdbsearch\.cgi"

# WEB-CGI swc access
SecFilterSelective THE_REQUEST "/swc"

# WEB-CGI ttawebtop.cgi arbitrary file attempt
SecFilterSelective THE_REQUEST "/ttawebtop\.cgi" chain
SecFilter "pg=\.\./"

# WEB-CGI ttawebtop.cgi access
SecFilterSelective THE_REQUEST "/ttawebtop\.cgi"

# WEB-CGI upload.cgi access
SecFilterSelective THE_REQUEST "/upload\.cgi"

# WEB-CGI view_source access
SecFilterSelective THE_REQUEST "/view_source"

# WEB-CGI ustorekeeper.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" chain
SecFilter "file=\.\./\.\./"

# WEB-CGI ustorekeeper.pl access
SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" log,pass

# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass

# WEB-CGI Bugzilla doeditvotes.cgi access
SecFilterSelective THE_REQUEST "/doeditvotes\.cgi" log,pass

# WEB-CGI htsearch arbitrary configuration file attempt
SecFilterSelective THE_REQUEST "/htsearch\?-c"

# WEB-CGI htsearch arbitrary file read attempt
SecFilterSelective THE_REQUEST "/htsearch\?exclude=`"

# WEB-CGI htsearch access
SecFilterSelective THE_REQUEST "/htsearch" log,pass

# WEB-CGI a1stats a1disp3.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/a1disp3\.cgi\?/\.\./\.\./"

# WEB-CGI a1stats a1disp3.cgi access
SecFilterSelective THE_REQUEST "/a1disp3\.cgi" log,pass

# WEB-CGI a1stats access
SecFilterSelective THE_REQUEST "/a1stats/" log,pass

# WEB-CGI admentor admin.asp access
SecFilterSelective THE_REQUEST "/admentor/admin/admin\.asp" log,pass

# WEB-CGI alchemy http server PRN arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/PRN/\.\./\.\./" log,pass

# WEB-CGI alchemy http server NUL arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/NUL/\.\./\.\./" log,pass

# WEB-CGI alibaba.pl access
SecFilterSelective THE_REQUEST "/alibaba\.pl" log,pass

# WEB-CGI AltaVista Intranet Search directory traversal attempt
SecFilterSelective THE_REQUEST "/query\?mss=\.\."

# WEB-CGI test.bat access
SecFilterSelective THE_REQUEST "/test\.bat" log,pass

# WEB-CGI input.bat access
SecFilterSelective THE_REQUEST "/input\.bat" log,pass

# WEB-CGI input2.bat access
SecFilterSelective THE_REQUEST "/input2\.bat" log,pass

# WEB-CGI envout.bat access
SecFilterSelective THE_REQUEST "/envout\.bat" log,pass

# WEB-CGI echo.bat arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/echo\.bat" chain
SecFilter "&"

# WEB-CGI echo.bat access
SecFilterSelective THE_REQUEST "/echo\.bat" log,pass

# WEB-CGI hello.bat arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/hello\.bat" chain
SecFilter "&"

# WEB-CGI hello.bat access
SecFilterSelective THE_REQUEST "/hello\.bat" log,pass

# WEB-CGI tst.bat access
SecFilterSelective THE_REQUEST "/tst\.bat" log,pass

# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass

# WEB-CGI cgimail access
SecFilterSelective THE_REQUEST "/cgimail" log,pass

# WEB-CGI cgiwrap access
SecFilterSelective THE_REQUEST "/cgiwrap" log,pass

# WEB-CGI csSearch.cgi arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/csSearch\.cgi" chain
SecFilter "`"

# WEB-CGI csSearch.cgi access
SecFilterSelective THE_REQUEST "/csSearch\.cgi" log,pass

# WEB-CGI /cart/cart.cgi access
SecFilterSelective THE_REQUEST "/cart/cart\.cgi" log,pass

# WEB-CGI dbman db.cgi access
SecFilterSelective THE_REQUEST "/dbman/db\.cgi" log,pass

# WEB-CGI DCShop access
SecFilterSelective THE_REQUEST "/dcshop" log,pass

# WEB-CGI DCShop orders.txt access
SecFilterSelective THE_REQUEST "/orders/orders\.txt" log,pass

# WEB-CGI DCShop auth_user_file.txt access
SecFilterSelective THE_REQUEST "/auth_data/auth_user_file\.txt" log,pass

# WEB-CGI eshop.pl access
SecFilterSelective THE_REQUEST "/eshop\.pl" log,pass

# WEB-CGI loadpage.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/loadpage\.cgi" chain
SecFilter "file=\.\./"

# WEB-CGI loadpage.cgi access
SecFilterSelective THE_REQUEST "/loadpage\.cgi" log,pass

# WEB-CGI faqmanager.cgi access
SecFilterSelective THE_REQUEST "/faqmanager\.cgi" log,pass

# WEB-CGI /fcgi-bin/echo.exe access
SecFilterSelective THE_REQUEST "/fcgi-bin/echo\.exe" log,pass

# WEB-CGI FormHandler.cgi directory traversal attempt attempt
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain
SecFilter "/\.\./"

# WEB-CGI FormHandler.cgi external site redirection attempt
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain
SecFilter "redirect=http"

# WEB-CGI FormHandler.cgi access
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" log,pass

# WEB-CGI guestbook.cgi access
SecFilterSelective THE_REQUEST "/guestbook\.cgi" log,pass

# WEB-CGI Home Free search.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/search\.cgi" chain
SecFilter "letter=\.\./\.\."

# WEB-CGI search.cgi access
SecFilterSelective THE_REQUEST "/search\.cgi" log,pass

# WEB-CGI enivorn.pl access
SecFilterSelective THE_REQUEST "/enivron\.pl" log,pass

# WEB-CGI campus access
SecFilterSelective THE_REQUEST "/campus" log,pass

# WEB-CGI cart32.exe access
SecFilterSelective THE_REQUEST "/cart32\.exe" log,pass

# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/pfdispaly\.cgi\?'"

# WEB-CGI pfdispaly.cgi access
SecFilterSelective THE_REQUEST "/pfdispaly\.cgi" log,pass

# WEB-CGI pagelog.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/pagelog\.cgi" chain
SecFilter "name=\.\./" log,pass

# WEB-CGI pagelog.cgi access
SecFilterSelective THE_REQUEST "/pagelog\.cgi" log,pass

# WEB-CGI ad.cgi access
SecFilterSelective THE_REQUEST "/ad\.cgi" log,pass

# WEB-CGI bbs_forum.cgi access
SecFilterSelective THE_REQUEST "/bbs_forum\.cgi" log,pass

# WEB-CGI bsguest.cgi access
SecFilterSelective THE_REQUEST "/bsguest\.cgi" log,pass

# WEB-CGI bslist.cgi access
SecFilterSelective THE_REQUEST "/bslist\.cgi" log,pass

# WEB-CGI cgforum.cgi access
SecFilterSelective THE_REQUEST "/cgforum\.cgi" log,pass

# WEB-CGI newdesk access
SecFilterSelective THE_REQUEST "/newdesk" log,pass

# WEB-CGI register.cgi access
SecFilterSelective THE_REQUEST "/register\.cgi" log,pass

# WEB-CGI gbook.cgi access
SecFilterSelective THE_REQUEST "/gbook\.cgi" log,pass

# WEB-CGI simplestguest.cgi access
SecFilterSelective THE_REQUEST "/simplestguest\.cgi" log,pass

# WEB-CGI statusconfig.pl access
SecFilterSelective THE_REQUEST "/statusconfig\.pl" log,pass

# WEB-CGI talkback.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/talkbalk\.cgi" chain
SecFilter "article=\.\./\.\./"

# WEB-CGI talkback.cgi access
SecFilterSelective THE_REQUEST "/talkbalk\.cgi" log,pass

# WEB-CGI adcycle access
SecFilterSelective THE_REQUEST "/adcycle" log,pass

# WEB-CGI MachineInfo access
SecFilterSelective THE_REQUEST "/MachineInfo" log,pass

# WEB-CGI emumail.cgi NULL attempt
SecFilterSelective THE_REQUEST "/emumail\.cgi" chain
SecFilter "\x00" log,pass

# WEB-CGI emumail.cgi access
SecFilterSelective THE_REQUEST "/emumail\.cgi" log,pass

# WEB-CGI document.d2w access
SecFilterSelective THE_REQUEST "/document\.d2w" log,pass

# WEB-CGI db2www access
SecFilterSelective THE_REQUEST "/db2www" log,pass

# WEB-CGI /cgi-bin/ access
SecFilterSelective THE_REQUEST "/cgi-bin/" chain
SecFilter "/cgi-bin/ HTTP"

# WEB-CGI /cgi-dos/ access
SecFilterSelective THE_REQUEST "/cgi-dos/" chain
SecFilter "/cgi-dos/ HTTP"

# WEB-CGI technote main.cgi file directory traversal attempt
SecFilterSelective THE_REQUEST "/technote/main\.cgi" chain
SecFilter "\.\./\.\./"

# WEB-CGI technote print.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/technote/print\.cgi" chain
SecFilter "\x00"

# WEB-CGI eXtropia webstore directory traversal
SecFilterSelective THE_REQUEST "/web_store\.cgi" chain
SecFilter "page=\.\./"

# WEB-CGI eXtropia webstore access
SecFilterSelective THE_REQUEST "/web_store\.cgi" log,pass

# WEB-CGI shopping cart directory traversal
SecFilterSelective THE_REQUEST "/shop\.cgi" chain
SecFilter "page=\.\./"

# WEB-CGI Allaire Pro Web Shell attempt
SecFilterSelective THE_REQUEST "/authenticate\.cgi\?PASSWORD" chain
SecFilter "config\.ini"

# WEB-CGI Armada Style Master Index directory traversal
SecFilterSelective THE_REQUEST "/search\.cgi\?keys" chain
SecFilter "catigory=\.\./"

# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
SecFilterSelective THE_REQUEST "/cached_feed\.cgi" chain
SecFilter "\.\./"

# WEB-CGI cached_feed.cgi moreover shopping cart access
SecFilterSelective THE_REQUEST "/cached_feed\.cgi" log,pass

# WEB-CGI Talentsoft Web+ exploit attempt
SecFilterSelective THE_REQUEST "/webplus\.cgi\?Script=/webplus/webping/webping\.wml"

