From 228ac0cde5d31038f333fc6ce8948e395065154d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Mon, 25 Oct 2010 18:38:54 +0000
Subject: [PATCH] refactoring regarding --check-payload

---
 lib/core/common.py                          |   3 +-
 lib/request/connect.py                      |   2 +-
 lib/utils/{detection.py => checkpayload.py} |   2 +-
 xml/detection.xml                           | 740 --------------------
 xml/phpids_rules.xml                        | 199 ++++++
 5 files changed, 202 insertions(+), 744 deletions(-)
 rename lib/utils/{detection.py => checkpayload.py} (96%)
 delete mode 100644 xml/detection.xml
 create mode 100644 xml/phpids_rules.xml

diff --git a/lib/core/common.py b/lib/core/common.py
index 0eae435a5..86f6380b0 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -642,8 +642,7 @@ def setPaths():
     paths.COMMON_OUTPUTS         = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
     paths.COMMON_TABLES          = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
     paths.SQL_KEYWORDS            = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
-    paths.FUZZ_VECTORS           = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
-    paths.DETECTION_RULES_XML    = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
+    paths.PHPIDS_RULES_XML    = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
     paths.ERRORS_XML             = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
     paths.INJECTIONS_XML         = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
     paths.LIVE_TESTS_XML         = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")
diff --git a/lib/request/connect.py b/lib/request/connect.py
index d4271768e..a14618445 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -30,7 +30,7 @@ from lib.request.basic import parseResponse
 from lib.request.direct import direct
 from lib.request.comparison import comparison
 from lib.request.methodrequest import MethodRequest
-from lib.utils.detection import checkPayload
+from lib.utils.checkpayload import checkPayload
 
 
 class Connect:
diff --git a/lib/utils/detection.py b/lib/utils/checkpayload.py
similarity index 96%
rename from lib/utils/detection.py
rename to lib/utils/checkpayload.py
index 63a6cafc5..4b619ce5b 100644
--- a/lib/utils/detection.py
+++ b/lib/utils/checkpayload.py
@@ -40,7 +40,7 @@ def checkPayload(payload):
     payload = urldecode(payload)
 
     if not rules:
-        xmlrules = readXmlFile(paths.DETECTION_RULES_XML)
+        xmlrules = readXmlFile(paths.PHPIDS_RULES_XML)
         rules = []
 
