{
  "build_datetime": "2026-03-09T23:05:55Z",
  "owasp_top_10": {
    "version": "2025",
    "url": "https://owasp.org/Top10/2025/",
    "items": [
      {
        "id": "A01",
        "name": "Broken Access Control",
        "categories": [
          "lfi",
          "rfi",
          "open_redirect",
          "ssrf"
        ],
        "color": "red"
      },
      {
        "id": "A02",
        "name": "Security Misconfiguration",
        "categories": [
          "xxe",
          "protocol",
          "header_injection"
        ],
        "color": "orange"
      },
      {
        "id": "A03",
        "name": "Software Supply Chain Failures",
        "categories": [
          "log4shell",
          "rce",
          "cve",
          "deserialization"
        ],
        "color": "red"
      },
      {
        "id": "A04",
        "name": "Cryptographic Failures",
        "categories": [
          "protocol"
        ],
        "color": "orange"
      },
      {
        "id": "A05",
        "name": "Injection",
        "categories": [
          "sqli",
          "xss",
          "nosqli",
          "ldapi",
          "cmdi",
          "ssti",
          "log_injection"
        ],
        "color": "red"
      },
      {
        "id": "A06",
        "name": "Insecure Design",
        "categories": [
          "ssti",
          "prototype_pollution"
        ],
        "color": "yellow"
      },
      {
        "id": "A07",
        "name": "Authentication Failures",
        "categories": [
          "session_fixation"
        ],
        "color": "orange"
      },
      {
        "id": "A08",
        "name": "Software & Data Integrity Failures",
        "categories": [
          "deserialization"
        ],
        "color": "orange"
      },
      {
        "id": "A09",
        "name": "Security Logging & Alerting Failures",
        "categories": [
          "log_injection",
          "data_leakage"
        ],
        "color": "yellow"
      },
      {
        "id": "A10",
        "name": "Mishandling of Exceptional Conditions",
        "categories": [
          "protocol",
          "custom"
        ],
        "color": "yellow"
      }
    ]
  },
  "rulesets": [
    {
      "id": "crs-protocol-enforcement",
      "name": "CRS Protocol Enforcement",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Protocol Enforcement (12 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "920100",
          "name": "Invalid HTTP Request Line",
          "pattern": "(?i)^(?:get /[^#\\?]*(?:\\?[^\\s\\x0b#]*)?(?:#[^\\s\\x0b]*)?|(?:connect (?:(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\.?(?::[0-9]+)?|[\\--9A-Z_a-z]+:[0-9]+)|options \\*|[a-z]{3,10}[\\s\\x0b]+(?:[0-9A-Z_a-z]{3,7}?://[\\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\\?]*(?:\\?[^\\s\\x0b#]*)?(?:#[^\\s\\x0b]*)?)[\\s\\x0b]+[\\.-9A-Z_a-z]+)$",
          "targets": [
            "uri"
          ],
          "action": "block",
          "score": 5,
          "severity": "medium",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920120",
          "name": "Attempted multipart/form-data bypass",
          "pattern": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=\\x5c])*$",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920160",
          "name": "Content-Length HTTP header is not numeric",
          "pattern": "^\\d+$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920210",
          "name": "Multiple/Conflicting Connection Header Data Found",
          "pattern": "\\b(?:keep-alive|close),\\s?(?:keep-alive|close)\\b",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 5,
          "severity": "medium",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920260",
          "name": "Unicode Full/Half Width Abuse Attack Attempt",
          "pattern": "(?i)%uff[0-9a-f]{2}",
          "targets": [
            "body",
            "uri"
          ],
          "action": "block",
          "score": 5,
          "severity": "medium",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/255/153/267/72"
          ]
        },
        {
          "id": "920290",
          "name": "Empty Host Header",
          "pattern": "^$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920330",
          "name": "Empty User Agent Header",
          "pattern": "^$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 3,
          "severity": "low",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920350",
          "name": "Host header is a numeric IP address",
          "pattern": "(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 5,
          "severity": "medium",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920470",
          "name": "Illegal Content-Type header",
          "pattern": "^[\\w/.+*-]+(?:\\s?;\\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\\s?=\\s?['\"\\w.()+,/:=?<>@#*-]+)*$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/255/153"
          ]
        },
        {
          "id": "920530",
          "name": "Multiple charsets detected in content type header",
          "pattern": "charset.*?charset",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/255/153"
          ]
        },
        {
          "id": "920500",
          "name": "Attempt to access a backup or working file",
          "pattern": "\\.[^.~]+~(?:/.*|)$",
          "targets": [
            "uri"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT",
            "capec/1000/210/272"
          ]
        },
        {
          "id": "920600",
          "name": "Illegal Accept header: charset parameter",
          "pattern": "^(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ENFORCEMENT"
          ]
        }
      ]
    },
    {
      "id": "crs-protocol-attack",
      "name": "CRS Protocol Attack (HTTP Smuggling)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Protocol Attack (HTTP Smuggling) (10 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "921110",
          "name": "HTTP Request Smuggling Attack",
          "pattern": "(?:get|p(?:(?:os|u)t|atch|rop(?:find|atch))|head|options|co(?:nnect|py)|delete|trac[ek]|m(?:kcol|ove)|(?:un)?lock)[\\s\\x0b]+[^\\s\\x0b]+[\\s\\x0b]+http/[0-9]",
          "targets": [
            "body",
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/33"
          ]
        },
        {
          "id": "921120",
          "name": "HTTP Response Splitting Attack",
          "pattern": "[\\n\\r][^0-9A-Z_a-z]*?(?:content-(?:type|length)|set-cookie|location):[\\s\\x0b]*[0-9A-Z_a-z]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/34"
          ]
        },
        {
          "id": "921130",
          "name": "HTTP Response Splitting Attack",
          "pattern": "(?:\\bhttp/\\d|<(?:html|meta)\\b)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/34"
          ]
        },
        {
          "id": "921140",
          "name": "HTTP Header Injection Attack via headers",
          "pattern": "[\\n\\r]",
          "targets": [
            "headers"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/273"
          ]
        },
        {
          "id": "921150",
          "name": "HTTP Header Injection Attack via payload (CR/LF detected)",
          "pattern": "[\\n\\r]",
          "targets": [
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/33"
          ]
        },
        {
          "id": "921160",
          "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
          "pattern": "[\\n\\r]+(?:[\\s\\x0b]|location|re(?:fresh|mote-(?:ip|addr))|(?:set-)?cookie|forwarded-(?:(?:fo|serve)r|host)|host|via|originating-IP|x-(?:forwarded-(?:(?:fo|serve)r|host)|host|via|remote-(?:ip|addr)|originating-IP))[\\s\\x0b]*:",
          "targets": [
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/33"
          ]
        },
        {
          "id": "921190",
          "name": "HTTP Splitting (CR/LF in request filename detected)",
          "pattern": "[\\n\\r]",
          "targets": [
            "uri"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/34"
          ]
        },
        {
          "id": "921200",
          "name": "LDAP Injection Attack",
          "pattern": "^[^!&\\(\\):<>\\|~]*\\)[\\s\\x0b]*(?:\\((?:[^!&\\(\\),<->\\|~]+[<>~]?=|[\\s\\x0b]*[!&\\|][\\s\\x0b]*[\\(\\)]?[\\s\\x0b]*)|\\)[\\s\\x0b]*\\([\\s\\x0b]*[!&\\|][\\s\\x0b]*|[!&\\|][\\s\\x0b]*\\([^!&\\(\\),<->\\|~]+[<>~]?=[^!&\\(\\):<>\\|~]*)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/152/248/136"
          ]
        },
        {
          "id": "921421",
          "name": "Content-Type header: Dangerous content type outside the mime type declaration",
          "pattern": "^[^\\s\\x0b,;]+[\\s\\x0b,;].*?(?:application/(?:.+\\+)?json|(?:application/(?:soap\\+)?|text/)xml)",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/255/153"
          ]
        },
        {
          "id": "921240",
          "name": "mod_proxy attack attempt detected",
          "pattern": "unix:[^|]*\\|",
          "targets": [
            "uri"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "protocol",
          "enabled": true,
          "tags": [
            "attack-protocol",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/PROTOCOL-ATTACK",
            "capec/1000/210/272/220/33"
          ]
        }
      ]
    },
    {
      "id": "crs-lfi",
      "name": "CRS Local File Inclusion (LFI)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Local File Inclusion (LFI) (2 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "930100",
          "name": "Path Traversal Attack (/../) or (/.../)",
          "pattern": "(?i)(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\.(?:%0[01]|\\?)?|\\?\\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\\.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "lfi",
          "enabled": true,
          "tags": [
            "attack-lfi",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-LFI",
            "capec/1000/255/153/126"
          ]
        },
        {
          "id": "930110",
          "name": "Path Traversal Attack (/../) or (/.../)",
          "pattern": "(?:^|[/;\\x5c])\\.{2,3}[/;\\x5c]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "lfi",
          "enabled": true,
          "tags": [
            "attack-lfi",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-LFI",
            "capec/1000/255/153/126"
          ]
        }
      ]
    },
    {
      "id": "crs-rfi",