# WEB-CGI Poll-it access
SecFilterSelective THE_REQUEST "/pollit/Poll_It_SSI_v2\.0\.cgi" log,pass

# WEB-CGI count.cgi access
SecFilterSelective THE_REQUEST "/count\.cgi" log,pass

# WEB-CGI webdist.cgi access
SecFilterSelective THE_REQUEST "/webdist\.cgi" log,pass

# WEB-CGI bigconf.cgi access
SecFilterSelective THE_REQUEST "/bigconf\.cgi" log,pass

# WEB-CGI /cgi-bin/jj access
SecFilterSelective THE_REQUEST "/cgi-bin/jj" log,pass

# WEB-CGI bizdbsearch attempt
SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" chain
SecFilter "mail"

# WEB-CGI bizdbsearch access
SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" log,pass

# WEB-CGI sojourn.cgi File attempt
SecFilterSelective THE_REQUEST "/sojourn\.cgi\?cat=" chain
SecFilter "\x00"

# WEB-CGI sojourn.cgi access
SecFilterSelective THE_REQUEST "/sojourn\.cgi" log,pass

# WEB-CGI SGI InfoSearch fname attempt
SecFilterSelective THE_REQUEST "/infosrch\.cgi\?" chain
SecFilter "fname="

# WEB-CGI SGI InfoSearch fname access
SecFilterSelective THE_REQUEST "/infosrch\.cgi" log,pass

# WEB-CGI ax-admin.cgi access
SecFilterSelective THE_REQUEST "/ax-admin\.cgi" log,pass

# WEB-CGI axs.cgi access
SecFilterSelective THE_REQUEST "/axs\.cgi" log,pass

# WEB-CGI cachemgr.cgi access
SecFilterSelective THE_REQUEST "/cachemgr\.cgi" log,pass

# WEB-CGI responder.cgi access
SecFilterSelective THE_REQUEST "/responder\.cgi" log,pass

# WEB-CGI web-map.cgi access
SecFilterSelective THE_REQUEST "/web-map\.cgi" log,pass

# WEB-CGI ministats admin access
SecFilterSelective THE_REQUEST "/ministats/admin\.cgi" log,pass

# WEB-CGI dfire.cgi access
SecFilterSelective THE_REQUEST "/dfire\.cgi" log,pass

# WEB-CGI txt2html.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/txt2html\.cgi" chain
SecFilter "/\.\./\.\./\.\./\.\./"

# WEB-CGI txt2html.cgi access
SecFilterSelective THE_REQUEST "/txt2html\.cgi" log,pass

# WEB-CGI store.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/store\.cgi" chain
SecFilter "\.\./"

# WEB-CGI store.cgi access
SecFilterSelective THE_REQUEST "/store\.cgi" log,pass

# WEB-CGI SIX webboard generate.cgi attempt
SecFilterSelective THE_REQUEST "/generate\.cgi" chain
SecFilter "content=\.\./"

# WEB-CGI SIX webboard generate.cgi access
SecFilterSelective THE_REQUEST "/generate\.cgi" log,pass

# WEB-CGI spin_client.cgi access
SecFilterSelective THE_REQUEST "/spin_client\.cgi" log,pass

# WEB-CGI csPassword.cgi access
SecFilterSelective THE_REQUEST "/csPassword\.cgi" log,pass

# WEB-CGI csPassword password.cgi.tmp access
SecFilterSelective THE_REQUEST "/password\.cgi\.tmp" log,pass

# WEB-CGI Nortel Contivity cgiproc DOS attempt
SecFilterSelective THE_REQUEST "/cgiproc\?Nocfile="

# WEB-CGI Nortel Contivity cgiproc access
SecFilterSelective THE_REQUEST "/cgiproc" log,pass

# WEB-CGI Oracle reports CGI access
SecFilterSelective THE_REQUEST "/rwcgi60" chain
SecFilter "setauth=" log,pass

# WEB-CGI alienform.cgi access
SecFilterSelective THE_REQUEST "/alienform\.cgi" log,pass

# WEB-CGI AlienForm af.cgi access
SecFilterSelective THE_REQUEST "/af\.cgi" log,pass

# WEB-CGI story.pl arbitrary file read attempt
SecFilterSelective THE_REQUEST "/story\.pl" chain
SecFilter "next=\.\./"

# WEB-CGI story.pl access
SecFilterSelective THE_REQUEST "/story\.pl"

# WEB-CGI siteUserMod.cgi access
SecFilterSelective THE_REQUEST "/\.cobalt/siteUserMod/siteUserMod\.cgi" log,pass

# WEB-CGI cgicso access
SecFilterSelective THE_REQUEST "/cgicso" log,pass

# WEB-CGI nph-publish.cgi access
SecFilterSelective THE_REQUEST "/nph-publish\.cgi" log,pass

# WEB-CGI printenv access
SecFilterSelective THE_REQUEST "/printenv" log,pass

# WEB-CGI sdbsearch.cgi access
SecFilterSelective THE_REQUEST "/sdbsearch\.cgi" log,pass

# WEB-CGI rpc-nlog.pl access
SecFilterSelective THE_REQUEST "/rpc-nlog\.pl" log,pass

# WEB-CGI rpc-smb.pl access
SecFilterSelective THE_REQUEST "/rpc-smb\.pl" log,pass

# WEB-CGI cart.cgi access
SecFilterSelective THE_REQUEST "/cart\.cgi" log,pass

# WEB-CGI vpasswd.cgi access
SecFilterSelective THE_REQUEST "/vpasswd\.cgi" log,pass

# WEB-CGI alya.cgi access
SecFilterSelective THE_REQUEST "/alya\.cgi" log,pass

# WEB-CGI viralator.cgi access
SecFilterSelective THE_REQUEST "/viralator\.cgi" log,pass

# WEB-CGI smartsearch.cgi access
SecFilterSelective THE_REQUEST "/smartsearch\.cgi" log,pass

# WEB-CGI mrtg.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/mrtg\.cgi" chain
SecFilter "cfg=/\.\./"

# WEB-CGI overflow.cgi access
SecFilterSelective THE_REQUEST "/overflow\.cgi" log,pass

# WEB-CGI way-board.cgi access
SecFilterSelective THE_REQUEST "/way-board\.cgi" log,pass

# WEB-CGI process_bug.cgi access
SecFilterSelective THE_REQUEST "/process_bug\.cgi" log,pass

# WEB-CGI enter_bug.cgi access
SecFilterSelective THE_REQUEST "/enter_bug\.cgi" log,pass

# WEB-CGI parse_xml.cgi access
SecFilterSelective THE_REQUEST "/parse_xml\.cgi" log,pass

# WEB-CGI streaming server parse_xml.cgi access
SecFilter "/parse_xml\.cgi" log,pass

# WEB-CGI album.pl access
SecFilter "/album\.pl" log,pass

# WEB-CGI chipcfg.cgi access
SecFilterSelective THE_REQUEST "/chipcfg\.cgi" log,pass

# WEB-CGI ikonboard.cgi access
SecFilterSelective THE_REQUEST "/ikonboard\.cgi" log,pass

# WEB-CGI swsrv.cgi access
SecFilterSelective THE_REQUEST "/srsrv\.cgi" log,pass

# WEB-CGI CSMailto.cgi access
SecFilterSelective THE_REQUEST "/CSMailto\.cgi" log,pass

# WEB-CGI alert.cgi access
SecFilterSelective THE_REQUEST "/alert\.cgi" log,pass

# WEB-CGI catgy.cgi access
SecFilterSelective THE_REQUEST "/alert\.cgi" log,pass

# WEB-CGI cvsview2.cgi access
SecFilterSelective THE_REQUEST "/cvsview2\.cgi" log,pass

# WEB-CGI cvslog.cgi access
SecFilterSelective THE_REQUEST "/cvslog\.cgi" log,pass

# WEB-CGI multidiff.cgi access
SecFilterSelective THE_REQUEST "/multidiff\.cgi" log,pass

# WEB-CGI dnewsweb.cgi access
SecFilterSelective THE_REQUEST "/dnewsweb\.cgi" log,pass

# WEB-CGI download.cgi access
SecFilterSelective THE_REQUEST "/download\.cgi" log,pass

# WEB-CGI edit_action.cgi access
SecFilterSelective THE_REQUEST "/edit_action\.cgi" log,pass

# WEB-CGI everythingform.cgi access
SecFilterSelective THE_REQUEST "/everythingform\.cgi" log,pass

# WEB-CGI ezadmin.cgi access
SecFilterSelective THE_REQUEST "/ezadmin\.cgi" log,pass

# WEB-CGI ezboard.cgi access
SecFilterSelective THE_REQUEST "/ezboard\.cgi" log,pass

# WEB-CGI ezman.cgi access
SecFilterSelective THE_REQUEST "/ezman\.cgi" log,pass

# WEB-CGI fileseek.cgi access
SecFilterSelective THE_REQUEST "/fileseek\.cgi" log,pass

# WEB-CGI fom.cgi access
SecFilterSelective THE_REQUEST "/fom\.cgi" log,pass

# WEB-CGI getdoc.cgi access
SecFilterSelective THE_REQUEST "/getdoc\.cgi" log,pass

# WEB-CGI global.cgi access
SecFilterSelective THE_REQUEST "/global\.cgi" log,pass

# WEB-CGI guestserver.cgi access
SecFilterSelective THE_REQUEST "/guestserver\.cgi" log,pass

# WEB-CGI imageFolio.cgi access
SecFilterSelective THE_REQUEST "/imageFolio\.cgi" log,pass

# WEB-CGI mailfile.cgi access
SecFilterSelective THE_REQUEST "/mailfile\.cgi" log,pass

# WEB-CGI mailview.cgi access
SecFilterSelective THE_REQUEST "/mailview\.cgi" log,pass

# WEB-CGI nsManager.cgi access
SecFilterSelective THE_REQUEST "/nsManager\.cgi" log,pass

# WEB-CGI readmail.cgi access
SecFilterSelective THE_REQUEST "/readmail\.cgi" log,pass

# WEB-CGI printmail.cgi access
SecFilterSelective THE_REQUEST "/printmail\.cgi" log,pass

# WEB-CGI service.cgi access
SecFilterSelective THE_REQUEST "/service\.cgi" log,pass

# WEB-CGI setpasswd.cgi access
SecFilterSelective THE_REQUEST "/setpasswd\.cgi" log,pass

# WEB-CGI simplestmail.cgi access
SecFilterSelective THE_REQUEST "/simplestmail\.cgi" log,pass

# WEB-CGI ws_mail.cgi access
SecFilterSelective THE_REQUEST "/ws_mail\.cgi" log,pass

# WEB-CGI nph-exploitscanget.cgi access
SecFilterSelective THE_REQUEST "/nph-exploitscanget\.cgi" log,pass

# WEB-CGI csNews.cgi access
SecFilterSelective THE_REQUEST "/csNews\.cgi" log,pass

# WEB-CGI psunami.cgi access
SecFilterSelective THE_REQUEST "/psunami\.cgi" log,pass

# WEB-CGI gozila.cgi access
SecFilterSelective THE_REQUEST "/gozila\.cgi" log,pass

# WEB-CGI quickstore.cgi access
SecFilterSelective THE_REQUEST "/quickstore\.cgi" log,pass

# WEB-CGI view_broadcast.cgi access
SecFilterSelective THE_REQUEST "/view_broadcast\.cgi" log,pass

# WEB-CGI streaming server view_broadcast.cgi access
SecFilterSelective THE_REQUEST "/view_broadcast\.cgi" log,pass

# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/whereami\.cgi\?g="

