# all.conf
# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
    "deny,log,auditlog,severity:'2',id:'96029',status:406\
    msg:'Content-Length HTTP header is not numeric'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:406,severity:'2',\
    id:'96024',msg:'GET or HEAD requests with bodies',\
    tag:'PROTOCOL_VIOLATION/EVASION'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:406,id:'96025',\
    msg:'POST request must have a Content-Length header',\
    tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we don't know how to handle
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" \
    "phase:2,t:none,deny,log,auditlog,status:406,id:'96026',severity:'3',\
    msg:'ModSecurity does not support transfer encodings',\
    tag:'PROTOCOL_VIOLATION/EVASION'"

# Proxy access attempt
SecRule REQUEST_URI_RAW ^\w+:/ \
    "phase:2,t:none,deny,log,auditlog,status:406,severity:'2',id:'96027',\
    msg:'Proxy access attempt',\
    tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"

# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    "@validateByteRange 1-255" \
    "log,auditlog,deny,status:406,severity:'2',id:'96028',t:urlDecodeUni,phase:1,\
    msg:'Request Missing an Accept Header'"

# Restricted HTTP headers 
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
    "deny,log,status:406,auditlog,id:'96030',severity:'4',\
    msg:'HTTP header is restricted by policy'"

SecRule HTTP_User-Agent \
    "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
    "deny,status:406,log,auditlog,id:'96031',severity:'2',\
    msg:'Request Indicates a Security Scanner Scanned the Site'"

SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
    "deny,status:406,log,auditlog,id:'96034',severity:'2',\
    msg:'Request Indicates a Security Scanner Scanned the Site'"

SecRule REQUEST_FILENAME "^/nessustest" \
    "deny,status:406,log,auditlog,id:'96035',severity:'2',\
    msg:'Request Indicates a Security Scanner Scanned the Site'"

SecRule REQUEST_HEADERS:User-Agent \
    "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
    "deny,status:406,log,auditlog,id:'96033',severity:'2',\
    msg:'Rogue web site crawler'"

# Session fixation
SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "@pm set-cookie .cookie" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
    t:lowercase,pass,nolog,skip:1,id:15000"
SecAction phase:2,pass,nolog,skipAfter:96017,id:15001

SecRule REQUEST_FILENAME "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
    "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\
    capture,ctl:auditLogParts=+E,log,auditlog,logdata:'%{TX.0}',severity:'2',\
    msg:'Session Fixation',id:'96007',\
    tag:'WEB_ATTACK/SESSION_FIXATION'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,severity:'2',id:'96017',\
    t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,\
    msg:'Session Fixation',\
    tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}'"

# Blind SQL injection
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "@pm sys.user_triggers sys.user_objects @@spid msysaces instr \
    sys.user_views sys.tab charindex sys.user_catalog constraint_type \
    locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns \
    sys.user_constraints waitfor mysql.user sys.all_tables \
    msysrelationships msyscolumns msysqueries" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1,id:15002"
SecAction phase:2,pass,nolog,skipAfter:96016,id:15003

SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,\
    t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,id:'96006',\
    logdata:'%{TX.0}',severity:'2',\
    msg:'Blind SQL Injection Attack',\
    tag:'WEB_ATTACK/SQL_INJECTION'"

SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    id:'96016',t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,\
    log,auditlog,logdata:'%{TX.0}',severity:'2',\
    msg:'Blind SQL Injection Attack',\
    tag:'WEB_ATTACK/SQL_INJECTION'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses \
    user_group sysobjects user_tables systables pg_attribute user_users \
    user_password column_id attrelid user_tab_columns table_name pg_class \
    user_constraints user_objects object_type dba_users sysconstraints \
    mb_users column_name atttypid object_id substring syscat user_ind_columns \
    sysibm syscolumns sysdba object_name" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,\
    t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:15004"
SecAction phase:2,pass,nolog,id:15005

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,\
    log,auditlog,id:'96020',logdata:'%{TX.0}',severity:'2',\
    msg:'Blind SQL Injection Attack',\
    tag:'WEB_ATTACK/SQL_INJECTION'"

# XSS
SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown \
    onchange onkeyup activexobject expression onmouseup ecmascript onmouseover \
    vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown \
    onkeypress asfunction: onclick .fromcharcode background-image: .cookie \
    ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder \
    lowsrc onresize @import alert onselect script onmouseout onmousemove \
    background application .execscript livescript: getspecialfolder vbscript \
    iframe .addimport onunload createtextrange onload <input" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:15009"
SecAction phase:2,pass,nolog,skipAfter:96039,id:15010

SecRule REQUEST_FILENAME \
    "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|fromcharcode|innerhtml)|\@import)\b)" \
    "phase:2,deny,status:406,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,\
    t:lowercase,ctl:auditLogParts=+E,log,auditlog,logdata:'%{TX.0}',\
    id:'96003',severity:'2',\
    msg:'Cross-site Scripting (XSS) Attack',\
    tag:'WEB_ATTACK/XSS'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
    "phase:2,deny,status:406,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'96039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