      "name": "CRS Remote File Inclusion (RFI)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Remote File Inclusion (RFI) (3 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "931100",
          "name": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address",
          "pattern": "(?i)^(file|ftps?|https?|ssh)://(?:\\[?[a-f0-9]+:[a-f0-9:]+\\]?|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
          "targets": [
            "body",
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rfi",
          "enabled": true,
          "tags": [
            "attack-rfi",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RFI",
            "capec/1000/152/175/253"
          ]
        },
        {
          "id": "931110",
          "name": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload",
          "pattern": "(?i)(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://",
          "targets": [
            "body",
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rfi",
          "enabled": true,
          "tags": [
            "attack-rfi",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RFI",
            "capec/1000/152/175/253"
          ]
        },
        {
          "id": "931120",
          "name": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)",
          "pattern": "^(?i:file|ftps?|https?).*?\\?+$",
          "targets": [
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rfi",
          "enabled": true,
          "tags": [
            "attack-rfi",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RFI",
            "capec/1000/152/175/253"
          ]
        }
      ]
    },
    {
      "id": "crs-rce",
      "name": "CRS Remote Code Execution (RCE)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Remote Code Execution (RCE) (16 rules)",
      "author": "OWASP CRS Project",
      "priority": 3,
      "enabled": true,
      "rules": [
        {
          "id": "932230",
          "name": "Remote Command Execution: Unix Command Injection (2-3 chars)",
          "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?f|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:g|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|[kz][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?h|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*))\\b",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932235",
          "name": "Remote Command Execution: Unix Command Injection (command without evasion)",
          "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\\s\\x0b&\\),<>\\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|nsible|p(?:parmor_[^\\s\\x0b]{1,10}\\b|t(?:-get|itude[\\s\\x0b&\\),<>\\|]))|r(?:ch[\\s\\x0b&\\),<>\\|]|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell)|u(?:ditctl|repot|search))|b(?:a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|])|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)[\\s\\x0b&\\),<>\\|]|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|p(?:(?:an|io)[\\s\\x0b&\\),<>\\|]|ulimit)|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab))|s(?:cli[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:psfilter|rl[\\s\\x0b&\\),<>\\|]))|d(?:(?:ash|i(?:alog|ff)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)[\\s\\x0b&\\),<>\\|]|n(?:d(?:if|sw)[\\s\\x0b&\\),<>\\|]|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))[\\s\\x0b&\\),<>\\|]|iftool))|f(?:acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|(?:etch|grep|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:le(?:[\\s\\x0b&\\),<>\\|]|test)|(?:n(?:d|ger)|sh)[\\s\\x0b&\\),<>\\|])|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|]|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:cat|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:conv|nstall)[\\s\\x0b&\\),<>\\|]|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:in[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|]|sshell)|l(?:a(?:st(?:comm[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:cate|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\\s\\x0b&\\),<>\\|]|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx[\\s\\x0b&\\),<>\\|]|z(?:4c(?:[\\s\\x0b&\\),<>\\|]|at)|c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore)))|m(?:(?:a(?:il[qx]?|ke|wk)|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff)[\\s\\x0b&\\),<>\\|]|c(?:\\.(?:openbsd|traditional)|at[\\s\\x0b&\\),<>\\|])|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:ctave[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:cman|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:-cgi|[57][\\s\\x0b&\\),<>\\|])|i(?:(?:co|gz|ng6?)[\\s\\x0b&\\),<>\\|]|dstat)|k(?:exec|g_?info|ill[\\s\\x0b&\\),<>\\|])|rint(?:env|f[\\s\\x0b&\\),<>\\|])|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|tar(?:[\\s\\x0b&\\),<>\\|]|diff|grep)|y(?:3?versions|thon(?:[23]|[^\\s\\x0b]{1,10}\\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|stic)|l(?:ogin|wrap)|m(?:dir[\\s\\x0b&\\),<>\\|]|t-(?:dump|tar)|user)|pm(?:db[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:arch|cap|env|facl[\\s\\x0b&\\),<>\\|]|sid))|h(?:\\.distrib|u(?:f|tdown)[\\s\\x0b&\\),<>\\|])|mbclient|o(?:(?:ca|r)t[\\s\\x0b&\\),<>\\|]|elim)|qlite3|sh(?:-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|udo(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:ilf?[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)[\\s\\x0b&\\),<>\\|]|ime(?:datectl|out[\\s\\x0b&\\),<>\\|])|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:limit[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|p(?:2date[\\s\\x0b&\\),<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|mdiff|sudo(?:-rs)?)|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:all|get)[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:args|pad|term)[\\s\\x0b&\\),<>\\|]|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|])|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|s(?:oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|ypper))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932125",
          "name": "Remote Command Execution: Windows Powershell Alias Command Injection",
          "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:.*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:(?:a[\"\\^]*(?:c|s[\"\\^]*n[\"\\^]*p)|e[\"\\^]*(?:b[\"\\^]*p|p[\"\\^]*(?:a[\"\\^]*l|c[\"\\^]*s[\"\\^]*v|s[\"\\^]*n)|[tx][\"\\^]*s[\"\\^]*n)|f[\"\\^]*(?:[cltw]|o[\"\\^]*r[\"\\^]*e[\"\\^]*a[\"\\^]*c[\"\\^]*h)|i[\"\\^]*(?:[cr][\"\\^]*m|e[\"\\^]*x|h[\"\\^]*y|i|p[\"\\^]*(?:a[\"\\^]*l|c[\"\\^]*s[\"\\^]*v|m[\"\\^]*o|s[\"\\^]*n)|s[\"\\^]*e|w[\"\\^]*(?:m[\"\\^]*i|r))|m[\"\\^]*(?:[dpv]|o[\"\\^]*u[\"\\^]*n[\"\\^]*t)|o[\"\\^]*g[\"\\^]*v|p[\"\\^]*(?:o[\"\\^]*p|u[\"\\^]*s[\"\\^]*h)[\"\\^]*d|t[\"\\^]*r[\"\\^]*c[\"\\^]*m|w[\"\\^]*j[\"\\^]*b)[\"\\^]*[\\s\\x0b,\\./;<>].*|c[\"\\^]*(?:(?:(?:d|h[\"\\^]*d[\"\\^]*i[\"\\^]*r|v[\"\\^]*p[\"\\^]*a)[\"\\^]*|p[\"\\^]*(?:[ip][\"\\^]*)?)[\\s\\x0b,\\./;<>].*|l[\"\\^]*(?:(?:[cipv]|h[\"\\^]*y)[\"\\^]*[\\s\\x0b,\\./;<>].*|s)|n[\"\\^]*s[\"\\^]*n)|d[\"\\^]*(?:(?:b[\"\\^]*p|e[\"\\^]*l|i[\"\\^]*(?:f[\"\\^]*f|r))[\"\\^]*[\\s\\x0b,\\./;<>].*|n[\"\\^]*s[\"\\^]*n)|g[\"\\^]*(?:(?:(?:(?:a[\"\\^]*)?l|b[\"\\^]*p|d[\"\\^]*r|h[\"\\^]*y|(?:w[\"\\^]*m[\"\\^]*)?i|j[\"\\^]*b|[uv])[\"\\^]*|c[\"\\^]*(?:[ims][\"\\^]*)?|m[\"\\^]*(?:o[\"\\^]*)?|s[\"\\^]*(?:n[\"\\^]*(?:p[\"\\^]*)?|v[\"\\^]*))[\\s\\x0b,\\./;<>].*|e[\"\\^]*r[\"\\^]*r|p[\"\\^]*(?:(?:s[\"\\^]*)?[\\s\\x0b,\\./;<>].*|v))|l[\"\\^]*s|n[\"\\^]*(?:(?:a[\"\\^]*l|d[\"\\^]*r|[iv]|m[\"\\^]*o|s[\"\\^]*n)[\"\\^]*[\\s\\x0b,\\./;<>].*|p[\"\\^]*s[\"\\^]*s[\"\\^]*c)|r[\"\\^]*(?:(?:(?:(?:b[\"\\^]*)?p|e[\"\\^]*n|(?:w[\"\\^]*m[\"\\^]*)?i|j[\"\\^]*b|n[\"\\^]*[ip])[\"\\^]*|d[\"\\^]*(?:r[\"\\^]*)?|m[\"\\^]*(?:(?:d[\"\\^]*i[\"\\^]*r|o)[\"\\^]*)?|s[\"\\^]*n[\"\\^]*(?:p[\"\\^]*)?|v[\"\\^]*(?:p[\"\\^]*a[\"\\^]*)?)[\\s\\x0b,\\./;<>].*|c[\"\\^]*(?:j[\"\\^]*b[\"\\^]*[\\s\\x0b,\\./;<>].*|s[\"\\^]*n)|u[\"\\^]*j[\"\\^]*b)|s[\"\\^]*(?:(?:(?:a[\"\\^]*(?:j[\"\\^]*b|l|p[\"\\^]*s|s[\"\\^]*v)|b[\"\\^]*p|[cv]|w[\"\\^]*m[\"\\^]*i)[\"\\^]*|l[\"\\^]*(?:s[\"\\^]*)?|p[\"\\^]*(?:(?:j[\"\\^]*b|p[\"\\^]*s|s[\"\\^]*v)[\"\\^]*)?)[\\s\\x0b,\\./;<>].*|h[\"\\^]*c[\"\\^]*m|u[\"\\^]*j[\"\\^]*b))(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932130",
          "name": "Remote Command Execution: Unix Shell Expression Found",
          "pattern": "\\$(?:\\((?:[^\\)]+|\\([^\\)]+\\))\\)|\\{[^\\}]+\\}|\\[[^\\]]*\\])|[<>]\\([^\\)]+\\)|/[0-9A-Z_a-z]*\\[[^\\]]+\\]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932140",
          "name": "Remote Command Execution: Windows FOR/IF Command Found",
          "pattern": "\\b(?:for(?:/[dflr].*)? %+[^ ]+ in\\(.*\\)[\\s\\x0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\\b|[ \\(].*(?:\\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\\b|==)))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932270",
          "name": "Remote Command Execution: Unix Shell Expression Found",
          "pattern": "~[\\+\\-](?:$|[0-9]+)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932280",
          "name": "Remote Command Execution: Brace Expansion Found",
          "pattern": "\\{[0-9A-Z_a-z]*,[,\\-0-9A-Z_a-z]*\\}",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932250",
          "name": "Remote Command Execution: Direct Unix Command Execution",
          "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?f|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:g|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|[kz][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?h|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932260",
          "name": "Remote Command Execution: Direct Unix Command Execution",