# WEB-CGI CCBill whereami.cgi access
SecFilterSelective THE_REQUEST "/whereami\.cgi" log,pass

# WEB-CGI MDaemon form2raw.cgi overflow attempt
SecFilterSelective THE_REQUEST "/form2raw\.cgi"

# WEB-CGI MDaemon form2raw.cgi access
SecFilter "/form2raw\.cgi" log,pass

# WEB-CLIENT Outlook EML access
SecFilterSelective THE_REQUEST "\.eml"

# WEB-CLIENT Microsoft emf metafile access
SecFilterSelective THE_REQUEST "\.emf"

# WEB-CLIENT Microsoft wmf metafile access
SecFilterSelective THE_REQUEST "\.wmf"

# WEB-CLIENT readme.eml download attempt
SecFilterSelective THE_REQUEST "/readme\.eml"

# WEB-CLIENT Nortan antivirus sysmspam.dll load attempt
SecFilter "0534CF61-83C5-4765-B19B-45F7A4E135D0"

# WEB-COLDFUSION cfcache.map access
SecFilterSelective THE_REQUEST "/cfcache\.map"

# WEB-COLDFUSION exampleapp application.cfm
SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/email/application\.cfm"

# WEB-COLDFUSION application.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/publish/admin/application\.cfm"

# WEB-COLDFUSION getfile.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/email/getfile\.cfm"

# WEB-COLDFUSION addcontent.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/publish/admin/addcontent\.cfm"

# WEB-COLDFUSION administrator access
SecFilterSelective THE_REQUEST "/cfide/administrator/index\.cfm"

# WEB-COLDFUSION fileexists.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/snippets/fileexists\.cfm"

# WEB-COLDFUSION exprcalc access
SecFilterSelective THE_REQUEST "/cfdocs/expeval/exprcalc\.cfm"

# WEB-COLDFUSION parks access
SecFilterSelective THE_REQUEST "/cfdocs/examples/parks/detail\.cfm"

# WEB-COLDFUSION cfappman access
SecFilterSelective THE_REQUEST "/cfappman/index\.cfm"

# WEB-COLDFUSION beaninfo access
SecFilterSelective THE_REQUEST "/cfdocs/examples/cvbeans/beaninfo\.cfm"

# WEB-COLDFUSION evaluate.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/snippets/evaluate\.cfm"

# WEB-COLDFUSION expeval access
SecFilterSelective THE_REQUEST "/cfdocs/expeval/"

# WEB-COLDFUSION displayfile access
SecFilterSelective THE_REQUEST "/cfdocs/expeval/displayopenedfile\.cfm"

# WEB-COLDFUSION mainframeset access
SecFilterSelective THE_REQUEST "/cfdocs/examples/mainframeset\.cfm"

# WEB-COLDFUSION exampleapp access
SecFilterSelective THE_REQUEST "/cfdocs/exampleapp/"

# WEB-COLDFUSION snippets attempt
SecFilterSelective THE_REQUEST "/cfdocs/snippets/"

# WEB-COLDFUSION cfmlsyntaxcheck.cfm access
SecFilterSelective THE_REQUEST "/cfdocs/cfmlsyntaxcheck\.cfm"

# WEB-COLDFUSION application.cfm access
SecFilterSelective THE_REQUEST "/application\.cfm"

# WEB-COLDFUSION onrequestend.cfm access
SecFilterSelective THE_REQUEST "/onrequestend\.cfm"

# WEB-COLDFUSION startstop DOS access
SecFilterSelective THE_REQUEST "/cfide/administrator/startstop\.html"

# WEB-COLDFUSION gettempdirectory.cfm access 
SecFilterSelective THE_REQUEST "/cfdocs/snippets/gettempdirectory\.cfm"

# WEB-COLDFUSION sendmail.cfm access
SecFilterSelective THE_REQUEST "/sendmail\.cfm"

# WEB-COLDFUSION ?Mode=debug attempt
SecFilterSelective THE_REQUEST "Mode=debug" log,pass

# WEB-FRONTPAGE rad fp30reg.dll access
SecFilterSelective THE_REQUEST "/fp30reg\.dll" log,pass

# WEB-FRONTPAGE frontpage rad fp4areg.dll access
SecFilterSelective THE_REQUEST "/fp4areg\.dll" log,pass

# WEB-FRONTPAGE _vti_rpc access
SecFilterSelective THE_REQUEST "/_vti_rpc" log,pass

# WEB-FRONTPAGE posting
SecFilterSelective THE_REQUEST "/author\.dll" chain
SecFilter "POST" log,pass

# WEB-FRONTPAGE shtml.dll access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.dll" log,pass

# WEB-FRONTPAGE contents.htm access
SecFilterSelective THE_REQUEST "/admcgi/contents\.htm" log,pass

# WEB-FRONTPAGE orders.htm access
SecFilterSelective THE_REQUEST "/_private/orders\.htm" log,pass

# WEB-FRONTPAGE fpsrvadm.exe access
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass

# WEB-FRONTPAGE fpremadm.exe access
SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass

# WEB-FRONTPAGE fpadmin.htm access
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass

# WEB-FRONTPAGE fpadmcgi.exe access
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass

# WEB-FRONTPAGE orders.txt access
SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass

# WEB-FRONTPAGE form_results access
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass

# WEB-FRONTPAGE registrations.htm access
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass

# WEB-FRONTPAGE cfgwiz.exe access
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass

# WEB-FRONTPAGE authors.pwd access
SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass

# WEB-FRONTPAGE author.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass

# WEB-FRONTPAGE administrators.pwd access
SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass

# WEB-FRONTPAGE form_results.htm access
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass

# WEB-FRONTPAGE access.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass

# WEB-FRONTPAGE register.txt access
SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass

# WEB-FRONTPAGE registrations.txt access
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass

# WEB-FRONTPAGE service.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass

# WEB-FRONTPAGE service.pwd
SecFilterSelective THE_REQUEST "/service\.pwd" log,pass

# WEB-FRONTPAGE service.stp access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass

# WEB-FRONTPAGE services.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass

# WEB-FRONTPAGE shtml.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass

# WEB-FRONTPAGE svcacl.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass

# WEB-FRONTPAGE users.pwd access
SecFilterSelective THE_REQUEST "/users\.pwd" log,pass

# WEB-FRONTPAGE writeto.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass

# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"

