Location: PHPKode > projects > Sphider Plus > sphider-plus_v.2.9/include/IDS/default_filter.xml
<filters>
    <filter>
        <id>1</id>
        <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
        <description>finds html breaking injections including whitespace attacks</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>2</id>
        <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>
        <description>finds attribute breaking injections including whitespace attacks</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>3</id>
        <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
        <description>finds unquoted attribute breaking injections</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>2</impact>
    </filter>
    <filter>
        <id>4</id>
        <rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule>
        <description>Detects url-, name-, JSON, and referrer-contained payload attacks</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>5</id>
        <rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule>
        <description>Detects hash-contained xss payload attacks, setter usage and property overloading</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>6</id>
        <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>
        <description>Detects self contained xss via with(), common loops and regex to string conversion</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>7</id>
        <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
        <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>8</id>
        <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
        <description>Detects self-executing JavaScript functions</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>9</id>
        <rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule>
        <description>Detects the IE octal, hex and unicode entities</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>2</impact>
    </filter>
    <filter>
        <id>10</id>
        <rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule>
        <description>Detects basic directory traversal</description>
        <tags>
            <tag>dt</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>11</id>
        <rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule>
        <description>Detects specific directory and path traversal</description>
        <tags>
            <tag>dt</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>12</id>
        <rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
        <description>Detects etc/passwd inclusion attempts</description>
        <tags>
            <tag>dt</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>13</id>
        <rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule>
        <description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>3</impact>
    </filter>
    <filter>
        <id>14</id>
        <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
        <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>15</id>
        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
        <description>Detects JavaScript DOM/miscellaneous properties and methods</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>6</impact>
    </filter>
    <filter>
        <id>16</id>
        <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
        <description>Detects possible includes and typical script methods</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>17</id>
        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
        <description>Detects JavaScript object properties and methods</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>18</id>
        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
        <description>Detects JavaScript array properties and methods</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>19</id>
        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
        <description>Detects JavaScript string properties and methods</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>20</id>
        <rule><![CDATA[(?:\)\s*\[)|([^*":\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-\/]))]]></rule>
        <description>Detects JavaScript language constructs</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>21</id>
        <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^.a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
        <description>Detects very basic XSS probings</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>3</impact>
    </filter>
    <filter>
        <id>22</id>
        <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*[gimx]*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
        <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>5</impact>
    </filter>	
    <filter>
        <id>23</id>
        <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule>
        <description>Detects JavaScript location/document property access and window access obfuscation</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>    
    <filter>
        <id>24</id>
        <rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule>
        <description>Detects basic obfuscated JavaScript script injections</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>25</id>
        <rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule>
        <description>Detects obfuscated JavaScript script injections</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>26</id>
        <rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule>
        <description>Detects JavaScript cookie stealing and redirection attempts</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>27</id>
        <rule><![CDATA[(?:(?:vbs|vbscript|data):.*[,+])|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule>
        <description>Detects data: URL injections, VBS injections and common URI schemes</description>
        <tags>
            <tag>xss</tag>
            <tag>rfe</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>28</id>
        <rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule>
        <description>Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution</description>
        <tags>
            <tag>xss</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
            <tag>csrf</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>29</id>    
        <rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule>
        <description>Detects bindings and behavior injections</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>30</id>
        <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
        <description>Detects common XSS concatenation patterns 1/2</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>31</id>
        <rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule>
        <description>Detects common XSS concatenation patterns 2/2</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>32</id>
        <rule><![CDATA[(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)]]></rule>
        <description>Detects possible event handlers</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>33</id>
        <rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule>
        <description>Detects obfuscated script tags and XML wrapped HTML</description>
        <tags>
            <tag>xss</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>34</id>
        <rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule>
        <description>Detects attributes in closing tags and conditional compilation tokens</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>35</id>
        <rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule>
        <description>Detects common comment types</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
        </tags>
        <impact>3</impact>
    </filter>
    <filter>
        <id>37</id>
        <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule>
        <description>Detects base href injections and XML entity injections</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>38</id>
        <rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule>
        <description>Detects possibly malicious html elements including some attributes</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>4</impact>
    </filter>   
    <filter>
        <id>39</id>
        <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>
        <description>Detects nullbytes and other dangerous characters</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>xss</tag>
        </tags>
        <impact>5</impact>
    </filter>   
    <filter>
        <id>40</id>
        <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
        <description>Detects MySQL comments, conditions and ch(a)r injections</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>6</impact>
    </filter>   
    <filter>
        <id>41</id>