# file injection
SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:15011"
SecAction phase:2,pass,nolog,skipAfter:96040,id:15012

SecRule REQUEST_FILENAME "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'Remote File Access Attempt',id:'96004',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'Remote File Access Attempt',id:'96040',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
 
# SSI injection
SecRule REQUEST_FILENAME "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'SSI injection Attack',id:'96008',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/* \
    "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    ctl:auditLogParts=+E,deny,log,auditlog,status:406,id:'95911',\
    logdata:'%{TX.0}',severity:'2',\
    msg:'SSI injection Attack',\
    tag:'WEB_ATTACK/SSI_INJECTION'"

# PHP injection
SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/* \
    "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget \
    gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput \
    ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open \
    fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite \
    gzopen gzcompress" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    pass,nolog,skip:1,id:15017"
SecAction pass,nolog,skipAfter:96018,id:15018

SecRule REQUEST_FILENAME "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'PHP Injection Attack',id:'96009',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'PHP Injection Attack',id:'96018',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"

# /index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
SecRule REQUEST_URI "/password_forgotten\.php" \
    "chain,log,deny,status:406,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,\
    t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,\
    t:lowercase,id:13638,rev:1,severity:2,\
    msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zencart PHP code injection attack'"
SecRule ARGS:admin_email "(union select|php|;+|shell_exec|wget|system\()"

# No requests to any .php files with an md5 name in /cache/ folders 
SecRule REQUEST_METHOD "^GET|POST$" \
    "chain,deny,log,auditlog,status:406,severity:'4',id:'13423',\
    msg:'POST request to cache folder',\
    tag:'WEB_ATTACK/SHELL ACCESS'" 
SecRule REQUEST_URI "/cache/[0-9a-f]{32}\.php"

# No requests to any .php files with an external_md5 name in /cache/ folders 
SecRule REQUEST_METHOD "^GET|POST$" \
    "chain,deny,log,auditlog,status:406,id:'13426',severity:'4',\
    msg:'POST request to cache folder',\
    tag:'WEB_ATTACK/SHELL ACCESS'" 
SecRule REQUEST_URI "/cache/external_[0-9a-f]{32}\.php"

# Block requests from SQLMap
SecRule HTTP_User-Agent "^sqlmap" \
    "deny,log,auditlog,status:406,id:'13424',severity:'4',\
    msg:'Request from SQLMap blocked',\
    tag:'WEB_ATTACK/SHELL ACCESS'"
# both.conf
# Zen Cart/OSC Vuln. Ruleset (from http://updates.atomicorp.com/channels/rules/delayed/)
# Added by T3/ErikS 7/10/11

# Rule 310019: Zen Cart Input Validation Hole in 'password_forgotten.php' sql injection
SecRule REQUEST_URI "admin/password_forgotten\.php" \
    "chain,deny,status:406,id:13019"
SecRule ARGS:admin_email "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into)"

#Zen Cart SQL injection
SecRule REQUEST_URI "/admin/sqlpatch\.php" \
    "chain,deny,status:406,t:urlDecodeUni,t:lowercase,id:13628,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zen Cart SQL injection exploit'"
SecRule ARGS "sql@jah"

#/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
SecRule REQUEST_URI "/password_forgotten\.php" \
    "chain,log,deny,status:406,auditlog,t:urlDecodeUni,t:lowercase,id:13637,rev:1,severity:2,\
    msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zencart PHP code injection attack'"
SecRule ARGS:action "^insert$" chain
SecRule ARGS|REQUEST_BODY "(php|;+|shell_exec|wget|system\()"


#zencart sql injection
SecRule REQUEST_URI "/sqlpatch\.php/password_forgotten\.php" \
    "log,deny,status:406,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,\
    t:compressWhiteSpace,capture,id:13757,rev:4,severity:2,logdata:'%{TX.0}',\
    msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: ZenCart Sql Injection Exploit'"

#OS Commerce banner_manager.php file upload exploit
SecRule REQUEST_URI "/admin/banner_manager\.php/login.php\?action\=insert" \
    "log,deny,status:406,auditlog,id:13535,rev:1,severity:2,\
    msg:'OS Commerce banner_manager.php file upload exploit'"

#OS Commerce categories.php file upload exploit
SecRule REQUEST_URI "/admin/categories\.php/login\.php\?cPath\=\&action\=new_product_preview" \
    "log,deny,status:406,auditlog,id:13536,rev:1,severity:2,\
    msg:'OS Commerce categories.php file upload exploit'"
# ded.conf
SecRule REQUEST_HEADERS:User-Agent \
    "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
    "chain,deny,status:406,log,auditlog,id:'96032',severity:'5',\
    msg:'Request Indicates an automated program explored the site'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

# Command access
# Note: These were copied from the CRS which replaced them
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'System Command Access',id:'96002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
    "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:15015"
SecAction pass,nolog,skipAfter:96015,id:15016

# SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
#     "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)(?:[\'\"\|\;\`\-\s]|$))" \
#     "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'System Command Injection',id:'96015',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"