# WEB-FRONTPAGE dvwssr.dll access
SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass

# WEB-FRONTPAGE register.htm access
SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass

# WEB-FRONTPAGE /_vti_bin/ access
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass

# WEB-IIS repost.asp access
SecFilterSelective THE_REQUEST "/scripts/repost\.asp" log,pass

# WEB-IIS .htr chunked Transfer-Encoding
SecFilterSelective THE_REQUEST "\.htr" chain
SecFilter "chunked"

# WEB-IIS .asp chunked Transfer-Encoding
SecFilterSelective THE_REQUEST "\.asp" chain
SecFilter "chunked"

# WEB-IIS /StoreCSVS/InstantOrder.asmx request
SecFilterSelective THE_REQUEST "/StoreCSVS/InstantOrder\.asmx" log,pass

# WEB-IIS users.xml access
SecFilterSelective THE_REQUEST "/users\.xml" log,pass

# WEB-IIS as_web.exe access
SecFilterSelective THE_REQUEST "/as_web\.exe" log,pass

# WEB-IIS as_web4.exe access
SecFilterSelective THE_REQUEST "/as_web4\.exe" log,pass

# WEB-IIS NewsPro administration authentication attempt
SecFilter "logged,true" log,pass

# WEB-IIS pbserver access
SecFilterSelective THE_REQUEST "/pbserver/pbserver\.dll" log,pass

# WEB-IIS trace.axd access
SecFilterSelective THE_REQUEST "/trace\.axd" log,pass

# WEB-IIS /isapi/tstisapi.dll access
SecFilterSelective THE_REQUEST "/isapi/tstisapi\.dll" log,pass

# WEB-IIS mkilog.exe access
SecFilterSelective THE_REQUEST "/mkilog\.exe" log,pass

# WEB-IIS ctss.idc access
SecFilterSelective THE_REQUEST "/ctss\.idc" log,pass

# WEB-IIS /iisadmpwd/aexp2.htr access
SecFilterSelective THE_REQUEST "/iisadmpwd/aexp2\.htr" log,pass

# WEB-IIS WebDAV file lock attempt
SecFilter "LOCK " log,pass

# WEB-IIS ISAPI .printer access
SecFilterSelective THE_REQUEST "\.printer" log,pass

# WEB-IIS ISAPI .ida attempt
SecFilterSelective THE_REQUEST "\.ida\?"

# WEB-IIS ISAPI .ida access
SecFilterSelective THE_REQUEST "\.ida" log,pass

# WEB-IIS ISAPI .idq attempt
SecFilterSelective THE_REQUEST "\.idq\?"

# WEB-IIS ISAPI .idq access
SecFilterSelective THE_REQUEST "\.idq" log,pass

# WEB-IIS %2E-asp access
SecFilter "\x2easp" log,pass

# WEB-IIS *.idc attempt
SecFilterSelective THE_REQUEST "/*\.idc"

# WEB-IIS .bat? access
SecFilterSelective THE_REQUEST "\.bat\?" log,pass

# WEB-IIS .cnf access
SecFilterSelective THE_REQUEST "\.cnf" log,pass

# WEB-IIS ASP contents view
SecFilter "&CiHiliteType=Full"

# WEB-IIS ASP contents view
SecFilterSelective THE_REQUEST "\.htw\?CiWebHitsFile"

# WEB-IIS CGImail.exe access
SecFilterSelective THE_REQUEST "/scripts/CGImail\.exe" log,pass

# WEB-IIS unicode directory traversal attempt
SecFilter "/\.\.\xc0\xaf\.\./"

# WEB-IIS unicode directory traversal attempt
SecFilter "/\.\.\xc1\x1c\.\./"

# WEB-IIS unicode directory traversal attempt
SecFilter "/\.\.\xc1\x9c\.\./"

# WEB-IIS unicode directory traversal attempt
SecFilter "/\.\.\x255c\.\."

# WEB-IIS MSProxy access
SecFilterSelective THE_REQUEST "/scripts/proxy/w3proxy\.dll" log,pass

# WEB-IIS +.htr code fragment attempt
SecFilterSelective THE_REQUEST "\+\.htr"

# WEB-IIS .htr access
SecFilterSelective THE_REQUEST "\.htr" log,pass

# WEB-IIS SAM Attempt
SecFilter "sam\._"

# WEB-IIS Unicode2.pl script File permission canonicalization
SecFilterSelective THE_REQUEST "/sensepost\.exe" log,pass

# WEB-IIS _vti_inf access
SecFilterSelective THE_REQUEST "_vti_inf\.html" log,pass

# WEB-IIS achg.htr access
SecFilterSelective THE_REQUEST "/iisadmpwd/achg\.htr" log,pass

# WEB-IIS /scripts/iisadmin/default.htm access
SecFilterSelective THE_REQUEST "/scripts/iisadmin/default\.htm"

# WEB-IIS ism.dll access
SecFilterSelective THE_REQUEST "/scripts/iisadmin/ism\.dll\?http/dir"

# WEB-IIS anot.htr access
SecFilterSelective THE_REQUEST "/iisadmpwd/anot" log,pass

# WEB-IIS asp-dot attempt
SecFilterSelective THE_REQUEST "\.asp\."

# WEB-IIS bdir.htr access
SecFilterSelective THE_REQUEST "/bdir\.htr" log,pass

# WEB-IIS cmd32.exe access
SecFilter "cmd32\.exe"

# WEB-IIS cmd.exe access
SecFilter "cmd\.exe"

# WEB-IIS cmd? access
SecFilter "\.cmd\?&"

# WEB-IIS cross-site scripting attempt
SecFilterSelective THE_REQUEST "/Form_JScript\.asp"

# WEB-IIS cross-site scripting attempt
SecFilterSelective THE_REQUEST "/Form_VBScript\.asp"

# WEB-IIS directory listing
SecFilterSelective THE_REQUEST "/ServerVariables_Jscript\.asp"

# WEB-IIS encoding access
SecFilter "%1u" log,pass

# WEB-IIS fpcount attempt
SecFilterSelective THE_REQUEST "/fpcount\.exe" chain
SecFilter "Digits="

# WEB-IIS fpcount access
SecFilterSelective THE_REQUEST "/fpcount\.exe" log,pass

# WEB-IIS getdrvs.exe access
SecFilterSelective THE_REQUEST "/scripts/tools/getdrvs\.exe" log,pass

# WEB-IIS global.asa access
SecFilterSelective THE_REQUEST "/global\.asa" log,pass

# WEB-IIS iisadmpwd attempt
SecFilterSelective THE_REQUEST "/iisadmpwd/aexp"

# WEB-IIS index server file source code attempt
SecFilterSelective THE_REQUEST "\?CiWebHitsFile=/" chain
SecFilter "&CiRestriction=none&CiHiliteType=Full"

# WEB-IIS ism.dll attempt
SecFilterSelective THE_REQUEST " \.htr"

# WEB-IIS jet vba access
SecFilterSelective THE_REQUEST "/advworks/equipment/catalog_type\.asp" log,pass

# WEB-IIS msadcs.dll access
SecFilterSelective THE_REQUEST "/msadcs\.dll" log,pass

# WEB-IIS newdsn.exe access
SecFilterSelective THE_REQUEST "/scripts/tools/newdsn\.exe" log,pass

# WEB-IIS perl access
SecFilterSelective THE_REQUEST "/scripts/perl" log,pass

# WEB-IIS perl-browse space attempt
SecFilterSelective THE_REQUEST " \.pl"

# WEB-IIS scripts-browse access
SecFilterSelective THE_REQUEST "/scripts/ "

# WEB-IIS search97.vts access
SecFilterSelective THE_REQUEST "/search97\.vts" log,pass

# WEB-IIS showcode.asp access
SecFilterSelective THE_REQUEST "/showcode\.asp" log,pass

# WEB-IIS site server config access
SecFilterSelective THE_REQUEST "/adsamples/config/site\.csc" log,pass

# WEB-IIS srch.htm access
SecFilterSelective THE_REQUEST "/samples/isapi/srch\.htm" log,pass

# WEB-IIS srchadm access
SecFilterSelective THE_REQUEST "/srchadm" log,pass

# WEB-IIS uploadn.asp access
SecFilterSelective THE_REQUEST "/scripts/uploadn\.asp" log,pass

# WEB-IIS viewcode.asp access
SecFilterSelective THE_REQUEST "/viewcode\.asp" log,pass

# WEB-IIS webhits access
SecFilterSelective THE_REQUEST "\.htw" log,pass

# WEB-IIS doctodep.btr access
SecFilterSelective THE_REQUEST "doctodep\.btr" log,pass

# WEB-IIS site/iisamples access
SecFilterSelective THE_REQUEST "/site/iisamples" log,pass

# WEB-IIS CodeRed v2 root.exe access
SecFilterSelective THE_REQUEST "/root\.exe"

# WEB-IIS outlook web dos
SecFilterSelective THE_REQUEST "/exchange/LogonFrm\.asp\?" chain
SecFilter "%%%"

# WEB-IIS /scripts/samples/ access
SecFilterSelective THE_REQUEST "/scripts/samples/"

# WEB-IIS /msadc/samples/ access
SecFilterSelective THE_REQUEST "/msadc/samples/"

# WEB-IIS iissamples access
SecFilterSelective THE_REQUEST "/iissamples/"

# WEB-IIS iisadmin access
SecFilterSelective THE_REQUEST "/iisadmin"

# WEB-IIS msdac access
SecFilterSelective THE_REQUEST "/msdac/" log,pass

# WEB-IIS _mem_bin access
SecFilterSelective THE_REQUEST "/_mem_bin/" log,pass

# WEB-IIS htimage.exe access
SecFilterSelective THE_REQUEST "/htimage\.exe" log,pass

# WEB-IIS MS Site Server admin attempt
SecFilterSelective THE_REQUEST "/Site Server/Admin/knowledge/persmbr/"

# WEB-IIS postinfo.asp access
SecFilterSelective THE_REQUEST "/scripts/postinfo\.asp" log,pass

# WEB-IIS /exchange/root.asp attempt
SecFilterSelective THE_REQUEST "/exchange/root\.asp\?acs=anon"

# WEB-IIS /exchange/root.asp access
SecFilterSelective THE_REQUEST "/exchange/root\.asp" log,pass

# WEB-IIS Battleaxe Forum login.asp access
SecFilterSelective THE_REQUEST "myaccount/login\.asp" log,pass

# WEB-IIS nsiislog.dll access
SecFilterSelective THE_REQUEST "/nsiislog\.dll" log,pass

# WEB-IIS IISProtect siteadmin.asp access
SecFilterSelective THE_REQUEST "/iisprotect/admin/SiteAdmin\.asp" log,pass

# WEB-IIS IISProtect globaladmin.asp access
SecFilterSelective THE_REQUEST "/iisprotect/admin/GlobalAdmin\.asp" log,pass

# WEB-IIS IISProtect access
SecFilterSelective THE_REQUEST "/iisprotect/admin/" log,pass

# WEB-IIS Synchrologic Email Accelerator userid list access attempt
SecFilterSelective THE_REQUEST "/en/admin/aggregate\.asp" log,pass

# WEB-IIS MS BizTalk server access
SecFilterSelective THE_REQUEST "/biztalkhttpreceive\.dll" log,pass

# WEB-IIS register.asp access
SecFilterSelective THE_REQUEST "/register\.asp" log,pass

# WEB-IIS UploadScript11.asp access
SecFilterSelective THE_REQUEST "/UploadScript11\.asp" log,pass

# WEB-IIS DirectoryListing.asp access
SecFilterSelective THE_REQUEST "/DirectoryListing\.asp" log,pass

# WEB-IIS /pcadmin/login.asp access
SecFilterSelective THE_REQUEST "/pcadmin/login\.asp" log,pass

# WEB-IIS foxweb.exe access
SecFilterSelective THE_REQUEST "/foxweb\.exe" log,pass

# WEB-IIS foxweb.dll access
SecFilterSelective THE_REQUEST "/foxweb\.dll" log,pass

# WEB-IIS VP-ASP shopsearch.asp access
SecFilterSelective THE_REQUEST "/shopsearch\.asp" log,pass

# WEB-IIS VP-ASP ShopDisplayProducts.asp access
SecFilterSelective THE_REQUEST "/ShopDisplayProducts\.asp" log,pass

# WEB-IIS sgdynamo.exe access
SecFilterSelective THE_REQUEST "/sgdynamo\.exe" log,pass

# WEB-MISC cross site scripting attempt
SecFilter "<SCRIPT>"

# WEB-MISC cross site scripting HTML Image tag set to javascript attempt
SecFilter "img src=javascript"

# WEB-MISC Cisco IOS HTTP configuration attempt
SecFilterSelective THE_REQUEST "/exec/"

# WEB-MISC Netscape Enterprise DOS
SecFilter "REVLOG / "

# WEB-MISC Netscape Enterprise directory listing attempt
SecFilter "INDEX "

# WEB-MISC iPlanet GETPROPERTIES attempt
SecFilter "GETPROPERTIES"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# WEB-MISC ftp attempt
SecFilter "ftp\.exe" log,pass

