var %req% "none" var %res% "none" id=GID1 revision=1 name=ScanProxy type=requestUri pattern=^/ condition=not match case_sensitive=no log=yes action=block command=%req% id=GID2 revision=1 name=ExecDefaultPlugins(request) type=requestLine pattern=^ condition=match case_sensitive=no log=no action=none command=none plugin=net.jumperz.app.MGuardian.plugin.MIllegalEncodingDetector plugin=net.jumperz.app.MGuardian.plugin.MIllegalBodyEncodingDetector plugin=net.jumperz.app.MGuardian.plugin.MUriNormalizer plugin=net.jumperz.app.MGuardian.plugin.MHRSDetector id=GID3 revision=1 name=ExecDefaultPlugins(response) type=statusLine pattern=^ condition=match case_sensitive=no log=no action=none command=none id=GID14 revision=1 name=PhatBot type=requestLine pattern=^SEARCH /\x90(\x02\xB1){1000,} condition=match case_sensitive=yes log=yes action=block command=%req% id=GID19 revision=1 name=Nimda type=requestHeader pattern=^Host: www$ condition=match case_sensitive=yes log=yes action=block command=%req% id=GID4 revision=1 name=NopSled(requestLine) type=requestLine pattern=\x90{4} condition=match case_sensitive=no log=yes action=block command=%req% id=GID5 revision=1 name=NopSled(requestHeader) type=requestHeader pattern=\x90{4} condition=match case_sensitive=no log=yes action=block command=%req% id=GID6 revision=1 name=NopSled(requestBody) type=requestBody pattern=\x90{4} condition=match case_sensitive=no log=yes action=block command=%req% id=GID7 revision=1 name=BinaryResponse type=responseBodyHead pattern=[\x00-\x08\x0B\x0E-\x1A\x1C-\x1F] condition=match case_sensitive=no log=no action=none command=none id=GID59 revision=1 name=NotBinaryResponse type=ruleGroup pattern=GID7 condition=not match case_sensitive=no log=no action=none command=none id=GID60 revision=1 name=PDFResponse type=responseBodyHead pattern=^%PDF condition=match case_sensitive=no log=no action=none command=none id=GID61 revision=1 name=NotPDFResponse type=ruleGroup pattern=GID60 condition=not match case_sensitive=no log=no action=none command=none id=GID8 revision=2 name=TextResponse type=ruleGroup pattern=GID59 + GID61 condition=match case_sensitive=no log=no action=none command=none plugin=net.jumperz.app.MGuardian.plugin.MMailFileDetector id=GID9 revision=1 name=BufferOverflow(URI) type=requestUri pattern=.{300} condition=match case_sensitive=no log=yes action=none command=%req% id=GID10 revision=1 name=BufferOverflow(requestLine) type=requestLine pattern=.{300} condition=match case_sensitive=no log=yes action=none command=%req% id=GID58 revision=1 name=BufferOverflow(requestHeader) type=requestHeader pattern=.{300} condition=match case_sensitive=no log=yes action=none command=%req% id=GID11 revision=1 name=NullByte(requestLine) type=requestLine pattern=\x00 condition=match case_sensitive=no log=yes action=block command=%req% id=GID37 revision=2 name=%00(requestLine) type=requestLine pattern=%00 condition=match case_sensitive=no log=yes action=block command=%req% id=GID12 revision=1 name=NullByte(requestHeader) type=requestHeader pattern=\x00 condition=match case_sensitive=no log=yes action=block command=%req% id=GID13 revision=2 name=NullByte(requestBody) type=requestBody pattern=\x00 condition=match case_sensitive=no log=yes action=none command=%req% id=GID15 revision=1 name=PHPErrorMessage type=responseBodyLine pattern=(Warning|Fatal error): condition=match case_sensitive=no log=yes action=none command=%res% id=GID16 revision=1 name=Exploit(requestLine) type=requestLine pattern=[\x00-\x1F\x7F-\xFF] condition=match case_sensitive=no log=yes action=block command=%req% id=GID36 revision=1 name=Exploit(requestUri) type=requestUri pattern=[\x00-\x1F&&[^\x09\x0A\x0D\x1B]] condition=match case_sensitive=no log=yes action=none command=%req% id=GID17 revision=1 name=Exploit(requestHeader) type=requestHeader pattern=[\x00-\x1F\x7F-\xFF] condition=match case_sensitive=no log=yes action=none command=%req% id=GID18 revision=1 name=DirectoryTraversal(requestUri) type=requestUri pattern=\.\./ condition=match case_sensitive=no log=yes action=block command=%req% id=GID41 revision=1 name=DirectoryTraversal(requestHeader) type=requestHeader pattern=\.\./ condition=match case_sensitive=no log=yes action=none command=%req% id=GID42 revision=1 name=DirectoryTraversal(requestBody) type=decodedRequestBody pattern=\.\./ condition=match case_sensitive=no log=yes action=none command=%req% id=GID21 revision=2 name=ChunkedEncoding type=requestHeader pattern=^Transfer-Encoding: {0,}chunked$ condition=match case_sensitive=no log=yes action=block command=%req% id=GID22 revision=1 name=AbnormalMethod type=requestLine pattern=^(GET|POST|HEAD) condition=not match case_sensitive=yes log=yes action=block command=%req% id=GID23 revision=1 name=Sumthin type=requestUri pattern=^/sumthin$ condition=match case_sensitive=no log=yes action=block command=%req% id=GID33 revision=1 name=FrontPage type=requestUri pattern=^/_vti_bin/ condition=match case_sensitive=no log=no action=block command=none id=GID24 revision=1 name=WindowsExtension type=requestUriPath pattern=\.