          "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:a(?:ddgroup|nsible|pparmor_[^\\s\\x0b]{1,10}\\b|rj(?:-register|disp)|tobm[\\s\\x0b&\\),<>\\|]|u(?:ditctl|repot|search))|b(?:ase(?:32|64|nc)|(?:lkid|rwap|yobu)[\\s\\x0b&\\),<>\\|]|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)[\\s\\x0b&\\),<>\\|]|ef-|g(?:passwd|rp[\\s\\x0b&\\),<>\\|])|pass)|lang\\+\\+|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|mm[\\s\\x0b&\\),<>\\|]|proc)|(?:p(?:an|io)|scli)[\\s\\x0b&\\),<>\\|])|d(?:(?:iff|mesg|vips)[\\s\\x0b&\\),<>\\|]|o(?:as[\\s\\x0b&\\),<>\\|]|cker-)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)[\\s\\x0b&\\),<>\\|])|f(?:d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|grep[\\s\\x0b&\\),<>\\|]|iletest|ping[\\s\\x0b&\\),6<>\\|]|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|(?:etca|unzi)p|hc(?:-[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:cat|ep)[\\s\\x0b&\\),<>\\|]|oupmod))|(?:htop|jexec)[\\s\\x0b&\\),<>\\|]|i(?:(?:conv|ftop)[\\s\\x0b&\\),<>\\|]|pp(?:eveprinter|find|tool))|l(?:ast(?:comm[\\s\\x0b&\\),<>\\|]|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\\s\\x0b&\\),<>\\|]|b_release)|wp-download|z(?:4c(?:[\\s\\x0b&\\),<>\\|]|at)|c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore)))|m(?:a(?:ilq|wk)[\\s\\x0b&\\),<>\\|]|k(?:fifo|nod[\\s\\x0b&\\),<>\\|]|temp)|locate|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)[\\s\\x0b&\\),<>\\|]|c(?:\\.(?:openbsd|traditional)|at[\\s\\x0b&\\),<>\\|])|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg[\\s\\x0b&\\),<>\\|])|p(?:d(?:b(?:2mb|3[\\s\\x0b&\\),\\.<>\\|])|ksh[\\s\\x0b&\\),<>\\|])|(?:er(?:f|l5?)|(?:ft|gre)p|i(?:gz|ng6)|(?:op|ush)d|s(?:ed|ql))[\\s\\x0b&\\),<>\\|]|hp(?:-cgi|[57][\\s\\x0b&\\),<>\\|])|k(?:exec|ill[\\s\\x0b&\\),<>\\|])|rint(?:env|f[\\s\\x0b&\\),<>\\|])|tar(?:[\\s\\x0b&\\),<>\\|]|diff|grep)|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|unc|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:alpath|boot[\\s\\x0b&\\),<>\\|])|m(?:dir[\\s\\x0b&\\),<>\\|]|t-(?:dump|tar)|user)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|]))|s(?:(?:diff|ftp|lsh|ocat)[\\s\\x0b&\\),<>\\|]|e(?:ndmail[\\s\\x0b&\\),<>\\|]|t(?:cap|env|sid))|h(?:\\.distrib|uf[\\s\\x0b&\\),<>\\|])|sh-(?:a(?:dd|gent)|copy-id)|udo(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|imeout|mux)[\\s\\x0b&\\),<>\\|]|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:ing|traceroute))|elnet|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|]))|u(?:n(?:(?:ame|iq|rar|xz)[\\s\\x0b&\\),<>\\|]|lz(?:4[\\s\\x0b&\\),<>\\|]|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|w(?:get[\\s\\x0b&\\),<>\\|]|ho(?:ami|is[\\s\\x0b&\\),<>\\|]))|x(?:(?:args|etex|more|pad|term)[\\s\\x0b&\\),<>\\|]|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|std(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less)))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932340",
          "name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)",
          "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:aptitude|d(?:f|mesg)|env|h(?:ostname|top)|(?:(?:io|vm)sta|reboo)t|l(?:ast|s)|mysql(?:[^\\s\\x0b]{1,10}\\b)?|ps(?:ql)?|s(?:et|hutdown|u)|w(?:ho(?:ami|is)?)?)$",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932330",
          "name": "Remote Command Execution: Unix shell history invocation",
          "pattern": "!-\\d",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932170",
          "name": "Remote Command Execution: Shellshock (CVE-2014-6271)",
          "pattern": "^\\(\\s*\\)\\s+\\{",
          "targets": [
            "headers",
            "uri"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932171",
          "name": "Remote Command Execution: Shellshock (CVE-2014-6271)",
          "pattern": "^\\(\\s*\\)\\s+\\{",
          "targets": [
            "query"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932175",
          "name": "Remote Command Execution: Unix shell alias invocation",
          "pattern": "\\ba[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s\\b[\\s\\x0b]+(?:[\\+\\-][a-z]+\\+?[\\s\\x0b]+)?[!\"%',-\\.0-9@-Z_a-z]+=[^\\s\\x0b]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932370",
          "name": "Remote Command Execution: Windows Command Injection",
          "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:c[\"\\^]*c[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*c[\"\\^]*k[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*s[\"\\^]*o[\"\\^]*l[\"\\^]*e|d[\"\\^]*(?:p[\"\\^]*l[\"\\^]*u[\"\\^]*s|v[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k)|(?:g[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*c[\"\\^]*u[\"\\^]*t[\"\\^]*o|(?:s[\"\\^]*p[\"\\^]*n[\"\\^]*e[\"\\^]*t[\"\\^]*_[\"\\^]*c[\"\\^]*o[\"\\^]*m[\"\\^]*p[\"\\^]*i[\"\\^]*l|t[\"\\^]*b[\"\\^]*r[\"\\^]*o[\"\\^]*k)[\"\\^]*e)[\"\\^]*r|p[\"\\^]*p[\"\\^]*(?:i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*l[\"\\^]*l[\"\\^]*e[\"\\^]*r|v[\"\\^]*l[\"\\^]*p))|b[\"\\^]*(?:a[\"\\^]*s[\"\\^]*h|g[\"\\^]*i[\"\\^]*n[\"\\^]*f[\"\\^]*o|i[\"\\^]*t[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|c[\"\\^]*(?:d[\"\\^]*b|e[\"\\^]*r[\"\\^]*t[\"\\^]*(?:o[\"\\^]*c|r[\"\\^]*e[\"\\^]*q|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|l[\"\\^]*_[\"\\^]*(?:i[\"\\^]*n[\"\\^]*v[\"\\^]*o[\"\\^]*c[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n|l[\"\\^]*o[\"\\^]*a[\"\\^]*d[\"\\^]*a[\"\\^]*s[\"\\^]*s[\"\\^]*e[\"\\^]*m[\"\\^]*b[\"\\^]*l[\"\\^]*y|m[\"\\^]*u[\"\\^]*t[\"\\^]*e[\"\\^]*x[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*i[\"\\^]*f[\"\\^]*i[\"\\^]*e[\"\\^]*r[\"\\^]*s)|m[\"\\^]*(?:d(?:[\"\\^]*(?:k[\"\\^]*e[\"\\^]*y|l[\"\\^]*3[\"\\^]*2))?|s[\"\\^]*t[\"\\^]*p)|o[\"\\^]*(?:m[\"\\^]*s[\"\\^]*v[\"\\^]*c[\"\\^]*s|n[\"\\^]*(?:f[\"\\^]*i[\"\\^]*g[\"\\^]*s[\"\\^]*e[\"\\^]*c[\"\\^]*u[\"\\^]*r[\"\\^]*i[\"\\^]*t[\"\\^]*y[\"\\^]*p[\"\\^]*o[\"\\^]*l[\"\\^]*i[\"\\^]*c[\"\\^]*y|h[\"\\^]*o[\"\\^]*s[\"\\^]*t|t[\"\\^]*r[\"\\^]*o[\"\\^]*l)|r[\"\\^]*e[\"\\^]*g[\"\\^]*e[\"\\^]*n)|r[\"\\^]*e[\"\\^]*a[\"\\^]*t[\"\\^]*e[\"\\^]*d[\"\\^]*u[\"\\^]*m[\"\\^]*p|s[\"\\^]*(?:c(?:[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)?|i)|u[\"\\^]*s[\"\\^]*t[\"\\^]*o[\"\\^]*m[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t)|d[\"\\^]*(?:a[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*v[\"\\^]*c[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|e[\"\\^]*(?:f[\"\\^]*a[\"\\^]*u[\"\\^]*l[\"\\^]*t[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|s[\"\\^]*k(?:[\"\\^]*t[\"\\^]*o[\"\\^]*p[\"\\^]*i[\"\\^]*m[\"\\^]*g[\"\\^]*d[\"\\^]*o[\"\\^]*w[\"\\^]*n[\"\\^]*l[\"\\^]*d[\"\\^]*r)?|v[\"\\^]*(?:i[\"\\^]*c[\"\\^]*e[\"\\^]*c[\"\\^]*r[\"\\^]*e[\"\\^]*d[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*i[\"\\^]*a[\"\\^]*l[\"\\^]*d[\"\\^]*e[\"\\^]*p[\"\\^]*l[\"\\^]*o[\"\\^]*y[\"\\^]*m[\"\\^]*e[\"\\^]*n[\"\\^]*t|t[\"\\^]*o[\"\\^]*o[\"\\^]*l[\"\\^]*s[\"\\^]*l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*r))|f[\"\\^]*s[\"\\^]*(?:h[\"\\^]*i[\"\\^]*m|v[\"\\^]*c)|i[\"\\^]*(?:a[\"\\^]*n[\"\\^]*t[\"\\^]*z|s[\"\\^]*k[\"\\^]*s[\"\\^]*h[\"\\^]*a[\"\\^]*d[\"\\^]*o[\"\\^]*w)|n[\"\\^]*(?:s[\"\\^]*c[\"\\^]*m[\"\\^]*d|x)|o[\"\\^]*t[\"\\^]*n[\"\\^]*e[\"\\^]*t|u[\"\\^]*m[\"\\^]*p[\"\\^]*6[\"\\^]*4|x[\"\\^]*c[\"\\^]*a[\"\\^]*p)|e[\"\\^]*(?:s[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*u[\"\\^]*t[\"\\^]*l|v[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*v[\"\\^]*w[\"\\^]*r|x[\"\\^]*(?:c[\"\\^]*e[\"\\^]*l|p[\"\\^]*(?:a[\"\\^]*n[\"\\^]*d|l[\"\\^]*o[\"\\^]*r[\"\\^]*e[\"\\^]*r)|t[\"\\^]*(?:e[\"\\^]*x[\"\\^]*p[\"\\^]*o[\"\\^]*r[\"\\^]*t|r[\"\\^]*a[\"\\^]*c[\"\\^]*3[\"\\^]*2)))|f[\"\\^]*(?:i[\"\\^]*n[\"\\^]*(?:d[\"\\^]*s[\"\\^]*t|g[\"\\^]*e)[\"\\^]*r|l[\"\\^]*t[\"\\^]*m[\"\\^]*c|o[\"\\^]*r[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s|s[\"\\^]*(?:i(?:[\"\\^]*a[\"\\^]*n[\"\\^]*y[\"\\^]*c[\"\\^]*p[\"\\^]*u)?|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|t[\"\\^]*p)|g[\"\\^]*(?:f[\"\\^]*x[\"\\^]*d[\"\\^]*o[\"\\^]*w[\"\\^]*n[\"\\^]*l[\"\\^]*o[\"\\^]*a[\"\\^]*d[\"\\^]*w[\"\\^]*r[\"\\^]*a[\"\\^]*p[\"\\^]*p[\"\\^]*e[\"\\^]*r|p[\"\\^]*s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|h[\"\\^]*h|i[\"\\^]*(?:e[\"\\^]*(?:4[\"\\^]*u[\"\\^]*i[\"\\^]*n[\"\\^]*i[\"\\^]*t|a[\"\\^]*d[\"\\^]*v[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|e[\"\\^]*x[\"\\^]*e[\"\\^]*c|f[\"\\^]*r[\"\\^]*a[\"\\^]*m[\"\\^]*e)|l[\"\\^]*a[\"\\^]*s[\"\\^]*m|m[\"\\^]*e[\"\\^]*w[\"\\^]*d[\"\\^]*b[\"\\^]*l[\"\\^]*d|n[\"\\^]*(?:f[\"\\^]*d[\"\\^]*e[\"\\^]*f[\"\\^]*a[\"\\^]*u[\"\\^]*l[\"\\^]*t[\"\\^]*i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*l|s[\"\\^]*t[\"\\^]*a[\"\\^]*l[\"\\^]*l[\"\\^]*u[\"\\^]*t[\"\\^]*i)[\"\\^]*l)|j[\"\\^]*s[\"\\^]*c|l[\"\\^]*(?:a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*-[\"\\^]*v[\"\\^]*s[\"\\^]*d[\"\\^]*e[\"\\^]*v[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l|d[\"\\^]*i[\"\\^]*f[\"\\^]*d[\"\\^]*e)|m[\"\\^]*(?:a[\"\\^]*(?:k[\"\\^]*e[\"\\^]*c[\"\\^]*a[\"\\^]*b|n[\"\\^]*a[\"\\^]*g[\"\\^]*e[\"\\^]*-[\"\\^]*b[\"\\^]*d[\"\\^]*e|v[\"\\^]*i[\"\\^]*n[\"\\^]*j[\"\\^]*e[\"\\^]*c[\"\\^]*t)|f[\"\\^]*t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e|i[\"\\^]*c[\"\\^]*r[\"\\^]*o[\"\\^]*s[\"\\^]*o[\"\\^]*f[\"\\^]*t|m[\"\\^]*c|p[\"\\^]*c[\"\\^]*m[\"\\^]*d[\"\\^]*r[\"\\^]*u[\"\\^]*n|s[\"\\^]*(?:(?:b[\"\\^]*u[\"\\^]*i[\"\\^]*l|o[\"\\^]*h[\"\\^]*t[\"\\^]*m[\"\\^]*e)[\"\\^]*d|c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*g|d[\"\\^]*(?:e[\"\\^]*p[\"\\^]*l[\"\\^]*o[\"\\^]*y|t)|h[\"\\^]*t[\"\\^]*(?:a|m[\"\\^]*l)|i[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*c|p[\"\\^]*u[\"\\^]*b|x[\"\\^]*s[\"\\^]*l))|n[\"\\^]*(?:e[\"\\^]*t[\"\\^]*s[\"\\^]*h|t[\"\\^]*d[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|o[\"\\^]*(?:d[\"\\^]*b[\"\\^]*c[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*f|f[\"\\^]*f[\"\\^]*l[\"\\^]*i[\"\\^]*n[\"\\^]*e[\"\\^]*s[\"\\^]*c[\"\\^]*a[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*r[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l|n[\"\\^]*e[\"\\^]*d[\"\\^]*r[\"\\^]*i[\"\\^]*v[\"\\^]*e[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*n[\"\\^]*d[\"\\^]*a[\"\\^]*l[\"\\^]*o[\"\\^]*n[\"\\^]*e[\"\\^]*u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e[\"\\^]*r|p[\"\\^]*e[\"\\^]*n[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*s[\"\\^]*o[\"\\^]*l[\"\\^]*e)|p[\"\\^]*(?:c[\"\\^]*(?:a[\"\\^]*l[\"\\^]*u[\"\\^]*a|w[\"\\^]*(?:r[\"\\^]*u[\"\\^]*n|u[\"\\^]*t[\"\\^]*l))|(?:e[\"\\^]*s[\"\\^]*t[\"\\^]*e|s)[\"\\^]*r|(?:k[\"\\^]*t[\"\\^]*m[\"\\^]*o|u[\"\\^]*b[\"\\^]*p[\"\\^]*r)[\"\\^]*n|n[\"\\^]*p[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|o[\"\\^]*w[\"\\^]*e[\"\\^]*r[\"\\^]*p[\"\\^]*n[\"\\^]*t|r[\"\\^]*(?:e[\"\\^]*s[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t|i[\"\\^]*n[\"\\^]*t(?:[\"\\^]*b[\"\\^]*r[\"\\^]*m)?|o[\"\\^]*(?:c[\"\\^]*d[\"\\^]*u[\"\\^]*m[\"\\^]*p|t[\"\\^]*o[\"\\^]*c[\"\\^]*o[\"\\^]*l[\"\\^]*h[\"\\^]*a[\"\\^]*n[\"\\^]*d[\"\\^]*l[\"\\^]*e[\"\\^]*r)))|r[\"\\^]*(?:a[\"\\^]*s[\"\\^]*a[\"\\^]*u[\"\\^]*t[\"\\^]*o[\"\\^]*u|c[\"\\^]*s[\"\\^]*i|(?:d[\"\\^]*r[\"\\^]*l[\"\\^]*e[\"\\^]*a[\"\\^]*k[\"\\^]*d[\"\\^]*i[\"\\^]*a|p[\"\\^]*c[\"\\^]*p[\"\\^]*i[\"\\^]*n)[\"\\^]*g|e[\"\\^]*(?:g(?:[\"\\^]*(?:a[\"\\^]*s[\"\\^]*m|e[\"\\^]*d[\"\\^]*i[\"\\^]*t|i[\"\\^]*(?:n[\"\\^]*i|s[\"\\^]*t[\"\\^]*e[\"\\^]*r[\"\\^]*-[\"\\^]*c[\"\\^]*i[\"\\^]*m[\"\\^]*p[\"\\^]*r[\"\\^]*o[\"\\^]*v[\"\\^]*i[\"\\^]*d[\"\\^]*e[\"\\^]*r)|s[\"\\^]*v[\"\\^]*(?:c[\"\\^]*s|r[\"\\^]*3[\"\\^]*2)))?