# WEB-MISC xp_enumdsn attempt
SecFilter "xp_enumdsn"

# WEB-MISC xp_filelist attempt
SecFilter "xp_filelist"

# WEB-MISC xp_availablemedia attempt
SecFilter "xp_availablemedia"

# WEB-MISC xp_cmdshell attempt
SecFilter "xp_cmdshell"

# WEB-MISC nc.exe attempt
SecFilter "nc\.exe" log,pass

# WEB-MISC wsh attempt
SecFilter "wsh\.exe" log,pass

# WEB-MISC rcmd attempt
SecFilter "rcmd\.exe" log,pass

# WEB-MISC telnet attempt
SecFilter "telnet\.exe" log,pass

# WEB-MISC net attempt
SecFilter "net\.exe" log,pass

# WEB-MISC tftp attempt
SecFilter "tftp\.exe" log,pass

# WEB-MISC xp_regread attempt
SecFilter "xp_regread" log,pass

# WEB-MISC xp_regwrite attempt
SecFilter "xp_regwrite" log,pass

# WEB-MISC xp_regdeletekey attempt
SecFilter "xp_regdeletekey" log,pass

# WEB-MISC WebDAV search access
SecFilter "SEARCH " log,pass

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC Lotus Domino directory traversal
SecFilterSelective THE_REQUEST "\.\./"

# WEB-MISC queryhit.htm access
SecFilterSelective THE_REQUEST "/samples/search/queryhit\.htm" log,pass

# WEB-MISC counter.exe access
SecFilterSelective THE_REQUEST "/counter\.exe" log,pass

# WEB-MISC unify eWave ServletExec upload
SecFilterSelective THE_REQUEST "/servlet/com\.unify\.servletexec\.UploadServlet"

# WEB-MISC Netscape Servers suite DOS
SecFilterSelective THE_REQUEST "/dsgw/bin/search\?context="

# WEB-MISC amazon 1-click cookie theft
SecFilter "ref\x3Cscript\x20language\x3D\x22Javascript"

# WEB-MISC unify eWave ServletExec DOS
SecFilterSelective THE_REQUEST "/servlet/ServletExec" log,pass

# WEB-MISC Allaire JRUN DOS attempt
SecFilterSelective THE_REQUEST "servlet/\.\.\.\.\.\.\."

# WEB-MISC ICQ Webfront HTTP DOS
SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"

# WEB-MISC Talentsoft Web+ Source Code view access
SecFilterSelective THE_REQUEST "/webplus\.exe\?script=test\.wml"

# WEB-MISC Talentsoft Web+ internal IP Address access
SecFilterSelective THE_REQUEST "/webplus\.exe\?about" log,pass

# WEB-MISC SmartWin CyberOffice Shopping Cart access
SecFilterSelective THE_REQUEST "_private/shopping_cart\.mdb"

# WEB-MISC cybercop scan
SecFilterSelective THE_REQUEST "/cybercop" log,pass

# WEB-MISC Nessus 404 probe
SecFilterSelective THE_REQUEST "/nessus_is_probing_you_"

# WEB-MISC Netscape admin passwd
SecFilterSelective THE_REQUEST "/admin-serv/config/admpw"

# WEB-MISC BigBrother access
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC"

# WEB-MISC ftp.pl attempt
SecFilterSelective THE_REQUEST "/ftp\.pl\?dir=\.\./\.\."

# WEB-MISC ftp.pl access
SecFilterSelective THE_REQUEST "/ftp\.pl" log,pass

# WEB-MISC Tomcat server snoop access
SecFilterSelective THE_REQUEST "\.snp"

# WEB-MISC ROXEN directory list attempt
SecFilterSelective THE_REQUEST "/\x00"

# WEB-MISC apache source.asp file access
SecFilterSelective THE_REQUEST "/site/eg/source\.asp"

# WEB-MISC Tomcat server exploit access
SecFilterSelective THE_REQUEST "/contextAdmin/contextAdmin\.html"

# WEB-MISC ICQ webserver DOS
SecFilterSelective THE_REQUEST "\.html/\.\.\.\.\.\."

# WEB-MISC Lotus DelDoc attempt
SecFilterSelective THE_REQUEST "\?DeleteDocument"

# WEB-MISC Lotus EditDoc attempt
SecFilterSelective THE_REQUEST "\?EditDocument"

# WEB-MISC ls%20-l
SecFilter "ls\x20-l"

# WEB-MISC mlog.phtml access
SecFilterSelective THE_REQUEST "/mlog\.phtml"

# WEB-MISC mylog.phtml access
SecFilterSelective THE_REQUEST "/mylog\.phtml"

# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"

# WEB-MISC ?PageServices access
SecFilterSelective THE_REQUEST "\?PageServices"

# WEB-MISC Ecommerce check.txt access
SecFilterSelective THE_REQUEST "/config/check\.txt"

# WEB-MISC webcart access
SecFilterSelective THE_REQUEST "/webcart/"

# WEB-MISC AuthChangeUrl access
SecFilterSelective THE_REQUEST "_AuthChangeUrl\?"

# WEB-MISC convert.bas access
SecFilterSelective THE_REQUEST "/scripts/convert\.bas"

# WEB-MISC cpshost.dll access
SecFilterSelective THE_REQUEST "/scripts/cpshost\.dll"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC .wwwacl access
SecFilterSelective THE_REQUEST "\.wwwacl"

# WEB-MISC .wwwacl access
SecFilterSelective THE_REQUEST "\.www_acl"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC guestbook.pl access
SecFilterSelective THE_REQUEST "/guestbook\.pl"

# WEB-MISC handler access
SecFilterSelective THE_REQUEST "/handler" log,pass

# WEB-MISC /.... access
SecFilter "/\.\.\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC Ecommerce import.txt access
SecFilterSelective THE_REQUEST "/config/import\.txt"

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC Ecommerce import.txt access
SecFilterSelective THE_REQUEST "/orders/import\.txt"

# WEB-MISC Domino catalog.nsf access
SecFilterSelective THE_REQUEST "/catalog\.nsf"

# WEB-MISC Domino domcfg.nsf access
SecFilterSelective THE_REQUEST "/domcfg\.nsf"

# WEB-MISC Domino domlog.nsf access
SecFilterSelective THE_REQUEST "/domlog\.nsf"

# WEB-MISC Domino log.nsf access
SecFilterSelective THE_REQUEST "/log\.nsf"

# WEB-MISC Domino names.nsf access
SecFilterSelective THE_REQUEST "/names\.nsf"

# WEB-MISC Domino mab.nsf access
SecFilterSelective THE_REQUEST "/mab\.nsf"

# WEB-MISC Domino cersvr.nsf access
SecFilterSelective THE_REQUEST "/cersvr\.nsf"

# WEB-MISC Domino setup.nsf access
SecFilterSelective THE_REQUEST "/setup\.nsf"

# WEB-MISC Domino statrep.nsf access
SecFilterSelective THE_REQUEST "/statrep\.nsf"

# WEB-MISC Domino webadmin.nsf access
SecFilterSelective THE_REQUEST "/webadmin\.nsf"

# WEB-MISC Domino events4.nsf access
SecFilterSelective THE_REQUEST "/events4\.nsf"

# WEB-MISC Domino ntsync4.nsf access
SecFilterSelective THE_REQUEST "/ntsync4\.nsf"

# WEB-MISC Domino collect4.nsf access
SecFilterSelective THE_REQUEST "/collect4\.nsf"

# WEB-MISC Domino mailw46.nsf access
SecFilterSelective THE_REQUEST "/mailw46\.nsf"

# WEB-MISC Domino bookmark.nsf access
SecFilterSelective THE_REQUEST "/bookmark\.nsf"

# WEB-MISC Domino agentrunner.nsf access
SecFilterSelective THE_REQUEST "/agentrunner\.nsf"

# WEB-MISC Domino mail.box access
SecFilterSelective THE_REQUEST "/mail\.box"

# WEB-MISC Ecommerce checks.txt access
SecFilterSelective THE_REQUEST "/orders/checks\.txt"

# WEB-MISC apache DOS attempt
SecFilter "////////"

# WEB-MISC Netscape PublishingXpert access
SecFilterSelective THE_REQUEST "/PSUser/PSCOErrPage\.htm" log,pass

# WEB-MISC windmail.exe access
SecFilterSelective THE_REQUEST "/windmail\.exe"

# WEB-MISC webplus access
SecFilterSelective THE_REQUEST "/webplus\?script"

# WEB-MISC Netscape dir index wp
SecFilterSelective THE_REQUEST "\?wp-"

# WEB-MISC cart 32 AdminPwd access
SecFilterSelective THE_REQUEST "/c32web\.exe/ChangeAdminPassword"

# WEB-MISC shopping cart access
SecFilterSelective THE_REQUEST "/quikstore\.cfg"

# WEB-MISC Novell Groupwise gwweb.exe attempt
SecFilterSelective THE_REQUEST "/GWWEB\.EXE\?HELP="

# WEB-MISC Novell Groupwise gwweb.exe access
SecFilter "/GWWEB\.EXE"

# WEB-MISC ws_ftp.ini access
SecFilterSelective THE_REQUEST "/ws_ftp\.ini"

# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"

# WEB-MISC mall log order access
SecFilterSelective THE_REQUEST "/mall_log_files/order\.log"

# WEB-MISC architext_query.pl access
SecFilterSelective THE_REQUEST "/ews/architext_query\.pl"

# WEB-MISC wwwboard.pl access
SecFilterSelective THE_REQUEST "/wwwboard\.pl"

# WEB-MISC order.log access
SecFilterSelective THE_REQUEST "/admin_files/order\.log"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-verify-link"

# WEB-MISC get32.exe access
SecFilterSelective THE_REQUEST "/get32\.exe"

# WEB-MISC Annex Terminal DOS attempt
SecFilterSelective THE_REQUEST "/ping\?query="

# WEB-MISC cgitest.exe access
SecFilterSelective THE_REQUEST "/cgitest\.exe" log,pass

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-cs-dump"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-ver-info"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-ver-diff"