(com|exe|dll|ida)$ condition=match case_sensitive=no log=yes action=block command=%req% id=GID25 revision=1 name=AbnormalHTTPVersion type=requestLine pattern= HTTP/1\.(0|1)$ condition=not match case_sensitive=yes log=yes action=block command=%req% id=GID26 revision=1 name=Exploit(requestBody) type=requestBody pattern=[^-/~=&+*._@%0-9a-zA-Z] condition=match case_sensitive=no log=yes action=block command=%req% id=GID27 revision=1 name=HTTP1.1 type=requestLine pattern= HTTP/1\.1$ condition=match case_sensitive=yes log=no action=none command=none id=GID28 revision=1 name=NoHost type=requestHeader pattern=^Host: condition=not match case_sensitive=no log=yes action=none command=%req% id=GID29 revision=1 name=NoHostHTTP1.1 type=ruleGroup pattern=GID27 + GID28 condition=match case_sensitive=no log=yes action=block command=%req% id=GID30 revision=2 name=basicAuthenticationRequest type=requestHeader pattern=^Authorization: {0,}Basic condition=match case_sensitive=no log=no action=none command=none plugin=net.jumperz.app.MGuardian.plugin.MBasicAuthenticationManager id=GID31 revision=1 name=401Response type=statusLine pattern= 401 condition=match case_sensitive=yes log=no action=none command=none id=GID32 revision=1 name=LoginFailure type=ruleGroup pattern=GID30 + GID31 condition=match case_sensitive=yes log=yes action=none command=%res% plugin=net.jumperz.app.MGuardian.plugin.MBasicAuthenticationManager id=GID34 revision=1 name=UnixFileAccess(requestUri) type=requestUri pattern=/(bin|usr|etc|proc|opt|sbin|local|dev|tmp|kern|boot|root|sys)/ condition=match case_sensitive=yes log=yes action=none command=%req% id=GID35 revision=1 name=UnixFileAccess(requestBody) type=decodedRequestBody pattern=/(bin|usr|etc|proc|opt|sbin|local|dev|tmp|kern|boot|root|sys)/ condition=match case_sensitive=yes log=yes action=none command=%req% id=GID38 revision=1 name=XSS type=paramValue pattern=(script|\.cookie) condition=match case_sensitive=no log=yes action=none command=%req% id=GID20 revision=1 name=SQLInjection type=paramValue pattern=^'$ condition=match case_sensitive=yes log=yes action=block command=%req% id=GID43 revision=1 name=SQLInjection(UNION) type=paramValue pattern=UNION condition=match case_sensitive=no log=yes action=none command=%req% id=GID44 revision=1 name=SQLInjection(GROUP_BY) type=paramValue pattern=GROUP\W{1,}BY condition=match case_sensitive=no log=yes action=none command=%req% id=GID45 revision=1 name=SQLInjection(ORDER_BY) type=paramValue pattern=ORDER\W{1,}BY condition=match case_sensitive=no log=yes action=none command=%req% id=GID46 revision=1 name=SQLInjection(--) type=paramValue pattern=-- condition=match case_sensitive=yes log=yes action=none command=%req% id=GID47 revision=1 name=SQLInjection(1=1) type=paramValue pattern=[0-9]{1,}\W{0,}=\W{0,}[0-9]{1,} condition=match case_sensitive=yes log=yes action=none command=%req% id=GID48 revision=1 name=SQLInjection(HAVING) type=paramValue pattern=HAVING condition=match case_sensitive=no log=yes action=none command=%req% id=GID49 revision=1 name=SQLInjection(SELECT_FROM) type=paramValue pattern=SELECT.*FROM condition=match case_sensitive=no log=yes action=none command=%req% id=GID50 revision=1 name=SQLInjection(INSERT_INTO) type=paramValue pattern=INSERT\W{1,}INTO condition=match case_sensitive=no log=yes action=none command=%req% id=GID51 revision=1 name=SQLInjection(CREATE_TABLE) type=paramValue pattern=CREATE\W{1,}TABLE condition=match case_sensitive=no log=yes action=none command=%req% id=GID52 revision=1 name=SQLInjection(SELECT_COUNT) type=paramValue pattern=SELECT\W{1,}COUNT condition=match case_sensitive=no log=yes action=none command=%req% id=GID53 revision=1 name=Semicolon type=paramValue pattern=; condition=match case_sensitive=no log=yes action=none command=%req% id=GID54 revision=1 name=AbnormalStatusCode type=statusLine pattern= (2|3)[0-9]{2}|404|401 condition=not match case_sensitive=yes log=yes action=none command=%res% id=GID55 revision=1 name=SQLInjection(ODBC_Error) type=responseBodyLine pattern=Microsoft OLE DB Provider for ODBC Drivers condition=match case_sensitive=yes log=yes action=none command=%res% id=GID56 revision=1 name=SQLInjection(WHERE_LIKE) type=paramValue pattern=WHERE.*LIKE condition=match case_sensitive=no log=yes action=none command=%req% id=GID57 revision=1 name=SQLInjection(DELETE_FROM) type=paramValue pattern=DELETE\W{1,}FROM condition=match case_sensitive=no log=yes action=none command=%req% id=GID62 revision=1 name=%00(requestBody) type=requestBody pattern=%00 condition=match case_sensitive=no log=yes action=none command=%req% id=GID63 revision=1 name=SQLInjection(UPDATE_SET) type=paramValue pattern=UPDATE.*\W+SET\W+ condition=match case_sensitive=no log=yes action=none command=%req%