|(?:m[\"\\^]*o[\"\\^]*t|p[\"\\^]*l[\"\\^]*a[\"\\^]*c)[\"\\^]*e)|u[\"\\^]*n[\"\\^]*(?:d[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2|(?:e[\"\\^]*x[\"\\^]*e|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*p[\"\\^]*e[\"\\^]*r|o[\"\\^]*n[\"\\^]*c[\"\\^]*e))|s[\"\\^]*(?:c[\"\\^]*(?:[\\s\\x0b,\\./;<>].*|h[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*k[\"\\^]*s|r[\"\\^]*i[\"\\^]*p[\"\\^]*t[\"\\^]*r[\"\\^]*u[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*r)|e[\"\\^]*t[\"\\^]*(?:r[\"\\^]*e[\"\\^]*s|t[\"\\^]*i[\"\\^]*n[\"\\^]*g[\"\\^]*s[\"\\^]*y[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t|u[\"\\^]*p[\"\\^]*a[\"\\^]*p[\"\\^]*i)|h[\"\\^]*(?:d[\"\\^]*o[\"\\^]*c[\"\\^]*v[\"\\^]*w|e[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2)|q[\"\\^]*(?:l[\"\\^]*(?:d[\"\\^]*u[\"\\^]*m[\"\\^]*p[\"\\^]*e[\"\\^]*r|(?:t[\"\\^]*o[\"\\^]*o[\"\\^]*l[\"\\^]*s[\"\\^]*)?p[\"\\^]*s)|u[\"\\^]*i[\"\\^]*r[\"\\^]*r[\"\\^]*e[\"\\^]*l)|s[\"\\^]*h|t[\"\\^]*o[\"\\^]*r[\"\\^]*d[\"\\^]*i[\"\\^]*a[\"\\^]*g|y[\"\\^]*(?:n[\"\\^]*c[\"\\^]*a[\"\\^]*p[\"\\^]*p[\"\\^]*v[\"\\^]*p[\"\\^]*u[\"\\^]*b[\"\\^]*l[\"\\^]*i[\"\\^]*s[\"\\^]*h[\"\\^]*i[\"\\^]*n[\"\\^]*g[\"\\^]*s[\"\\^]*e[\"\\^]*r[\"\\^]*v[\"\\^]*e[\"\\^]*r|s[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p))|t[\"\\^]*(?:e[\"\\^]*[\\s\\x0b,\\./;<>].*|r[\"\\^]*a[\"\\^]*c[\"\\^]*k[\"\\^]*e[\"\\^]*r|t[\"\\^]*(?:d[\"\\^]*i[\"\\^]*n[\"\\^]*j[\"\\^]*e[\"\\^]*c[\"\\^]*t|t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e[\"\\^]*r))|u[\"\\^]*(?:n[\"\\^]*r[\"\\^]*e[\"\\^]*g[\"\\^]*m[\"\\^]*p[\"\\^]*2|p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e|r[\"\\^]*l|t[\"\\^]*i[\"\\^]*l[\"\\^]*i[\"\\^]*t[\"\\^]*y[\"\\^]*f[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*s)|v[\"\\^]*(?:b[\"\\^]*c|e[\"\\^]*r[\"\\^]*c[\"\\^]*l[\"\\^]*s[\"\\^]*i[\"\\^]*d|i[\"\\^]*s[\"\\^]*u[\"\\^]*a[\"\\^]*l[\"\\^]*u[\"\\^]*i[\"\\^]*a[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*i[\"\\^]*f[\"\\^]*y[\"\\^]*n[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*v[\"\\^]*e|s[\"\\^]*(?:i[\"\\^]*i[\"\\^]*s[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h|j[\"\\^]*i[\"\\^]*t[\"\\^]*d[\"\\^]*e[\"\\^]*b[\"\\^]*u[\"\\^]*g[\"\\^]*g)[\"\\^]*e[\"\\^]*r)|w[\"\\^]*(?:a[\"\\^]*b|(?:f|m[\"\\^]*i)[\"\\^]*c|i[\"\\^]*n[\"\\^]*(?:g[\"\\^]*e[\"\\^]*t|r[\"\\^]*m|w[\"\\^]*o[\"\\^]*r[\"\\^]*d)|l[\"\\^]*r[\"\\^]*m[\"\\^]*d[\"\\^]*r|o[\"\\^]*r[\"\\^]*k[\"\\^]*f[\"\\^]*o[\"\\^]*l[\"\\^]*d[\"\\^]*e[\"\\^]*r[\"\\^]*s|s[\"\\^]*(?:(?:c[\"\\^]*r[\"\\^]*i[\"\\^]*p|r[\"\\^]*e[\"\\^]*s[\"\\^]*e)[\"\\^]*t|l)|t[\"\\^]*[\\s\\x0b,\\./;<>].*|u[\"\\^]*a[\"\\^]*u[\"\\^]*c[\"\\^]*l[\"\\^]*t)|x[\"\\^]*w[\"\\^]*i[\"\\^]*z[\"\\^]*a[\"\\^]*r[\"\\^]*d|z[\"\\^]*i[\"\\^]*p[\"\\^]*f[\"\\^]*l[\"\\^]*d[\"\\^]*r)(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        },
        {
          "id": "932380",
          "name": "Remote Command Execution: Windows Command Injection",
          "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:s[\"\\^]*s[\"\\^]*o[\"\\^]*c|t[\"\\^]*(?:m[\"\\^]*a[\"\\^]*d[\"\\^]*m|t[\"\\^]*r[\"\\^]*i[\"\\^]*b)|u[\"\\^]*(?:d[\"\\^]*i[\"\\^]*t[\"\\^]*p[\"\\^]*o[\"\\^]*l|t[\"\\^]*o[\"\\^]*(?:c[\"\\^]*(?:h[\"\\^]*k|o[\"\\^]*n[\"\\^]*v)|(?:f[\"\\^]*m|m[\"\\^]*o[\"\\^]*u[\"\\^]*n)[\"\\^]*t)))|b[\"\\^]*(?:c[\"\\^]*d[\"\\^]*(?:b[\"\\^]*o[\"\\^]*o|e[\"\\^]*d[\"\\^]*i)[\"\\^]*t|(?:d[\"\\^]*e[\"\\^]*h[\"\\^]*d|o[\"\\^]*o[\"\\^]*t)[\"\\^]*c[\"\\^]*f[\"\\^]*g|i[\"\\^]*t[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|c[\"\\^]*(?:a[\"\\^]*c[\"\\^]*l[\"\\^]*s|e[\"\\^]*r[\"\\^]*t[\"\\^]*(?:r[\"\\^]*e[\"\\^]*q|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|h[\"\\^]*(?:c[\"\\^]*p|d[\"\\^]*i[\"\\^]*r|g[\"\\^]*(?:l[\"\\^]*o[\"\\^]*g[\"\\^]*o[\"\\^]*n|p[\"\\^]*o[\"\\^]*r[\"\\^]*t|u[\"\\^]*s[\"\\^]*r)|k[\"\\^]*(?:d[\"\\^]*s[\"\\^]*k|n[\"\\^]*t[\"\\^]*f[\"\\^]*s))|l[\"\\^]*e[\"\\^]*a[\"\\^]*n[\"\\^]*m[\"\\^]*g[\"\\^]*r|m[\"\\^]*(?:d(?:[\"\\^]*k[\"\\^]*e[\"\\^]*y)?|s[\"\\^]*t[\"\\^]*p)|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|d[\"\\^]*(?:c[\"\\^]*(?:d[\"\\^]*i[\"\\^]*a[\"\\^]*g|g[\"\\^]*p[\"\\^]*o[\"\\^]*f[\"\\^]*i[\"\\^]*x)|e[\"\\^]*(?:f[\"\\^]*r[\"\\^]*a[\"\\^]*g|l)|f[\"\\^]*s[\"\\^]*(?:d[\"\\^]*i[\"\\^]*a|r[\"\\^]*m[\"\\^]*i)[\"\\^]*g|i[\"\\^]*(?:a[\"\\^]*n[\"\\^]*t[\"\\^]*z|r|s[\"\\^]*(?:k[\"\\^]*(?:c[\"\\^]*o[\"\\^]*(?:m[\"\\^]*p|p[\"\\^]*y)|p[\"\\^]*(?:a[\"\\^]*r[\"\\^]*t|e[\"\\^]*r[\"\\^]*f)|r[\"\\^]*a[\"\\^]*i[\"\\^]*d|s[\"\\^]*h[\"\\^]*a[\"\\^]*d[\"\\^]*o[\"\\^]*w)|p[\"\\^]*d[\"\\^]*i[\"\\^]*a[\"\\^]*g))|n[\"\\^]*s[\"\\^]*c[\"\\^]*m[\"\\^]*d|(?:o[\"\\^]*s[\"\\^]*k[\"\\^]*e|r[\"\\^]*i[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*q[\"\\^]*u[\"\\^]*e[\"\\^]*r)[\"\\^]*y)|e[\"\\^]*(?:n[\"\\^]*d[\"\\^]*l[\"\\^]*o[\"\\^]*c[\"\\^]*a[\"\\^]*l|v[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*c[\"\\^]*r[\"\\^]*e[\"\\^]*a[\"\\^]*t[\"\\^]*e)|E[\"\\^]*v[\"\\^]*n[\"\\^]*t[\"\\^]*c[\"\\^]*m[\"\\^]*d|f[\"\\^]*(?:c|i[\"\\^]*(?:l[\"\\^]*e[\"\\^]*s[\"\\^]*y[\"\\^]*s[\"\\^]*t[\"\\^]*e[\"\\^]*m[\"\\^]*s|n[\"\\^]*d[\"\\^]*s[\"\\^]*t[\"\\^]*r)|l[\"\\^]*a[\"\\^]*t[\"\\^]*t[\"\\^]*e[\"\\^]*m[\"\\^]*p|o[\"\\^]*r[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s|r[\"\\^]*e[\"\\^]*e[\"\\^]*d[\"\\^]*i[\"\\^]*s[\"\\^]*k|s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|(?:t[\"\\^]*y[\"\\^]*p|v[\"\\^]*e[\"\\^]*u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t)[\"\\^]*e)|g[\"\\^]*(?:e[\"\\^]*t[\"\\^]*(?:m[\"\\^]*a[\"\\^]*c|t[\"\\^]*y[\"\\^]*p[\"\\^]*e)|o[\"\\^]*t[\"\\^]*o|p[\"\\^]*(?:f[\"\\^]*i[\"\\^]*x[\"\\^]*u[\"\\^]*p|(?:r[\"\\^]*e[\"\\^]*s[\"\\^]*u[\"\\^]*l[\"\\^]*)?t|u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e)|r[\"\\^]*a[\"\\^]*f[\"\\^]*t[\"\\^]*a[\"\\^]*b[\"\\^]*l)|h[\"\\^]*(?:e[\"\\^]*l[\"\\^]*p[\"\\^]*c[\"\\^]*t[\"\\^]*r|o[\"\\^]*s[\"\\^]*t[\"\\^]*n[\"\\^]*a[\"\\^]*m[\"\\^]*e)|i[\"\\^]*(?:c[\"\\^]*a[\"\\^]*c[\"\\^]*l[\"\\^]*s|p[\"\\^]*(?:c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*g|x[\"\\^]*r[\"\\^]*o[\"\\^]*u[\"\\^]*t[\"\\^]*e)|r[\"\\^]*f[\"\\^]*t[\"\\^]*p)|j[\"\\^]*e[\"\\^]*t[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|k[\"\\^]*(?:l[\"\\^]*i[\"\\^]*s[\"\\^]*t|s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p|t[\"\\^]*(?:m[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|p[\"\\^]*a[\"\\^]*s[\"\\^]*s))|l[\"\\^]*(?:o[\"\\^]*(?:d[\"\\^]*c[\"\\^]*t[\"\\^]*r|g[\"\\^]*(?:m[\"\\^]*a[\"\\^]*n|o[\"\\^]*f[\"\\^]*f))|p[\"\\^]*[qr])|m[\"\\^]*(?:a[\"\\^]*(?:c[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e|k[\"\\^]*e[\"\\^]*c[\"\\^]*a[\"\\^]*b|p[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|k[\"\\^]*(?:d[\"\\^]*i[\"\\^]*r|l[\"\\^]*i[\"\\^]*n[\"\\^]*k)|m[\"\\^]*c|o[\"\\^]*u[\"\\^]*n[\"\\^]*t[\"\\^]*v[\"\\^]*o[\"\\^]*l|q[\"\\^]*(?:b[\"\\^]*k[\"\\^]*u[\"\\^]*p|(?:t[\"\\^]*g[\"\\^]*)?s[\"\\^]*v[\"\\^]*c)|s[\"\\^]*(?:d[\"\\^]*t|i[\"\\^]*(?:e[\"\\^]*x[\"\\^]*e[\"\\^]*c|n[\"\\^]*f[\"\\^]*o[\"\\^]*3[\"\\^]*2)|t[\"\\^]*s[\"\\^]*c))|n[\"\\^]*(?:b[\"\\^]*t[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*t|e[\"\\^]*t[\"\\^]*(?:c[\"\\^]*f[\"\\^]*g|d[\"\\^]*o[\"\\^]*m|s[\"\\^]*(?:h|t[\"\\^]*a[\"\\^]*t))|f[\"\\^]*s[\"\\^]*(?:a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|s[\"\\^]*(?:h[\"\\^]*a[\"\\^]*r[\"\\^]*e|t[\"\\^]*a[\"\\^]*t))|l[\"\\^]*(?:b[\"\\^]*m[\"\\^]*g[\"\\^]*r|t[\"\\^]*e[\"\\^]*s[\"\\^]*t)|s[\"\\^]*l[\"\\^]*o[\"\\^]*o[\"\\^]*k[\"\\^]*u[\"\\^]*p|t[\"\\^]*(?:b[\"\\^]*a[\"\\^]*c[\"\\^]*k[\"\\^]*u[\"\\^]*p|c[\"\\^]*m[\"\\^]*d[\"\\^]*p[\"\\^]*r[\"\\^]*o[\"\\^]*m[\"\\^]*p[\"\\^]*t|f[\"\\^]*r[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*l))|o[\"\\^]*(?:f[\"\\^]*f[\"\\^]*l[\"\\^]*i[\"\\^]*n[\"\\^]*e|p[\"\\^]*e[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s)|p[\"\\^]*(?:a[\"\\^]*(?:g[\"\\^]*e[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i|t[\"\\^]*h[\"\\^]*p[\"\\^]*i[\"\\^]*n)[\"\\^]*g|(?:b[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i|k[\"\\^]*t[\"\\^]*m[\"\\^]*o)[\"\\^]*n|e[\"\\^]*(?:n[\"\\^]*t[\"\\^]*n[\"\\^]*t|r[\"\\^]*f[\"\\^]*m[\"\\^]*o[\"\\^]*n)|n[\"\\^]*p[\"\\^]*u[\"\\^]*(?:n[\"\\^]*a[\"\\^]*t[\"\\^]*t[\"\\^]*e[\"\\^]*n[\"\\^]*d|t[\"\\^]*i[\"\\^]*l)|o[\"\\^]*(?:p[\"\\^]*d|w[\"\\^]*e[\"\\^]*r[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l)|r[\"\\^]*n[\"\\^]*(?:c[\"\\^]*n[\"\\^]*f[\"\\^]*g|(?:d[\"\\^]*r[\"\\^]*v|m[\"\\^]*n[\"\\^]*g)[\"\\^]*r|j[\"\\^]*o[\"\\^]*b[\"\\^]*s|p[\"\\^]*o[\"\\^]*r[\"\\^]*t|q[\"\\^]*c[\"\\^]*t[\"\\^]*l)|u[\"\\^]*(?:b[\"\\^]*p[\"\\^]*r[\"\\^]*n|s[\"\\^]*h[\"\\^]*(?:d|p[\"\\^]*r[\"\\^]*i[\"\\^]*n[\"\\^]*t[\"\\^]*e[\"\\^]*r[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*c[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*s))|w[\"\\^]*(?:l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*r|s[\"\\^]*h))|q[\"\\^]*(?:a[\"\\^]*p[\"\\^]*p[\"\\^]*s[\"\\^]*r[\"\\^]*v|p[\"\\^]*r[\"\\^]*o[\"\\^]*c[\"\\^]*e[\"\\^]*s[\"\\^]*s|u[\"\\^]*s[\"\\^]*e[\"\\^]*r|w[\"\\^]*i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a)|r[\"\\^]*(?:d(?:[\"\\^]*p[\"\\^]*s[\"\\^]*i[\"\\^]*g[\"\\^]*n)?|e[\"\\^]*(?:f[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|g(?:[\"\\^]*(?:i[\"\\^]*n[\"\\^]*i|s[\"\\^]*v[\"\\^]*r[\"\\^]*3[\"\\^]*2))?|l[\"\\^]*o[\"\\^]*g|(?:(?:p[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i|s[\"\\^]*c[\"\\^]*a)[\"\\^]*)?n|x[\"\\^]*e[\"\\^]*c)|i[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p|m[\"\\^]*d[\"\\^]*i[\"\\^]*r|o[\"\\^]*b[\"\\^]*o[\"\\^]*c[\"\\^]*o[\"\\^]*p[\"\\^]*y|p[\"\\^]*c[\"\\^]*(?:i[\"\\^]*n[\"\\^]*f[\"\\^]*o|p[\"\\^]*i[\"\\^]*n[\"\\^]*g)|s[\"\\^]*h|u[\"\\^]*n[\"\\^]*d[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2|w[\"\\^]*i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a)|s[\"\\^]*(?:a[\"\\^]*n|c[\"\\^]*(?:h[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*k[\"\\^]*s|w[\"\\^]*c[\"\\^]*m[\"\\^]*d)|e[\"\\^]*(?:c[\"\\^]*e[\"\\^]*d[\"\\^]*i[\"\\^]*t|r[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*(?:(?:c[\"\\^]*e[\"\\^]*i[\"\\^]*p|w[\"\\^]*e[\"\\^]*r)[\"\\^]*o[\"\\^]*p[\"\\^]*t[\"\\^]*i[\"\\^]*n|m[\"\\^]*a[\"\\^]*n[\"\\^]*a[\"\\^]*g[\"\\^]*e[\"\\^]*r[\"\\^]*c[\"\\^]*m[\"\\^]*d)|t[\"\\^]*x)|f[\"\\^]*c|(?:h[\"\\^]*o[\"\\^]*w[\"\\^]*m[\"\\^]*o[\"\\^]*u[\"\\^]*n|u[\"\\^]*b[\"\\^]*s)[\"\\^]*t|x[\"\\^]*s[\"\\^]*t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e|y[\"\\^]*s[\"\\^]*(?:o[\"\\^]*c[\"\\^]*m[\"\\^]*g[\"\\^]*r|t[\"\\^]*e[\"\\^]*m[\"\\^]*i[\"\\^]*n[\"\\^]*f[\"\\^]*o))|t[\"\\^]*(?:a[\"\\^]*(?:k[\"\\^]*e[\"\\^]*o[\"\\^]*w[\"\\^]*n|p[\"\\^]*i[\"\\^]*c[\"\\^]*f[\"\\^]*g|s[\"\\^]*k[\"\\^]*(?:k[\"\\^]*i[\"\\^]*l[\"\\^]*l|l[\"\\^]*i[\"\\^]*s[\"\\^]*t))|(?:c[\"\\^]*m[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u|f[\"\\^]*t)[\"\\^]*p|(?:(?:e[\"\\^]*l[\"\\^]*n[\"\\^]*e|i[\"\\^]*m[\"\\^]*e[\"\\^]*o[\"\\^]*u)[\"\\^]*|r[\"\\^]*a[\"\\^]*c[\"\\^]*e[\"\\^]*r[\"\\^]*(?:p[\"\\^]*)?)t|l[\"\\^]*n[\"\\^]*t[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*n|p[\"\\^]*m[\"\\^]*(?:t[\"\\^]*o[\"\\^]*o[\"\\^]*l|v[\"\\^]*s[\"\\^]*c[\"\\^]*m[\"\\^]*g[\"\\^]*r)|s[\"\\^]*(?:(?:d[\"\\^]*i[\"\\^]*s[\"\\^]*)?c[\"\\^]*o[\"\\^]*n|e[\"\\^]*c[\"\\^]*i[\"\\^]*m[\"\\^]*p|k[\"\\^]*i[\"\\^]*l[\"\\^]*l|p[\"\\^]*r[\"\\^]*o[\"\\^]*f)|y[\"\\^]*p[\"\\^]*e[\"\\^]*p[\"\\^]*e[\"\\^]*r[\"\\^]*f|z[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|u[\"\\^]*n[\"\\^]*(?:e[\"\\^]*x[\"\\^]*p[\"\\^]*o[\"\\^]*s[\"\\^]*e|i[\"\\^]*q[\"\\^]*u[\"\\^]*e[\"\\^]*i[\"\\^]*d|l[\"\\^]*o[\"\\^]*d[\"\\^]*c[\"\\^]*t[\"\\^]*r)|v[\"\\^]*s[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|w[\"\\^]*(?:a[\"\\^]*i[\"\\^]*t[\"\\^]*f[\"\\^]*o[\"\\^]*r|b[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|(?:d[\"\\^]*s|e[\"\\^]*(?:c|v[\"\\^]*t))[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|h[\"\\^]*o[\"\\^]*a[\"\\^]*m[\"\\^]*i|i[\"\\^]*n[\"\\^]*(?:n[\"\\^]*t(?:[\"\\^]*3[\"\\^]*2)?|r[\"\\^]*s)|m[\"\\^]*i[\"\\^]*c|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|x[\"\\^]*c[\"\\^]*o[\"\\^]*p[\"\\^]*y)(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88"