# WEB-MISC SalesLogix Eviewer web command attempt
SecFilterSelective THE_REQUEST "/slxweb\.dll/admin\?command="

# WEB-MISC SalesLogix Eviewer access
SecFilterSelective THE_REQUEST "/slxweb\.dll" log,pass

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-start-ver"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-stop-ver"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-uncheckout"

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-html-rend"

# WEB-MISC Trend Micro OfficeScan attempt
SecFilterSelective THE_REQUEST "event="

# WEB-MISC Trend Micro OfficeScan access
SecFilterSelective THE_REQUEST "/officescan/cgi/jdkRqNotify\.exe"

# WEB-MISC oracle web arbitrary command execution attempt
SecFilterSelective THE_REQUEST "\?&"

# WEB-MISC oracle web application server access
SecFilterSelective THE_REQUEST "/ows-bin/" log,pass

# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-usr-prop"

# WEB-MISC search.vts access
SecFilterSelective THE_REQUEST "/search\.vts"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .nsconfig access
SecFilterSelective THE_REQUEST "/\.nsconfig"

# WEB-MISC Admin_files access
SecFilterSelective THE_REQUEST "/admin_files"

# WEB-MISC backup access
SecFilterSelective THE_REQUEST "/backup"

# WEB-MISC intranet access
SecFilterSelective THE_REQUEST "/intranet/"

# WEB-MISC filemail access
SecFilterSelective THE_REQUEST "/filemail"

# WEB-MISC plusmail access
SecFilterSelective THE_REQUEST "/plusmail"

# WEB-MISC adminlogin access
SecFilterSelective THE_REQUEST "/adminlogin"

# WEB-MISC ultraboard access
SecFilterSelective THE_REQUEST "/ultraboard"

# WEB-MISC musicat empower attempt
SecFilterSelective THE_REQUEST "/empower\?DB="

# WEB-MISC musicat empower access
SecFilterSelective THE_REQUEST "/empower" log,pass

# WEB-MISC ROADS search.pl attempt
SecFilterSelective THE_REQUEST "/ROADS/cgi-bin/search\.pl" chain
SecFilter "form="

# WEB-MISC VirusWall FtpSave access
SecFilterSelective THE_REQUEST "/FtpSave\.dll"

# WEB-MISC VirusWall FtpSaveCSP access
SecFilterSelective THE_REQUEST "/FtpSaveCSP\.dll"

# WEB-MISC VirusWall FtpSaveCVP access
SecFilterSelective THE_REQUEST "/FtpSaveCVP\.dll"

# WEB-MISC weblogic/tomcat .jsp view source attempt
SecFilterSelective THE_REQUEST "\.jsp"

# WEB-MISC SWEditServlet directory traversal attempt
SecFilterSelective THE_REQUEST "/SWEditServlet" chain
SecFilter "template=\.\./\.\./\.\./"

# WEB-MISC SWEditServlet access
SecFilterSelective THE_REQUEST "/SWEditServlet"

# WEB-MISC whisker HEAD/./
SecFilter "HEAD/\./"

# WEB-MISC HP OpenView Manager DOS
SecFilterSelective THE_REQUEST "/OvCgi/OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid="

# WEB-MISC sml3com access
SecFilterSelective THE_REQUEST "/graphics/sml3com" log,pass

# WEB-MISC carbo.dll access
SecFilterSelective THE_REQUEST "/carbo\.dll" chain
SecFilter "icatcommand="

# WEB-MISC console.exe access
SecFilterSelective THE_REQUEST "/cgi-bin/console\.exe"

# WEB-MISC cs.exe access
SecFilterSelective THE_REQUEST "/cgi-bin/cs\.exe"

# WEB-MISC http directory traversal
SecFilter "\.\./"

# WEB-MISC sadmind worm access
SecFilter "GET x HTTP/1\.0"

# WEB-MISC jrun directory browse attempt
SecFilterSelective THE_REQUEST "/\?\.jsp"

# WEB-MISC mod-plsql administration access
SecFilterSelective THE_REQUEST "/admin_/" log,pass

# WEB-MISC Phorecast remote code execution attempt
SecFilter "includedir="

# WEB-MISC viewcode access
SecFilterSelective THE_REQUEST "/viewcode"

# WEB-MISC showcode access
SecFilterSelective THE_REQUEST "/showcode"

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-MISC RBS ISP /newuser  directory traversal attempt
SecFilterSelective THE_REQUEST "/newuser\?Image=\.\./\.\."

# WEB-MISC RBS ISP /newuser access
SecFilterSelective THE_REQUEST "/newuser" log,pass

# WEB-MISC mkplog.exe access
SecFilterSelective THE_REQUEST "/mkplog\.exe" log,pass

# WEB-MISC PCCS mysql database admin tool access
SecFilter "pccsmysqladm/incs/dbconnect\.inc"

# WEB-MISC .DS_Store access
SecFilterSelective THE_REQUEST "/\.DS_Store" log,pass

# WEB-MISC .FBCIndex access
SecFilterSelective THE_REQUEST "/\.FBCIndex" log,pass

# WEB-MISC ExAir access
SecFilterSelective THE_REQUEST "/exair/search/" log,pass

# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass

# WEB-MISC server-info access
SecFilterSelective THE_REQUEST "/server-info" log,pass

# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass

# WEB-MISC ans.pl attempt
SecFilterSelective THE_REQUEST "/ans\.pl\?p=\.\./\.\./"

# WEB-MISC ans.pl access
SecFilterSelective THE_REQUEST "/ans\.pl" log,pass

# WEB-MISC AxisStorpoint CD attempt
SecFilterSelective THE_REQUEST "/cd/\.\./config/html/cnf_gi\.htm"

# WEB-MISC Axis Storpoint CD access
SecFilterSelective THE_REQUEST "/config/html/cnf_gi\.htm" log,pass

# WEB-MISC basilix sendmail.inc access
SecFilterSelective THE_REQUEST "/inc/sendmail\.inc" log,pass

# WEB-MISC basilix mysql.class access
SecFilterSelective THE_REQUEST "/class/mysql\.class" log,pass

# WEB-MISC BBoard access
SecFilterSelective THE_REQUEST "/servlet/sunexamples\.BBoardServlet" log,pass

# WEB-MISC Cisco Catalyst command execution attempt
SecFilterSelective THE_REQUEST "/exec/show/config/cr" log,pass

# WEB-MISC /CVS/Entries access
SecFilterSelective THE_REQUEST "/CVS/Entries" log,pass

# WEB-MISC cvsweb version access
SecFilterSelective THE_REQUEST "/cvsweb/version" log,pass

# WEB-MISC /doc/packages access
SecFilterSelective THE_REQUEST "/doc/packages" log,pass

# WEB-MISC /doc/ access
SecFilterSelective THE_REQUEST "/doc/" log,pass

# WEB-MISC login.htm attempt
SecFilterSelective THE_REQUEST "/login\.htm\?password=" log,pass

# WEB-MISC login.htm access
SecFilterSelective THE_REQUEST "/login\.htm" log,pass

# WEB-MISC DELETE attempt
SecFilter "DELETE " log,pass

# WEB-MISC /home/ftp access
SecFilterSelective THE_REQUEST "/home/ftp" log,pass

# WEB-MISC /home/www access
SecFilterSelective THE_REQUEST "/home/www" log,pass

# WEB-MISC global.inc access
SecFilterSelective THE_REQUEST "/global\.inc"

# WEB-MISC SecureSite authentication bypass attempt
SecFilter "secure_site, ok"

# WEB-MISC search.dll directory listing attempt
SecFilterSelective THE_REQUEST "/search\.dll" chain
SecFilter "query=\x00"

# WEB-MISC search.dll access
SecFilterSelective THE_REQUEST "/search\.dll" log,pass

# WEB-MISC PIX firewall manager directory traversal attempt
SecFilter "/\.\./\.\./"

# WEB-MISC iChat directory traversal attempt
SecFilter "/\.\./\.\./" log,pass

# WEB-MISC nstelemetry.adp access
SecFilter "/nstelemetry\.adp" log,pass

# WEB-MISC Compaq Insight directory traversal
SecFilter "\.\./"

# WEB-MISC VirusWall catinfo access
SecFilterSelective THE_REQUEST "/catinfo"

# WEB-MISC VirusWall catinfo access
SecFilter "/catinfo"

# WEB-MISC Chunked-Encoding transfer attempt
SecFilter "chunked"

# WEB-MISC CISCO VoIP DOS ATTEMPT
SecFilterSelective THE_REQUEST "/StreamingStatistics"

# WEB-MISC IBM Net.Commerce orderdspc.d2w access
SecFilterSelective THE_REQUEST "/ncommerce3/ExecMacro/orderdspc\.d2w" log,pass

# WEB-MISC WEB-INF access
SecFilterSelective THE_REQUEST "/WEB-INF" log,pass

# WEB-MISC Tomcat servlet mapping cross site scripting attempt
SecFilterSelective THE_REQUEST "/org\.apache\."

# WEB-MISC iPlanet Search directory traversal attempt
SecFilterSelective THE_REQUEST "/search" chain
SecFilter "\.\./\.\./"

# WEB-MISC Tomcat TroubleShooter servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/TroubleShooter" log,pass

# WEB-MISC Tomcat SnoopServlet servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/SnoopServlet" log,pass

# WEB-MISC jigsaw dos attempt
SecFilterSelective THE_REQUEST "/servlet/con"

# WEB-MISC Macromedia SiteSpring cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-MISC mailman cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-MISC webalizer access
SecFilterSelective THE_REQUEST "/webalizer/" log,pass