        <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
        <description>Detects conditional SQL injection attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>6</impact>
    </filter>   
    <filter>
        <id>42</id>
        <rule><![CDATA[(?:"\s*or\s*"?\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)|(?:\Winformation_schema|table_name\W)]]></rule>
        <description>Detects classic SQL injection probings 1/2</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>6</impact>
    </filter>  
    <filter>
        <id>43</id>
        <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[^\d]+[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
        <description>Detects classic SQL injection probings 2/2</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>6</impact>
    </filter> 
    <filter>
        <id>44</id>
        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
        <description>Detects basic SQL authentication bypass attempts 1/3</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter> 
    <filter>
        <id>45</id>
        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule>
        <description>Detects basic SQL authentication bypass attempts 2/3</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter>
     <filter>
        <id>46</id>
        <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
        <description>Detects basic SQL authentication bypass attempts 3/3</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter> 
    <filter>
        <id>47</id>
        <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
        <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>48</id>
        <rule><![CDATA[(?:@.+=\s*\(\s*select)|(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
        <description>Detects chained SQL injection attempts 1/2</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>6</impact>
    </filter>
    <filter>
        <id>49</id>
        <rule><![CDATA[(?:"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
        <description>Detects chained SQL injection attempts 2/2</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>6</impact>
    </filter>
    <filter>
        <id>50</id>
        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
        <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>51</id>
        <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
        <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>6</impact>
    </filter>
    <filter>
        <id>52</id>
        <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
        <description>Detects MySQL charset switch and MSSQL DoS attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>6</impact>
    </filter>
    <filter>
        <id>53</id>
        <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
        <description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>7</impact>
    </filter>
    <filter>
        <id>54</id>
        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>55</id>
        <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
        <description>Detects MSSQL code execution and information gathering attempts</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>56</id>
        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s\-])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
        <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>57</id>
        <rule><![CDATA[(?:,.*[)\da-f"]"(?:".*"|\Z|[^"]+))|(?:\Wselect.+\W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
        <description>Detects MySQL comment-/space-obfuscated injections and backtick termination</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>   
    <filter>
        <id>58</id>
        <rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule>
        <description>Detects code injection attempts 1/3</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter>   
    <filter>
        <id>59</id>
        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule>
        <description>Detects code injection attempts 2/3</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter>
    <filter>
        <id>60</id>
        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule>
        <description>Detects code injection attempts 3/3</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter>
    <filter>
        <id>61</id>
        <rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule>
        <description>Detects url injections and RFE attempts</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>   
    <filter>
        <id>62</id>
        <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule>
        <description>Detects common function declarations and special JS operators</description>
        <tags>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>5</impact>
    </filter>  
    <filter>
        <id>63</id>
        <rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule>
        <description>Detects common mail header injections</description>
        <tags>
            <tag>id</tag>
            <tag>spam</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>64</id>
        <rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule>
        <description>Detects perl echo shellcode injection and LDAP vectors</description>
        <tags>
            <tag>lfi</tag>
            <tag>rfe</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>65</id>
        <rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule>
        <description>Detects basic XSS DoS attempts</description>
        <tags>
            <tag>rfe</tag>
            <tag>dos</tag>
        </tags>
        <impact>5</impact>
    </filter>
    <filter>
        <id>67</id>
        <rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule>
        <description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
            <tag>id</tag>
            <tag>rfe</tag>
            <tag>lfi</tag>
        </tags>
        <impact>7</impact>
    </filter>
    <filter>
        <id>68</id>
        <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule>
        <description>Finds attribute breaking injections including obfuscated attributes</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter> 
    <filter>
        <id>69</id>
        <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule>
        <description>Finds basic VBScript injection attempts</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>70</id>
        <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
        <description>Finds basic MongoDB SQL injection attempts</description>
        <tags>
            <tag>sqli</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>71</id>
        <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])|(?:-type\s*:\s*multipart)]]></rule>
        <description>finds malicious attribute injection attempts and MHTML attacks</description>
        <tags>
            <tag>xss</tag>
            <tag>csrf</tag>
        </tags>
        <impact>6</impact>
    </filter>
  <filter>
        <id>72</id>
        <rule><![CDATA[(?:(sleep\((\s*)(\d*)(\s*)\)|benchmark\((.*)\,(.*)\)))]]></rule>
        <description>Detects blind sqli tests using sleep() or benchmark().</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>4</impact>
    </filter>
    <filter>
        <id>73</id>
        <rule><![CDATA[(?i:(\%SYSTEMROOT\%))]]></rule>
        <description>An attacker is trying to locate a file to read or write.</description>
        <tags>
            <tag>files</tag>
            <tag>id</tag>
        </tags>
        <impact>4</impact>
    </filter>   
    <filter>
        <id>74</id>
        <rule><![CDATA[(?i:(ping(.*)[\-(.*)\w|\w(.*)\-]))]]></rule>
        <description>Detects remote code exectuion tests. Will match "ping -n 3 localhost" and "ping localhost -n 3" </description>
        <tags>
            <tag>Command Execution</tag>
            <tag>id</tag>
        </tags>
        <impact>5</impact>
    </filter>       
    <filter>
        <id>75</id>
        <rule><![CDATA[(?:(((.*)\%[c|d|i|e|f|g|o|s|u|x|p|n]){8}))]]></rule>
        <description>Looking for a format string attack</description>
        <tags>
            <tag>format string</tag>
        </tags>
        <impact>4</impact>
    </filter> 
    <filter>
        <id>76</id>
        <rule><![CDATA[(?:(union(.*)select(.*)from))]]></rule>
        <description>Looking for basic sql injection. Common attack string for mysql, oracle and others.</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>3</impact>
    </filter>
    <filter>
        <id>77</id>
        <rule><![CDATA[(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)]]></rule>
        <description>Looking for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the "magic number" crash</description>
        <tags>
            <tag>sqli</tag>
            <tag>id</tag>
        </tags>
        <impact>3</impact>
    </filter>        
</filters>
Return current item: Sphider Plus