          ]
        }
      ]
    },
    {
      "id": "crs-php",
      "name": "CRS PHP Injection",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS PHP Injection (11 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "933100",
          "name": "PHP Injection Attack: PHP Open Tag Found",
          "pattern": "(?i)<\\?(?:php[\\s\\x0b]|[\\s\\x0b=]|xml(?:[\\s\\x0b]+[^a-z]|:)|$)|\\[[/\\x5c]?php\\]|\\{/?php\\}",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933110",
          "name": "PHP Injection Attack: PHP Script File Upload Found",
          "pattern": ".*\\.ph(?:p\\d*|tml|ar|ps|t|pt)\\.*$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933120",
          "name": "PHP Injection Attack: Configuration Directive Found",
          "pattern": "(?i)\\b(?:a(?:llow_url_(?:fopen|include)|pc.(?:coredump_unmap|en(?:able(?:_cli|d)|tries_hint)|(?:gc_)?ttl|mmap_file_mask|preload_path|s(?:erializer|hm_s(?:egments|ize)|lam_defense)|use_request_time)|rg_separator.(?:in|out)put|ssert.(?:active|(?:bai|quiet_eva)l|callback|exception|warning)|uto_(?:(?:ap|pre)pend_file|detect_line_endings|globals_jit))|b(?:cmath.scale|rowscap)|c(?:gi.(?:check_shebang_line|(?:discard_pat|np)h|f(?:ix_pathinfo|orce_redirect)|r(?:edirect_status_env|fc2616_headers))|hild_terminate|li(?:_server.color|.p(?:ager|rompt))|om.(?:a(?:llow_dcom|utoregister_(?:(?:casesensitiv|verbos)e|typelib))|(?:code_pag|typelib_fil)e|dotnet_version)|url.cainfo)|d(?:ate.(?:(?:default_l(?:at|ong)itud|timezon)e|sun(?:rise|set)_zenith)|ba.default_handler|efault_(?:(?:charse|socket_timeou)t|mimetype)|is(?:able_(?:classe|function)|play_(?:startup_)?error)s|oc(?:_roo|ref_(?:ex|roo))t)|e(?:n(?:able_(?:dl|post_data_reading)|gine)|rror_(?:(?:(?:ap|pre)pend_str|report)in|lo)g|x(?:i(?:f.(?:decode_(?:jis|unicode)_(?:intel|motorola)|encode_(?:jis|unicode))|t_on_timeout)|tension(?:_dir)?|p(?:ect.(?:log(?:file|user)|match_max|timeout)|ose_php)))|f(?:astcgi.(?:impersonate|logging)|fi.(?:enable|preload)|il(?:e_uploads|ter.default(?:_flags)?))|g(?:d.jpeg_ignore_warning|eoip.custom_directory)|h(?:ard_timeout|ighlight.(?:(?:commen|defaul)t|html|keyword|string)|tml_errors)|i(?:b(?:ase.(?:(?:allow_persisten|time(?:stamp)?forma)t|d(?:ateformat|efault_(?:charset|db|password|user))|max_(?:links|persistent))|m_db2.(?:binmode|i(?:5_(?:all(?:_pconnec|ow_commi)t|dbcs_alloc|ignore_userid)|nstance_name)))|conv.(?:in(?:put|ternal)|output)_encoding|g(?:binary.compact_strings|nore_(?:repeated_(?:errors|source)|user_abort))|m(?:a(?:gick.(?:locale_fix|progress_monitor|skip_version_check)|p.enable_insecure_rsh)|plicit_flush)|n(?:clude_path|put_encoding|t(?:ernal_encoding|l.(?:default_locale|error_level|use_exceptions))))|l(?:dap.max_links|og_errors(?:_max_len)?)|m(?:a(?:gic_quotes_(?:gpc|runtime)|il(?:.(?:add_x_header|force_extra_parameters|log)|parse.def_charset)|x_(?:execution_time|file_uploads|input_(?:nesting_level|time|vars)))|bstring.(?:detect_order|encoding_translation|func_overload|http_(?:input|output(?:_conv_mimetypes)?)|internal_encoding|language|regex_(?:retry|stack)_limit|s(?:trict_detection|ubstitute_character))|crypt.(?:algorithm|mode)s_dir|em(?:cache(?:.(?:allow_failover|c(?:hunk_size|ompress_threshold)|(?:default_por|lock_timeou)t|hash_(?:function|strategy)|max_failover_attempts|protocol|(?:session_)?redundancy)|d.(?:compression_(?:factor|t(?:hreshold|ype))|default_(?:binary_protocol|con(?:nect_timeout|sistent_hash))|s(?:e(?:rializer|ss_(?:binary(?:_protocol)?|con(?:nect_timeout|sistent_hash(?:_type)?)|lock(?:_(?:expire|retries|wait(?:_m(?:ax|in))?)|ing)|number_of_replicas|p(?:ersistent|refix)|r(?:andomize_replica_read|emove_failed(?:_servers)?)|s(?:asl_(?:password|username)|erver_failure_limit)))|tore_retry_count)|use_sasl))|ory_limit)|ysql(?:.(?:allow_(?:local_infile|persistent)|connect_timeout|default_(?:(?:hos|socke)t|p(?:assword|ort)|user)|max_(?:links|persistent)|trace_mode)|i.(?:allow_(?:local_infile|persistent)|default_(?:(?:hos|socke)t|p(?:ort|w)|user)|local_infile_directory|max_(?:links|persistent)|r(?:econnect|ollback_on_cached_plink))|nd.(?:collect_(?:memory_)?statistics|debug|(?:fetch_data_cop|sha256_server_public_ke)y|log_mask|mempool_default_size|net_(?:cmd_buffer_size|read_(?:buffer_size|timeout))|trace_alloc)))|o(?:ci8.(?:(?:connection_clas|event|old_oci_close_semantic)s|default_prefetch|max_persistent|p(?:ersistent_timeout|ing_interval|r(?:efetch_lob_size|ivileged_connect))|statement_cache_size)|dbc.(?:(?:allow|check)_persistent|default(?:_(?:cursortype|db|pw|user)|binmode|lrl)|max_(?:links|persistent))|p(?:cache.(?:blacklist_filename|c(?:ache_id|onsistency_checks)|dups_fix|e(?:nable(?:_(?:cli|file_override))?|rror_log)|f(?:ast_shutdown|ile_(?:cache(?:_(?:consistency_checks|fallback|only))?|update_protection)|orce_restart_timeout)|(?:huge_code_page|save_comment)s|in(?:herited_hack|terned_strings_buffer)|jit(?:_(?:b(?:isect_limit|(?:lacklist_(?:root|side)_trac|uffer_siz)e)|debug|hot_(?:func|loop|return|side_exit)|max_(?:exit_counter|(?:loop_unro|polymorphic_ca)ll|r(?:ecursive_(?:call|return)|oot_trace)|side_trace)s|prof_threshold))?|lo(?:ckfile_path|g_verbosity_level)|m(?:ax_(?:accelerated_files|(?:file_siz|wasted_percentag)e)|emory_consumption|map_base)|opt(?:_debug|imization)_level|pr(?:e(?:ferred_memory_model|load(?:_user)?)|otect_memory)|re(?:cord_warnings|strict_api|validate_(?:freq|path))|use_cwd|validate_(?:permission|root|timestamps))|en(?:_basedir|ssl.ca(?:file|path)))|utput_(?:(?:buffer|encod)ing|handler))|p(?:cre.(?:(?:backtrack|recursion)_lim|j)it|do(?:_odbc.(?:connection_pooling|db2_instance_name)|.dsn)|gsql.(?:a(?:llow|uto_reset)_persistent|(?:ignore|log)_notice|max_(?:links|persistent))|h(?:ar.(?:cache_list|re(?:adonly|quire_hash))|pdbg.(?:eol|path))|recision|ost_max_size)|r(?:e(?:alpath_cache_(?:size|ttl)|gister_argc_argv|port_(?:memleaks|zend_debug)|quest_order)|unkit.(?:internal_override|superglobal))|s(?:e(?:aslog.(?:appender(?:_retry)?|buffer_(?:disabled_in_cli|size)|d(?:efault_(?:basepath|datetime_format|logger|template)|isting_(?:(?:by_hou|folde)r|type))|ignore_warning|level|re(?:call_depth|mote_(?:hos|por|timeou)t)|t(?:hrow_exception|r(?:ace_(?:e(?:rror|xception)|notice|warning)|im_wrap))|use_buffer)|ndmail_(?:from|path)|rialize_precision|ssion.(?:auto_start|c(?:ache_(?:expire|limiter)|ookie_(?:domain|httponly|(?:lifetim|s(?:amesit|ecur))e|path))|entropy_(?:file|length)|gc_(?:divisor|maxlifetime|probability)|hash_(?:bits_per_character|function)|(?:lazy_writ|nam)e|referer_check|s(?:ave_(?:handler|path)|erialize_handler|id_(?:bits_per_character|length))|trans_sid_(?:host|tag)s|u(?:pload_progress.(?:cleanup|enabled|(?:min_)?freq|name|prefix)|se_(?:(?:only_)?cookies|strict_mode|trans_sid))))|hort_open_tag|mtp(?:_port)?|oap.wsdl_cache(?:_(?:dir|enabled|limit|ttl))?|ql(?:.safe_mode|ite3.(?:defensive|extension_dir))|tomp.default_(?:broker|(?:connection|read)_timeout_u?sec)|woole.(?:aio_thread_num|display_errors|enable_(?:coroutine|library|preemptive_scheduler)|(?:fast_serializ|u(?:nixsock_buffer_siz|se_(?:namespac|shortnam)))e)|ys(?:_temp_dir|log.(?:f(?:acility|ilter)|ident)|vshm.init_mem))|t(?:aint.e(?:nable|rror_level)|idy.(?:clean_output|default_config)|ra(?:ck_errors|der.real_(?:precision|round_mode)))|u(?:nserialize_(?:callback_func|max_depth)|opz.(?:disable|exit|overloads)|pload(?:_(?:max_filesize|tmp_dir)|progress.file.filename_template)|rl_rewriter.(?:host|tag)s|ser_(?:agent|dir|ini.(?:cache_ttl|filename)))|v(?:8js.(?:flag|max_disposed_context)s|ariables_order|ld.(?:(?:activ|execut)e|skip_(?:ap|pre)pend))|w(?:in(?:cache.(?:chkinterval|enablecli|f(?:c(?:achesize|enabled(?:filter)?|ndetect)|ile(?:count|mapdir))|(?:ignorelis|namesal)t|maxfilesize|oc(?:achesize|enabled(?:filter)?)|reroute(?:_enabled|ini)|s(?:cachesize|rwlocks)|ttlmax|uc(?:achesize|enabled))|dows.show_crt_warning)|khtmltox.graphics)|x(?:bithack|hprof.output_dir|mlrpc_error(?:_number|s))|ya(?:c(?:.(?:compress_threshold|debug|enable(?:_cli)?|(?:key|value)s_memory_size|serializer)|onf.(?:check_dela|director)y)|f.(?:action_prefer|cache_config|environ|forward_limit|l(?:ibrary|owcase_path)|name_s(?:eparator|uffix)|use_(?:namespace|spl_autoload))|ml.(?:decode_(?:binary|(?:ph|timestam)p)|output_(?:canonical|indent|width))|r.(?:(?:connect_)?timeout|debug|expose_info|packager)|z.(?:keepalive|log_mask))|z(?:end(?:_extension|.(?:assertions|(?:detect_unicod|multibyt)e|e(?:nable_gc|xception_(?:ignore_args|string_param_max_len))|s(?:cript_encoding|ignal_check)))|lib.output_(?:compression(?:_level)?|handler)|ookeeper.(?:recv_timeout|sess(?:_lock_wait|ion_lock))))[\\s\\x0b]*=[^=]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933135",
          "name": "PHP Injection Attack: Variable Access Found",
          "pattern": "\\$\\s*\\{\\s*\\S[^\\{\\}]*\\}",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933140",
          "name": "PHP Injection Attack: I/O Stream Found",
          "pattern": "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933200",