# WEB-MISC webcart-lite access
SecFilterSelective THE_REQUEST "/webcart-lite/" log,pass

# WEB-MISC webfind.exe access
SecFilterSelective THE_REQUEST "/webfind\.exe" log,pass

# WEB-MISC active.log access
SecFilterSelective THE_REQUEST "/active\.log" log,pass

# WEB-MISC robots.txt access
SecFilterSelective THE_REQUEST "/robots\.txt" log,pass

# WEB-MISC robot.txt access
SecFilterSelective THE_REQUEST "/robot\.txt" log,pass

# WEB-MISC CISCO PIX Firewall Manager directory traversal attempt
SecFilter "/pixfir~1/how_to_login\.html"

# WEB-MISC Sun JavaServer default password login attempt
SecFilter "ae9f86d6beaa3f9ecb9a5b7e072a4138"

# WEB-MISC Linksys router default username and password login attempt
SecFilter "YWRtaW46YWRtaW4"

# WEB-MISC NetGear router default password login attempt admin/password
SecFilter "YWRtaW46cGFzc3dvcmQ"

# WEB-MISC Oracle XSQLConfig.xml access
SecFilterSelective THE_REQUEST "/XSQLConfig\.xml" log,pass

# WEB-MISC Oracle Dynamic Monitoring Services dms access
SecFilterSelective THE_REQUEST "/dms0" log,pass

# WEB-MISC globals.jsa access
SecFilterSelective THE_REQUEST "/globals\.jsa" log,pass

# WEB-MISC Oracle Java Process Manager access
SecFilterSelective THE_REQUEST "/oprocmgr-status" log,pass

# WEB-MISC whisker space splice attack
SecFilter " "

# WEB-MISC /Carello/add.exe access
SecFilterSelective THE_REQUEST "/Carello/add\.exe" log,pass

# WEB-MISC /ecscripts/ecware.exe access
SecFilterSelective THE_REQUEST "/ecscripts/ecware\.exe" log,pass

# WEB-MISC ion-p access
SecFilterSelective THE_REQUEST "/ion-p" log,pass

# WEB-MISC SiteScope Service access
SecFilter "/SiteScope/cgi/go\.exe/SiteScope" log,pass

# WEB-MISC answerbook2 admin attempt
SecFilter "/cgi-bin/admin/admin" log,pass

# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"

# WEB-MISC TRACE attempt
SecFilter "TRACE"

# WEB-MISC helpout.exe access
SecFilterSelective THE_REQUEST "/helpout\.exe" log,pass

# WEB-MISC MsmMask.exe attempt
SecFilterSelective THE_REQUEST "/MsmMask\.exe" chain
SecFilter "mask="

# WEB-MISC MsmMask.exe access
SecFilterSelective THE_REQUEST "/MsmMask\.exe" log,pass

# WEB-MISC DB4Web access
SecFilterSelective THE_REQUEST "/DB4Web/" log,pass

# WEB-MISC iPlanet .perf access
SecFilterSelective THE_REQUEST "/\.perf" log,pass

# WEB-MISC Demarc SQL injection attempt
SecFilterSelective THE_REQUEST "/dm/demarc" chain
SecFilter "'" log,pass

# WEB-MISC Lotus Notes .csp script source download attempt
SecFilterSelective THE_REQUEST "\.csp" chain
SecFilter "\."

# WEB-MISC Lotus Notes .pl script source download attempt
SecFilterSelective THE_REQUEST "\.pl" chain
SecFilter "\."

# WEB-MISC Lotus Notes .exe script source download attempt
SecFilterSelective THE_REQUEST "\.exe" chain
SecFilter "\."

# WEB-MISC BitKeeper arbitrary command attempt
SecFilterSelective THE_REQUEST "/diffs/" chain
SecFilter "'"

# WEB-MISC chip.ini access
SecFilterSelective THE_REQUEST "/chip\.ini" log,pass

# WEB-MISC post32.exe access
SecFilterSelective THE_REQUEST "/post32\.exe" log,pass

# WEB-MISC lyris.pl access
SecFilterSelective THE_REQUEST "/lyris\.pl" log,pass

# WEB-MISC globals.pl access
SecFilterSelective THE_REQUEST "/globals\.pl" log,pass

# WEB-MISC philboard.mdb access
SecFilterSelective THE_REQUEST "/philboard\.mdb" log,pass

# WEB-MISC philboard_admin.asp authentication bypass attempt
SecFilterSelective THE_REQUEST "/philboard_admin\.asp" chain
SecFilter "philboard_admin=True"

# WEB-MISC philboard_admin.asp access
SecFilterSelective THE_REQUEST "/philboard_admin\.asp" log,pass

# WEB-MISC logicworks.ini access
SecFilterSelective THE_REQUEST "/logicworks\.ini" log,pass

# WEB-MISC /*.shtml access
SecFilterSelective THE_REQUEST "/*\.shtml" log,pass

# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass

# WEB-MISC register.dll access
SecFilterSelective THE_REQUEST "/register\.dll" log,pass

# WEB-MISC ContentFilter.dll access
SecFilterSelective THE_REQUEST "/ContentFilter\.dll" log,pass

# WEB-MISC SFNofitication.dll access
SecFilterSelective THE_REQUEST "/SFNofitication\.dll" log,pass

# WEB-MISC TOP10.dll access
SecFilterSelective THE_REQUEST "/TOP10\.dll" log,pass

# WEB-MISC SpamExcp.dll access
SecFilterSelective THE_REQUEST "/SpamExcp\.dll" log,pass

# WEB-MISC spamrule.dll access
SecFilterSelective THE_REQUEST "/spamrule\.dll" log,pass

# WEB-MISC cgiWebupdate.exe access
SecFilterSelective THE_REQUEST "/cgiWebupdate\.exe" log,pass

# WEB-MISC WebLogic ConsoleHelp view source attempt
SecFilterSelective THE_REQUEST "\.jsp"

# WEB-MISC redirect.exe access
SecFilterSelective THE_REQUEST "/redirect\.exe" log,pass

# WEB-MISC changepw.exe access
SecFilterSelective THE_REQUEST "/changepw\.exe" log,pass

# WEB-MISC cwmail.exe access
SecFilterSelective THE_REQUEST "/cwmail\.exe" log,pass

# WEB-MISC ddicgi.exe access
SecFilterSelective THE_REQUEST "/ddicgi\.exe" log,pass

# WEB-MISC ndcgi.exe access
SecFilterSelective THE_REQUEST "/ndcgi\.exe" log,pass

# WEB-MISC VsSetCookie.exe access
SecFilterSelective THE_REQUEST "/VsSetCookie\.exe" log,pass

# WEB-MISC Webnews.exe access
SecFilterSelective THE_REQUEST "/Webnews\.exe" log,pass

# WEB-MISC webadmin.dll access
SecFilterSelective THE_REQUEST "/webadmin\.dll" log,pass

# WEB-MISC oracle portal demo access
SecFilterSelective THE_REQUEST "/pls/portal/PORTAL_DEMO" log,pass

# WEB-MISC PeopleSoft PeopleBooks psdoccgi access
SecFilterSelective THE_REQUEST "/psdoccgi" log,pass

# WEB-MISC bsml.pl access
SecFilterSelective THE_REQUEST "/bsml\.pl" log,pass

# WEB-MISC ISAPISkeleton.dll access
SecFilterSelective THE_REQUEST "/ISAPISkeleton\.dll" log,pass

# WEB-MISC BugPort config.conf file access
SecFilterSelective THE_REQUEST "/config\.conf"

# WEB-MISC Sample_showcode.html access
SecFilterSelective THE_REQUEST "/Sample_showcode\.html" chain
SecFilter "fname" log,pass

# WEB-MISC Compaq web-based management agent denial of service attempt
SecFilter ">"

# WEB-MISC InteractiveQuery.jsp access
SecFilterSelective THE_REQUEST "/InteractiveQuery\.jsp" log,pass

# WEB-MISC edittag.pl access
SecFilterSelective THE_REQUEST "/edittag\.pl" log,pass

# WEB-MISC util.pl access
SecFilterSelective THE_REQUEST "/util\.pl" log,pass

# WEB-MISC Invision Power Board search.pl access
SecFilterSelective THE_REQUEST "/search\.pl" chain
SecFilter "st=" log,pass

# WEB-MISC Real Server DESCRIBE buffer overflow attempt
SecFilter "\.\./"

# WEB-MISC source.jsp access
SecFilterSelective THE_REQUEST "/source\.jsp" log,pass

# WEB-MISC ServletManager access
SecFilterSelective THE_REQUEST "/servlet/ServletManager" log,pass

# WEB-MISC setinfo.hts access
SecFilterSelective THE_REQUEST "/setinfo\.hts" log,pass

# WEB-MISC McAfee ePO file upload attempt
SecFilter "Command=BEGIN"

# WEB-PHP bb_smilies.php access
SecFilterSelective THE_REQUEST "/bb_smilies\.php" log,pass

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"

# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"

# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass

# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"

# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass

# WEB-PHP Messagerie supp_membre.php access
SecFilterSelective THE_REQUEST "/supp_membre\.php" log,pass

# WEB-PHP php.exe access
SecFilterSelective THE_REQUEST "/php\.exe" log,pass

# WEB-PHP directory.php access
SecFilterSelective THE_REQUEST "/directory\.php"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass

# WEB-PHP read_body.php access attempt
SecFilterSelective THE_REQUEST "/read_body\.php" log,pass

# WEB-PHP calendar.php access
SecFilterSelective THE_REQUEST "/calendar\.php" log,pass

# WEB-PHP edit_image.php access
SecFilterSelective THE_REQUEST "/edit_image\.php" log,pass

# WEB-PHP readmsg.php access
SecFilterSelective THE_REQUEST "/readmsg\.php" log,pass

# WEB-PHP Phorum admin access
SecFilterSelective THE_REQUEST "/admin\.php3"

# WEB-PHP piranha passwd.php3 access
SecFilterSelective THE_REQUEST "/passwd\.php3"

# WEB-PHP Phorum read access
SecFilterSelective THE_REQUEST "/read\.php3"

# WEB-PHP Phorum violation access
SecFilterSelective THE_REQUEST "/violation\.php3"

# WEB-PHP Phorum code access
SecFilterSelective THE_REQUEST "/code\.php3"

# WEB-PHP admin.php file upload attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "file_name="

# WEB-PHP admin.php access
SecFilterSelective THE_REQUEST "/admin\.php"

# WEB-PHP smssend.php access
SecFilterSelective THE_REQUEST "/smssend\.php" log,pass

# WEB-PHP Phorum /support/common.php attempt
SecFilterSelective THE_REQUEST "/support/common\.php" chain
SecFilter "ForumLang=\.\./"

# WEB-PHP Phorum /support/common.php access
SecFilterSelective THE_REQUEST "/support/common\.php"

# WEB-PHP Phorum authentication access
SecFilter "PHP_AUTH_USER=boogieman"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

# WEB-PHP PHPLIB remote command attempt
SecFilterSelective THE_REQUEST "/db_mysql\.inc"

# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass

# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass

# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass

# WEB-PHP p-news.php access
SecFilterSelective THE_REQUEST "/p-news\.php" log,pass

# WEB-PHP shoutbox.php directory traversal attempt
SecFilterSelective THE_REQUEST "/shoutbox\.php" chain
SecFilter "\.\./"

# WEB-PHP shoutbox.php access
SecFilterSelective THE_REQUEST "/shoutbox\.php" log,pass

# WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
SecFilterSelective THE_REQUEST "/gm-2-b2\.php" chain
SecFilter "b2inc=http"

# WEB-PHP b2 cafelog gm-2-b2.php access
SecFilterSelective THE_REQUEST "/gm-2-b2\.php" log,pass

# WEB-PHP TextPortal admin.php default password admin attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "password=admin" log,pass

# WEB-PHP TextPortal admin.php default password 12345 attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "password=12345" log,pass

# WEB-PHP BLNews objects.inc.php4 remote command execution attempt
SecFilterSelective THE_REQUEST "/objects\.inc\.php4" chain
SecFilter "Server\[path\]=http"

# WEB-PHP BLNews objects.inc.php4 access
SecFilterSelective THE_REQUEST "/objects\.inc\.php4" log,pass

# WEB-PHP Turba status.php access
SecFilterSelective THE_REQUEST "/turba/status\.php" log,pass

# WEB-PHP ttCMS header.php remote command execution attempt
SecFilterSelective THE_REQUEST "/admin/templates/header\.php" chain
SecFilter "admin_root=http"

# WEB-PHP ttCMS header.php access
SecFilterSelective THE_REQUEST "/admin/templates/header\.php" log,pass

# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass

# WEB-PHP autohtml.php directory traversal attempt
SecFilterSelective THE_REQUEST "/autohtml\.php" chain
SecFilter "\.\./\.\./"

# WEB-PHP autohtml.php access
SecFilterSelective THE_REQUEST "/autohtml\.php" log,pass

# WEB-PHP ttforum remote command execution attempt
SecFilterSelective THE_REQUEST "forum/index\.php" chain
SecFilter "template=http"

# WEB-PHP pmachine remote command execution attempt
SecFilterSelective THE_REQUEST "lib\.inc\.php" chain
SecFilter "pm_path=http"

# WEB-PHP forum_details.php access
SecFilterSelective THE_REQUEST "forum_details\.php"

# WEB-PHP phpMyAdmin db_details_importdocsql.php access
SecFilterSelective THE_REQUEST "db_details_importdocsql\.php"

# WEB-PHP viewtopic.php access
SecFilterSelective THE_REQUEST "viewtopic\.php"

# WEB-PHP UpdateClasses.php access
SecFilterSelective THE_REQUEST "/UpdateClasses\.php" log,pass

# WEB-PHP Title.php access
SecFilterSelective THE_REQUEST "/Title\.php" log,pass

# WEB-PHP Setup.php access
SecFilterSelective THE_REQUEST "/Setup\.php" log,pass

# WEB-PHP GlobalFunctions.php access
SecFilterSelective THE_REQUEST "/GlobalFunctions\.php" log,pass

# WEB-PHP DatabaseFunctions.php access
SecFilterSelective THE_REQUEST "/DatabaseFunctions\.php" log,pass

# WEB-PHP rolis guestbook arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/insert\.inc\.php" chain
SecFilter "path="

# WEB-PHP rolis guestbook access
SecFilterSelective THE_REQUEST "/insert\.inc\.php" log,pass

# WEB-PHP friends.php access
SecFilterSelective THE_REQUEST "/friends\.php" log,pass

# WEB-PHP Advanced Poll admin_comment.php access
SecFilterSelective THE_REQUEST "/admin_comment\.php" log,pass

# WEB-PHP Advanced Poll admin_edit.php access
SecFilterSelective THE_REQUEST "/admin_edit\.php" log,pass

# WEB-PHP Advanced Poll admin_embed.php access
SecFilterSelective THE_REQUEST "/admin_embed\.php" log,pass

# WEB-PHP Advanced Poll admin_help.php access
SecFilterSelective THE_REQUEST "/admin_help\.php" log,pass

# WEB-PHP Advanced Poll admin_license.php access
SecFilterSelective THE_REQUEST "/admin_license\.php" log,pass

# WEB-PHP Advanced Poll admin_logout.php access
SecFilterSelective THE_REQUEST "/admin_logout\.php" log,pass

# WEB-PHP Advanced Poll admin_password.php access
SecFilterSelective THE_REQUEST "/admin_password\.php" log,pass

# WEB-PHP Advanced Poll admin_preview.php access
SecFilterSelective THE_REQUEST "/admin_preview\.php" log,pass

# WEB-PHP Advanced Poll admin_settings.php access
SecFilterSelective THE_REQUEST "/admin_settings\.php" log,pass

# WEB-PHP Advanced Poll admin_stats.php access
SecFilterSelective THE_REQUEST "/admin_stats\.php" log,pass

# WEB-PHP Advanced Poll admin_templates_misc.php access
SecFilterSelective THE_REQUEST "/admin_templates_misc\.php" log,pass

# WEB-PHP Advanced Poll admin_templates.php access
SecFilterSelective THE_REQUEST "/admin_templates\.php" log,pass

# WEB-PHP Advanced Poll admin_tpl_misc_new.php access
SecFilterSelective THE_REQUEST "/admin_tpl_misc_new\.php" log,pass

# WEB-PHP Advanced Poll admin_tpl_new.php access
SecFilterSelective THE_REQUEST "/admin_tpl_new\.php" log,pass

# WEB-PHP Advanced Poll booth.php access
SecFilterSelective THE_REQUEST "/booth\.php" log,pass

# WEB-PHP Advanced Poll poll_ssi.php access
SecFilterSelective THE_REQUEST "/poll_ssi\.php" log,pass

# WEB-PHP Advanced Poll popup.php access
SecFilterSelective THE_REQUEST "/popup\.php" log,pass

# WEB-PHP files.inc.php access
SecFilterSelective THE_REQUEST "/files\.inc\.php" log,pass

# WEB-PHP chatbox.php access
SecFilterSelective THE_REQUEST "/chatbox\.php" log,pass

# WEB-PHP gallery arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/setup/" chain
SecFilter "GALLERY_BASEDIR="

# WEB-PHP PayPal Storefront arbitrary command execution attempt
SecFilter "page="

# WEB-PHP authentication_index.php access
SecFilterSelective THE_REQUEST "/authentication_index\.php" log,pass

# WEB-PHP MatrikzGB privilege escalation attempt
SecFilter "new_rights=admin" log,pass

# WEB-PHP DCP-Portal remote file include attempt
SecFilterSelective THE_REQUEST "/library/editor/editor\.php" chain
SecFilter "root="

# WEB-PHP DCP-Portal remote file include attempt
SecFilterSelective THE_REQUEST "/library/lib\.php" chain
SecFilter "root="

# WEB-PHP PhpGedView search.php access
SecFilterSelective THE_REQUEST "firstname=" log,pass

# WEB-PHP myPHPNuke chatheader.php access
SecFilterSelective THE_REQUEST "/chatheader\.php" log,pass

# WEB-PHP myPHPNuke partner.php access
SecFilterSelective THE_REQUEST "/partner\.php" log,pass

# WEB-PHP IdeaBox cord.php file include
SecFilterSelective THE_REQUEST "/index\.php" chain
SecFilter "cord\.php" log,pass

# WEB-PHP IdeaBox notification.php file include
SecFilterSelective THE_REQUEST "/index\.php" chain
SecFilter "notification\.php" log,pass

# WEB-PHP Invision Board emailer.php file include
SecFilterSelective THE_REQUEST "/ad_member\.php" chain
SecFilter "emailer\.php" log,pass

# WEB-PHP WebChat db_mysql.php file include
SecFilterSelective THE_REQUEST "/defines\.php" chain
SecFilter "db_mysql\.php"

# WEB-PHP WebChat english.php file include
SecFilterSelective THE_REQUEST "/defines\.php" chain
SecFilter "english\.php"

# WEB-PHP Typo3 translations.php file include
SecFilterSelective THE_REQUEST "/translations\.php" chain
SecFilter "ONLY"

# WEB-PHP Invision Board ipchat.php file include
SecFilterSelective THE_REQUEST "/ipchat\.php" chain
SecFilter "conf_global\.php"

# WEB-PHP myphpPagetool pt_config.inc file include
SecFilterSelective THE_REQUEST "/doc/admin" chain
SecFilter "pt_config\.inc"

# WEB-PHP news.php file include
SecFilterSelective THE_REQUEST "/news\.php" chain
SecFilter "template"

# WEB-PHP YaBB SE packages.php file include
SecFilterSelective THE_REQUEST "/packages\.php" chain
SecFilter "packer\.php"

# WEB-PHP Cyboards default_header.php access
SecFilterSelective THE_REQUEST "/default_header\.php" log,pass

# WEB-PHP Cyboards options_form.php access
SecFilterSelective THE_REQUEST "/options_form\.php" log,pass

# WEB-PHP newsPHP Language file include attempt
SecFilterSelective THE_REQUEST "/nphpd\.php" chain
SecFilter "LangFile" log,pass

# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
SecFilterSelective THE_REQUEST "/authentication_index\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
SecFilterSelective THE_REQUEST "/functions\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt
SecFilterSelective THE_REQUEST "/config_gedcom\.php" chain
SecFilter "PGV_BASE_DIRECTORY"

# WEB-PHP Photopost PHP Pro showphoto.php access
SecFilterSelective THE_REQUEST "/showphoto\.php" log,pass

# WEB-PHP /_admin access
SecFilterSelective THE_REQUEST "/_admin/" log,pass

# WEB-PHP WAnewsletter newsletter.php file include attempt
SecFilterSelective THE_REQUEST "newsletter\.php" chain
SecFilter "start\.php"

# WEB-PHP WAnewsletter db_type.php access
SecFilterSelective THE_REQUEST "/sql/db_type\.php" log,pass

# WEB-PHP phptest.php access
SecFilterSelective THE_REQUEST "/phptest\.php" log,pass

# WEB-PHP IGeneric Free Shopping Cart page.php access
SecFilterSelective THE_REQUEST "/page\.php" chain
SecFilter "type_id=" log,pass

# X11 MIT Magic Cookie detected
SecFilter "MIT-MAGIC-COOKIE-1"