          "name": "PHP Injection Attack: Wrapper scheme detected",
          "pattern": "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933160",
          "name": "PHP Injection Attack: High-Risk PHP Function Call Found",
          "pattern": "(?i)\\b\\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a|ntval)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|hpinfo|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:(?:pac|lin)k|serialize)|sort))(?:/(?:\\*.*?\\*/|/[^\\n\\r]*)|#[^\\n\\r]*|[\\s\\x0b\"])*[\"']*\\)?[\\s\\x0b]*\\([^\\)]*\\)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933170",
          "name": "PHP Injection Attack: Serialized Object Injection",
          "pattern": "[oOcC]:\\d+:\".+?\":\\d+:\\{.*}",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933180",
          "name": "PHP Injection Attack: Variable Function Call Found",
          "pattern": "\\$+(?:[a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*|\\s*\\{.+})(?:\\s|\\[.+\\]|\\{.+}|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933210",
          "name": "PHP Injection Attack: Variable Function Call Found",
          "pattern": "(?:\\((?:.+\\)(?:[\"'][\\-0-9A-Z_a-z]+[\"'])?\\(.+|[^\\)]*string[^\\)]*\\)[\\s\\x0b\"'\\-\\.0-9A-\\[\\]_a-\\{\\}]+\\([^\\)]*)|(?:\\[[0-9]+\\]|\\{[0-9]+\\}|\\$[^\\(\\),\\./;\\x5c]+|[\"'][\\-0-9A-Z\\x5c_a-z]+[\"'])\\(.+)\\);",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "933220",
          "name": "PHP Injection Attack: PHP Session File Upload Attempt",
          "pattern": "(?:^|[/\\x5c])sess_[,\\-0-9a-z]{20,256}$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-injection-php",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-PHP",
            "capec/1000/152/242"
          ]
        }
      ]
    },
    {
      "id": "crs-generic-attack",
      "name": "CRS Generic Application Attack",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Generic Application Attack (5 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "934100",
          "name": "Node.js Injection Attack 1/2",
          "pattern": "_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|(?:\\beval|new[\\s\\x0b]+Function[\\s\\x0b]*)\\(|(?:String\\.fromCharCod|Module:prototyp)e|function\\(\\)\\{|this\\.constructor|module\\.exports=|\\([\\s\\x0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\\s\\x0b]*\\)|cons(?:tructor:constructor|ole(?:\\.(?:(?:debu|lo)g|error|info|trace|warn)(?:\\.call)?\\(|\\[[\"'`](?:(?:debu|lo)g|error|info|trace|warn)[\"'`]\\]))|process(?:\\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\\.call)?\\(|binding|constructor|env|global|main(?:Module)?|process|require)|\\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\\[|require(?:\\.(?:resolve(?:\\.call)?\\(|main|extensions|cache)|\\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\\])",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "attack-injection-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-GENERIC",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "934130",
          "name": "JavaScript Prototype Pollution",
          "pattern": "__proto__|constructor[\\s\\x0b]*(?:\\.|\\]?\\[)[\\s\\x0b]*prototype",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "attack-injection-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-GENERIC",
            "capec/1/180/77"
          ]
        },
        {
          "id": "934150",
          "name": "Ruby Injection Attack",
          "pattern": "Process[\\s\\x0b]*\\.[\\s\\x0b]*spawn[\\s\\x0b]*\\(",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "attack-injection-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-GENERIC",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "934160",
          "name": "Node.js DoS attack",
          "pattern": "while[\\s\\x0b]*\\([\\s\\x0b\\(]*(?:!+(?:false|null|undefined|NaN|[\\+\\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\\+\\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\\b|\\{[^\\}]*\\}|\\[[^\\]]*\\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\\)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "attack-injection-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-GENERIC",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "934170",
          "name": "PHP data scheme attack",
          "pattern": "^data:(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-ssrf",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-GENERIC",
            "capec/1000/152/242"
          ]
        }
      ]
    },
    {
      "id": "crs-xss",
      "name": "CRS Cross-Site Scripting (XSS)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Cross-Site Scripting (XSS) (24 rules)",
      "author": "OWASP CRS Project",
      "priority": 5,
      "enabled": true,
      "rules": [
        {
          "id": "941100",
          "name": "XSS Attack Detected via libinjection",
          "pattern": "@detectXSS",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941110",
          "name": "XSS Filter - Category 1: Script Tag Vector",
          "pattern": "(?i)<script[^>]*>[\\s\\S]*?",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941120",
          "name": "XSS Filter - Category 2: Event Handler Vector",
          "pattern": "(?i)[\\s\"'`;/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,50}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941130",
          "name": "XSS Filter - Category 3: Attribute Vector",
          "pattern": "(?i).(?:\\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\\b|pattern[\\s\\x0b]*=)|(?:!ENTITY[\\s\\x0b]+(?:%[\\s\\x0b]+)?[^\\s\\x0b]+[\\s\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\b)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941140",
          "name": "XSS Filter - Category 4: Javascript URI Vector",
          "pattern": "(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941160",
          "name": "NoScript XSS InjectionChecker: HTML Injection",
          "pattern": "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z][^\\s\\x0b/]*[\\s\\x0b/]|[\"'](?:[^\\s\\x0b/]*[\\s\\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\\x08-\\n\\f\\r ]*?=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941170",
          "name": "NoScript XSS InjectionChecker: Attribute Injection",
          "pattern": "(?i)(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d))|data:(?:(?:[a-z]\\w+/\\w[\\w+-]+\\w)?[;,]|[\\s\\S]*?;[\\s\\S]*?\\b(?:base64|charset=)|[\\s\\S]*?,[\\s\\S]*?<[\\s\\S]*?\\w[\\s\\S]*?>))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941190",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<style.*?>.*?(?:@[\\x5ci]|(?:[:=]|&#x?0*(?:58|3[AD]|61);?).*?(?:[\\(\\x5c]|&#x?0*(?:40|28|92|5C);?))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941200",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941210",
          "name": "Javascript Word Detected",
          "pattern": "(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941220",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941230",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<EMBED[\\s/+].*?(?:src|type).*?=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941240",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "<[?]?import[\\s/+\\S]*?implementation[\\s/+]*?=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941250",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i:<META[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941260",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i:<META[\\s/+].*?charset[\\s/+]*=)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941270",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<LINK[\\s/+].*?href[\\s/+]*=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941280",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<BASE[\\s/+].*?href[\\s/+]*=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941290",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<APPLET[\\s/+>]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941300",
          "name": "IE XSS Filters - Attack Detected",
          "pattern": "(?i)<OBJECT[\\s\\x0b\\+/].*?(?:type|c(?:ode(?:type)?|lassid)|data)[\\s\\x0b\\+/]*=",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941350",
          "name": "UTF-7 Encoding IE XSS - Attack Detected",
          "pattern": "\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941360",
          "name": "JSFuck / Hieroglyphy obfuscation detected",
          "pattern": "![!+ ]\\[\\]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242/63"
          ]
        },
        {
          "id": "941370",
          "name": "JavaScript global variable found",
          "pattern": "(?:self|document|t(?:his|op)|window)[\\s\\x0b]*(?:/\\*|[\\)\\[]).+?(?:\\]|\\*/)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242/63"
          ]
        },
        {
          "id": "941390",
          "name": "Javascript method detected",
          "pattern": "(?i)\\b(?:eval|set(?:timeout|interval)|new[\\s\\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\\.(?:log|dir))|fetch)[\\s\\x0b]*[\\(\\{]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "941400",
          "name": "XSS JavaScript function without parentheses",
          "pattern": "((?:\\[[^\\]]*\\]|Reflect)[^\\.]*\\.).*(?:map|sort|apply)[^\\.]*\\..*call[^`]*`.*`",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "xss",
          "enabled": true,
          "tags": [
            "attack-xss",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-XSS",
            "capec/1000/152/242"
          ]
        }
      ]
    },
    {
      "id": "crs-sqli",
      "name": "CRS SQL Injection (SQLi)",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS SQL Injection (SQLi) (20 rules)",
      "author": "OWASP CRS Project",
      "priority": 3,
      "enabled": true,
      "rules": [
        {
          "id": "942100",
          "name": "SQL Injection Attack Detected via libinjection",
          "pattern": "@detectSQLi",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942140",
          "name": "SQL Injection Attack: Common DB Names Detected",
          "pattern": "(?i)\\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\\(|(?:information_schema|m(?:aster\\.\\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\\.db)|northwind|pg_(?:catalog|toast)|tempdb)\\b|s(?:chema(?:_name\\b|[^0-9A-Z_a-z]*\\()|(?:qlite_(?:temp_)?master|ys(?:aux|\\.database_name))\\b))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942151",
          "name": "SQL Injection Attack: SQL function name detected",
          "pattern": "(?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942160",
          "name": "Detects blind sqli tests using sleep() or benchmark()",
          "pattern": "(?i:sleep\\s*?\\(.*?\\)|benchmark\\s*?\\(.*?\\,.*?\\))",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942170",
          "name": "Detects SQL benchmark and sleep injection attempts including conditional queries",
          "pattern": "(?i)(?:select|;)[\\s\\x0b]+(?:benchmark|if|sleep)[\\s\\x0b]*?\\([\\s\\x0b]*?\\(?[\\s\\x0b]*?[0-9A-Z_a-z]+",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942190",
          "name": "Detects MSSQL code execution and information gathering attempts",
          "pattern": "(?i)[\"'`](?:[\\s\\x0b]*![\\s\\x0b]*[\"'0-9A-Z_-z]|;?[\\s\\x0b]*(?:having|select|union\\b[\\s\\x0b]*(?:all|(?:distin|sele)ct))\\b[\\s\\x0b]*[^\\s\\x0b])|\\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\\s\\x0b]*?|select.*?[0-9A-Z_a-z]?user)\\(|exec(?:ute)?[\\s\\x0b]+master\\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\\s\\x0b\\+]+(?:dump|out)file[\\s\\x0b]*?[\"'`]|union(?:[\\s\\x0b]select[\\s\\x0b]@|[\\s\\x0b\\(0-9A-Z_a-z]*?select))|[\\s\\x0b]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\\s\\x0b]*?\\(",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942220",
          "name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash",
          "pattern": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942230",
          "name": "Detects conditional SQL injection attempts",
          "pattern": "(?i)[\\s\\x0b\\(\\)]case[\\s\\x0b]+when.*?then|\\)[\\s\\x0b]*?like[\\s\\x0b]*?\\(|select.*?having[\\s\\x0b]*?[^\\s\\x0b]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]|if[\\s\\x0b]?\\([0-9A-Z_a-z]+[\\s\\x0b]*?[<->~]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942240",
          "name": "Detects MySQL charset switch and MSSQL DoS attempts",
          "pattern": "(?i)alter[\\s\\x0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\\s\\x0b]+set[\\s\\x0b]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\\s\\x0b]*?waitfor[\\s\\x0b]+(?:time|delay)[\\s\\x0b]+[\"'`]|;.*?:[\\s\\x0b]*?goto)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942250",
          "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections",
          "pattern": "(?i)m(?:erge.*?using|atch[\\s\\x0b]*?[\\(\\)\\+-\\-0-9A-Z_a-z]+[\\s\\x0b]*?against)[\\s\\x0b]*?\\(|execute[\\s\\x0b]*?immediate[\\s\\x0b]*?[\"'`]",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942270",
          "name": "Looking for basic sql injection. Common attack string for mysql, oracle and others",
          "pattern": "(?i)union.*?select.*?from",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942280",
          "name": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts",
          "pattern": "(?i)select[\\s\\x0b]*?pg_sleep|waitfor[\\s\\x0b]*?delay[\\s\\x0b]?[\"'`]+[\\s\\x0b]?[0-9]|;[\\s\\x0b]*?shutdown[\\s\\x0b]*?(?:[#;\\{]|/\\*|--)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942290",
          "name": "Finds basic MongoDB SQL injection attempts",
          "pattern": "(?i)\\[?\\$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|verseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)\\]?",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942320",
          "name": "Detects MySQL and PostgreSQL stored procedure/function injections",
          "pattern": "(?i)create[\\s\\x0b]+(?:function|procedure)[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?\\([\\s\\x0b]*?\\)[\\s\\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\x0b]*?[0-9A-Z_a-z]+|iv[\\s\\x0b]*?\\([\\+\\-]*[\\s\\x0b\\.0-9]+,[\\+\\-]*[\\s\\x0b\\.0-9]+\\))|exec[\\s\\x0b]*?\\([\\s\\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\x0b]+analyse)[\\s\\x0b]*?\\(|;[\\s\\x0b]*?(?:declare|open)[\\s\\x0b]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942350",
          "name": "Detects MySQL UDF injection and other data/structure manipulation attempts",
          "pattern": "(?i)create[\\s\\x0b]+function[\\s\\x0b].+[\\s\\x0b]returns|;[\\s\\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\b[\\s\\x0b]*?[\\(\\[]?[0-9A-Z_a-z]{2,}",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942360",
          "name": "Detects concatenated basic SQL injection and SQLLFI attempts",
          "pattern": "(?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)\\b[\\s\\x0b]*\\(?|end[\\s\\x0b]*?\\);)|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\\s\\x0b]+as\\b[\\s\\x0b]*[\"'0-9A-Z_-z]+[\\s\\x0b]*\\bfrom|^[^A-Z_a-z]+[\\s\\x0b]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\x0b]+[0-9A-Z_a-z]+|u(?:pdate[\\s\\x0b]+[0-9A-Z_a-z]+|nion[\\s\\x0b]*(?:all|(?:sele|distin)ct)\\b)|alter[\\s\\x0b]*(?:a(?:(?:ggregat|pplication[\\s\\x0b]*rol)e|s(?:sembl|ymmetric[\\s\\x0b]*ke)y|u(?:dit|thorization)|vailability[\\s\\x0b]*group)|b(?:roker[\\s\\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\x0b]*key)|terialized)|e(?:ssage[\\s\\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\x0b]*schema|srobject))\\b)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942500",
          "name": "MySQL in-line comment detected",
          "pattern": "(?i)/\\*[\\s\\x0b]*?[!\\+](?:[\\s\\x0b\\(\\)\\-0-9=A-Z_a-z]+)?\\*/",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942540",
          "name": "SQL Authentication bypass (split query)",
          "pattern": "^(?:[^']*'|[^\"]*\"|[^`]*`)[\\s\\x0b]*;",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "paranoia-level/1",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942560",
          "name": "MySQL Scientific Notation payload detected",
          "pattern": "(?i)1\\.e(?:[\\(\\),]|\\.[\\$0-9A-Z_a-z])",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        },
        {
          "id": "942550",
          "name": "JSON-Based SQL Injection",
          "pattern": "(?i)[\"'`][\\[\\{][^#\\]\\}]*[\\]\\}]+[\"'`]|(?:[\\-@]>?|<@|@[\\?@]|\\?(?:(?:)|&|\\|#>)|#(?:>>|-)|->>|[<>])[\"'`](?:[\\[\\{][^#\\]\\}]*[\\]\\}]+[\"'`]|\\$[\\.\\[])|\\bjson_extract\\b[^\\(]*\\([^\\)]*\\)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "sqli",
          "enabled": true,
          "tags": [
            "attack-sqli",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SQLI",
            "capec/1000/152/248/66"
          ]
        }
      ]
    },
    {
      "id": "crs-session-fixation",
      "name": "CRS Session Fixation",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Session Fixation (1 rules)",
      "author": "OWASP CRS Project",
      "priority": 10,
      "enabled": true,
      "rules": [
        {
          "id": "943100",
          "name": "Possible Session Fixation Attack: Setting Cookie Values in HTML",
          "pattern": "(?i)\\.cookie\\b.*?;[^0-9A-Z_a-z]*?(?:expires|domain)[^0-9A-Z_a-z]*?=|\\bhttp-equiv[^0-9A-Z_a-z]+set-cookie\\b",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "session_fixation",
          "enabled": true,
          "tags": [
            "attack-fixation",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-SESSION-FIXATION",
            "capec/1000/225/21/593/61"
          ]
        }
      ]
    },
    {
      "id": "crs-java-attack",
      "name": "CRS Java / Deserialization Attack",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Java / Deserialization Attack (3 rules)",
      "author": "OWASP CRS Project",
      "priority": 3,
      "enabled": true,
      "rules": [
        {
          "id": "944100",
          "name": "Remote Command Execution: Suspicious Java class detected",
          "pattern": "java\\.lang\\.(?:runtime|processbuilder)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "deserialization",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-JAVA",
            "capec/1000/152/137/6"
          ]
        },
        {
          "id": "944140",
          "name": "Java Injection Attack: Java Script File Upload Found",
          "pattern": ".*\\.(?:jsp|jspx)\\.*$",
          "targets": [
            "headers"
          ],
          "action": "score",
          "score": 10,
          "severity": "critical",
          "category": "deserialization",
          "enabled": true,
          "tags": [
            "attack-injection-java",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-JAVA",
            "capec/1000/152/242"
          ]
        },
        {
          "id": "944150",
          "name": "Potential Remote Command Execution: Log4j / Log4shell",
          "pattern": "(?i)(?:\\$|&dollar;?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]{0,15}(?:\\$|&dollar;?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)",
          "targets": [
            "all"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "deserialization",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-JAVA",
            "capec/1000/152/137/6"
          ]
        }
      ]
    },
    {
      "id": "crs-data-leakage",
      "name": "CRS Data Leakage Detection",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Data Leakage Detection (2 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "950130",
          "name": "Directory Listing",
          "pattern": "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\\[To Parent Directory\\]</[Aa]><br>)",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES",
            "capec/1000/118/116/54/127"
          ]
        },
        {
          "id": "950140",
          "name": "CGI source code leakage",
          "pattern": "^#\\!\\s?/",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES",
            "capec/1000/118/116"
          ]
        }
      ]
    },
    {
      "id": "crs-data-leakage-sql",
      "name": "CRS SQL Data Leakage",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS SQL Data Leakage (16 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "951110",
          "name": "Microsoft Access SQL Information Leakage",
          "pattern": "(?i)(?:JET|Access) Database Engine|\\[Microsoft\\]\\[ODBC Microsoft Access Driver\\]",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951120",
          "name": "Oracle SQL Information Leakage",
          "pattern": "(?i)\\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\\.sql\\.SQLException|Oracle(?: erro|[^\\(\\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951130",
          "name": "DB2 SQL Information Leakage",
          "pattern": "(?i)DB2 SQL error|\\[IBM\\]\\[CLI Driver\\]\\[DB2/6000\\]|CLI Driver.*DB2|db2_[0-9A-Z_a-z]+\\(\\)",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951140",
          "name": "EMC SQL Information Leakage",
          "pattern": "(?i)\\[DM_QUERY_E_SYNTAX\\]|has occurred in the vicinity of:",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951150",
          "name": "firebird SQL Information Leakage",
          "pattern": "(?i)Dynamic SQL Error",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951160",
          "name": "Frontbase SQL Information Leakage",
          "pattern": "(?i)Exception (?:condition )?\\d+\\. Transaction rollback\\.",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951170",
          "name": "hsqldb SQL Information Leakage",
          "pattern": "(?i)org\\.hsqldb\\.jdbc",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951180",
          "name": "informix SQL Information Leakage",
          "pattern": "(?i)An illegal character has been found in the statement|com\\.informix\\.jdbc|Exception.*Informix",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951190",
          "name": "ingres SQL Information Leakage",
          "pattern": "(?i)Warning.*ingres_|Ingres(?: SQLSTATE|[^0-9A-Z_a-z].*Driver)",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951200",
          "name": "interbase SQL Information Leakage",
          "pattern": "(?i)<b>Warning</b>: ibase_|Unexpected end of command in statement",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951210",
          "name": "maxDB SQL Information Leakage",
          "pattern": "(?i)Warning.{1,10}maxdb[\\(\\):_a-z]{1,26}:",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951220",
          "name": "mssql SQL Information Leakage",
          "pattern": "(?i)S(?:y(?:stem\\.Data\\.(?:OleDb\\.OleDb|SqlClient\\.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|\\[(?:SqlException|M(?:icrosoft\\]\\[ODBC SQL Server|acromedia\\]\\[SQLServer JDBC) Driver\\])|(?:Exception.*[^0-9A-Z_a-z]System\\.Data\\.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt\\.|D(?:river.*SQL[ \\-_]*Server|ata type mismatch in criteria expression\\.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB\\.Field \\(0x800A0BCD|mssql_query\\()\\)|the used select statements have different number of columns|Warning.*mssql_.*",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951230",
          "name": "mysql SQL Information Leakage",
          "pattern": "(?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\\(\\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\\.)|\\[MySQL\\]\\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\\(\\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \\([0-9a-z]{5}\\)|XPATH syntax error):",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951240",
          "name": "postgres SQL Information Leakage",
          "pattern": "(?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\\(\\) \\[|org\\.postgresql\\.util\\.PSQLException):|Warning.{1,20}\\bpg_.*|valid PostgreSQL result|Npgsql\\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951250",
          "name": "sqlite SQL Information Leakage",
          "pattern": "(?i)Warning.*(?:sqlite_|SQLite3::)|S(?:QLite(?:/JDBCDriver|\\.Exception)|ystem\\.Data\\.SQLite\\.SQLiteException)",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        },
        {
          "id": "951260",
          "name": "Sybase SQL Information Leakage",
          "pattern": "(?i)Sybase(?: message:|.*Server message)|Warning.{2,20}sybase",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-SQL",
            "capec/1000/118/116/54"
          ]
        }
      ]
    },
    {
      "id": "crs-data-leakage-java",
      "name": "CRS Java Data Leakage",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Java Data Leakage (1 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "952110",
          "name": "Java Errors",
          "pattern": "(?i)\\b(?:java[\\.a-z]+E(?:xception|rror)|(?:org|com)\\.[\\.a-z]+Exception|Exception in thread \"[^\"]*\"|at[\\s\\x0b]+(?:ja(?:vax?|karta)|org|com))\\b",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-JAVA",
            "capec/1000/118/116"
          ]
        }
      ]
    },
    {
      "id": "crs-data-leakage-php",
      "name": "CRS PHP Data Leakage",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS PHP Data Leakage (2 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "953110",
          "name": "PHP source code leakage",
          "pattern": "(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-PHP",
            "capec/1000/118/116"
          ]
        },
        {
          "id": "953120",
          "name": "PHP source code leakage",
          "pattern": "(?i)<\\?(?:=|php)?\\s+",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-PHP",
            "capec/1000/118/116"
          ]
        }
      ]
    },
    {
      "id": "crs-data-leakage-iis",
      "name": "CRS IIS Data Leakage",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS IIS Data Leakage (2 rules)",
      "author": "OWASP CRS Project",
      "priority": 15,
      "enabled": true,
      "rules": [
        {
          "id": "954100",
          "name": "Disclosure of IIS install location",
          "pattern": "(?i)[a-z]:[\\x5c/]inetpub\\b",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-IIS",
            "capec/1000/118/116"
          ]
        },
        {
          "id": "954110",
          "name": "Application Availability Error",
          "pattern": "(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\\.</h2>|cannot connect to the server: timed out)",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 8,
          "severity": "high",
          "category": "data_leakage",
          "enabled": true,
          "tags": [
            "attack-disclosure",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/DATA-LEAKAGES-IIS",
            "capec/1000/118/116"
          ]
        }
      ]
    },
    {
      "id": "crs-web-shells",
      "name": "CRS Web Shell Detection",
      "version": "4.24.1",
      "source": "owasp-crs",
      "description": "OWASP CRS v4.24.1 — CRS Web Shell Detection (23 rules)",
      "author": "OWASP CRS Project",
      "priority": 3,
      "enabled": true,
      "rules": [
        {
          "id": "955110",
          "name": "r57 web shell",
          "pattern": "<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955120",
          "name": "WSO web shell",
          "pattern": "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955130",
          "name": "b4tm4n web shell",
          "pattern": "B4TM4N SH3LL</title>[^<]*<meta name='author' content='k4mpr3t'/>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955140",
          "name": "Mini Shell web shell",
          "pattern": "<title>Mini Shell</title>[^D]*Developed By LameHacker",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955150",
          "name": "Ashiyane web shell",
          "pattern": "<title>\\.:: [^~]*~ Ashiyane V [0-9.]+ ::\\.</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955160",
          "name": "Symlink_Sa web shell",
          "pattern": "<title>Symlink_Sa [0-9.]+</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955170",
          "name": "CasuS web shell",
          "pattern": "<title>CasuS [0-9.]+ by MafiABoY</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955180",
          "name": "GRP WebShell",
          "pattern": "^<html>\\r\\n<head>\\r\\n<title>GRP WebShell [0-9.]+ ",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955190",
          "name": "NGHshell web shell",
          "pattern": "<small>NGHshell [0-9.]+ by Cr4sh</body></html>\\n$",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955200",
          "name": "SimAttacker web shell",
          "pattern": "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - ",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955210",
          "name": "Unknown web shell",
          "pattern": "^<!DOCTYPE html>\\n<html>\\n<!-- By Artyum [^<]*<title>Web Shell</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955220",
          "name": "lama\\",
          "pattern": "<title>lama's'hell v. [0-9.]+</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955230",
          "name": "lostDC web shell",
          "pattern": "^ *<html>\\n[ ]+<head>\\n[ ]+<title>lostDC - ",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955240",
          "name": "Unknown web shell",
          "pattern": "^<title>PHP Web Shell</title>\\r\\n<html>\\r\\n<body>\\r\\n    <!-- Replaces command with Base64-encoded Data -->",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955250",
          "name": "Unknown web shell",
          "pattern": "^<html>\\n<head>\\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955260",
          "name": "Ru24PostWebShell web shell",
          "pattern": "^<html>\\n<head>\\n<title>Ru24PostWebShell ",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955270",
          "name": "s72 Shell web shell",
          "pattern": "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955280",
          "name": "PhpSpy web shell",
          "pattern": "^<html>\\r\\n<head>\\r\\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\\r\\n<title>PhpSpy Ver [0-9]+</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955290",
          "name": "g00nshell web shell",
          "pattern": "^ <html>\\n\\n<head>\\n\\n<title>g00nshell v[0-9.]+ ",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955310",
          "name": "azrail web shell",
          "pattern": "^<html>\\n      <head>\\n             <title>azrail [0-9.]+ by C-W-M</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955320",
          "name": "SmEvK_PaThAn Shell web shell",
          "pattern": ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955330",
          "name": "Shell I web shell",
          "pattern": "^<html>\\n<title>[^~]*~ Shell I</title>\\n<head>\\n<style>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        },
        {
          "id": "955340",
          "name": "b374k m1n1 web shell",
          "pattern": "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>",
          "targets": [
            "body"
          ],
          "action": "block",
          "score": 10,
          "severity": "critical",
          "category": "rce",
          "enabled": true,
          "tags": [
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/WEB-SHELLS",
            "capec/1000/225/122/17/650"
          ]
        }
      ]
    }
  ]
}