         for xmlrule in xmlrules.getElementsByTagName("filter"):
diff --git a/xml/detection.xml b/xml/detection.xml
deleted file mode 100644
index cd803fcaf..000000000
--- a/xml/detection.xml
+++ /dev/null
@@ -1,740 +0,0 @@
-<filters>
-    <filter>
-        <id>1</id>
-        <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
-        <description>finds html breaking injections including whitespace attacks</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>2</id>
-        <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>
-        <description>finds attribute breaking injections including whitespace attacks</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>69</id>
-        <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style|poster|background)=[$"\w])]]></rule>
-        <description>finds malicious attribute injection attempts</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>	
-    <filter>
-        <id>3</id>
-        <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
-        <description>finds unquoted attribute breaking injections</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>2</impact>
-    </filter>
-    <filter>
-        <id>4</id>
-        <rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule>
-        <description>Detects url-, name-, JSON, and referrer-contained payload attacks</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>5</id>
-        <rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule>
-        <description>Detects hash-contained xss payload attacks, setter usage and property overloading</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>6</id>
-        <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>
-        <description>Detects self contained xss via with(), common loops and regex to string conversion</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>7</id>
-        <rule><![CDATA[(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)]]></rule>
-        <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>8</id>
-        <rule><![CDATA[(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
-        <description>Detects self-executing JavaScript functions</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>9</id>
-        <rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule>
-        <description>Detects the IE octal, hex and unicode entities</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>2</impact>
-    </filter>
-    <filter>
-        <id>10</id>
-        <rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule>
-        <description>Detects basic directory traversal</description>
-        <tags>
-            <tag>dt</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>11</id>
-        <rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule>
-        <description>Detects specific directory and path traversal</description>
-        <tags>
-            <tag>dt</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>12</id>
-        <rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
-        <description>Detects etc/passwd inclusion attempts</description>
-        <tags>
-            <tag>dt</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>13</id>
-        <rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule>
-        <description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>3</impact>
-    </filter>
-    <filter>
-        <id>14</id>
-        <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
-        <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>15</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
-        <description>Detects JavaScript DOM/miscellaneous properties and methods</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>16</id>
-        <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
-        <description>Detects possible includes and typical script methods</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>17</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%.+\-]))]]></rule>
-        <description>Detects JavaScript object properties and methods</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>18</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
-        <description>Detects JavaScript array properties and methods</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>19</id>
-        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
-        <description>Detects JavaScript string properties and methods</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>20</id>
-        <rule><![CDATA[(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%".+\-]))]]></rule>
-        <description>Detects JavaScript language constructs</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>21</id>
-        <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
-        <description>Detects very basic XSS probings</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>3</impact>
-    </filter>
-    <filter>
-        <id>22</id>
-        <rule><![CDATA[(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
-        <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>	
-    <filter>
-        <id>23</id>
-        <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule>
-        <description>Detects JavaScript location/document property access and window access obfuscation</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>    
-    <filter>
-        <id>24</id>
-        <rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule>
-        <description>Detects basic obfuscated JavaScript script injections</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>25</id>
-        <rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule>
-        <description>Detects obfuscated JavaScript script injections</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>26</id>
-        <rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule>
-        <description>Detects JavaScript cookie stealing and redirection attempts</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>27</id>
-        <rule><![CDATA[(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule>
-        <description>Detects data: URL injections, VBS injections and common URI schemes</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>28</id>
-        <rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule>
-        <description>Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>29</id>    
-        <rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule>
-        <description>Detects bindings and behavior injections</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>30</id>
-        <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
-        <description>Detects common XSS concatenation patterns 1/2</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>31</id>
-        <rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule>
-        <description>Detects common XSS concatenation patterns 2/2</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>32</id>
-        <rule><![CDATA[(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)]]></rule>
-        <description>Detects possible event handlers</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>33</id>
-        <rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule>
-        <description>Detects obfuscated script tags and XML wrapped HTML</description>
-        <tags>
-            <tag>xss</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>34</id>
-        <rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule>
-        <description>Detects attributes in closing tags and conditional compilation tokens</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>35</id>
-        <rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule>
-        <description>Detects common comment types</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>3</impact>
-    </filter>
-    <filter>
-        <id>37</id>
-        <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule>
-        <description>Detects base href injections and XML entity injections</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>38</id>
-        <rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule>
-        <description>Detects possibly malicious html elements including some attributes</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>   
-    <filter>
-        <id>39</id>
-        <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>
-        <description>Detects nullbytes and other dangerous characters</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>xss</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>   
-    <filter>
-        <id>40</id>
-        <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
-        <description>Detects MySQL comments, conditions and ch(a)r injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>   
-    <filter>
-        <id>41</id>
-        <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
-        <description>Detects conditional SQL injection attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>   
-    <filter>
-        <id>42</id>
-        <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
-        <description>Detects classic SQL injection probings 1/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>  
-    <filter>
-        <id>43</id>
-        <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
-        <description>Detects classic SQL injection probings 2/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter> 
-    <filter>
-        <id>44</id>
-        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 1/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter> 
-    <filter>
-        <id>45</id>
-        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 2/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-     <filter>
-        <id>46</id>
-        <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 3/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter> 
-    <filter>
-        <id>47</id>
-        <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
-        <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>48</id>
-        <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
-        <description>Detects chained SQL injection attempts 1/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>49</id>
-        <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
-        <description>Detects chained SQL injection attempts 2/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>50</id>
-        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
-        <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>51</id>
-        <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
-        <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>52</id>
-        <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
-        <description>Detects MySQL charset switch and MSSQL DoS attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>53</id>
-        <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
-        <description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-    <filter>
-        <id>54</id>
-        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
-        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>55</id>
-        <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
-        <description>Detects MSSQL code execution and information gathering attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>56</id>
-        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
-        <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>57</id>
-        <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
-        <description>Detects MySQL comment-/space-obfuscated injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>   
-    <filter>
-        <id>58</id>
-        <rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule>
-        <description>Detects code injection attempts 1/3</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>   
-    <filter>
-        <id>59</id>
-        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule>
-        <description>Detects code injection attempts 2/3</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-    <filter>
-        <id>60</id>
-        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule>
-        <description>Detects code injection attempts 3/3</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-    <filter>
-        <id>61</id>
-        <rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule>
-        <description>Detects url injections and RFE attempts</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>   
-    <filter>
-        <id>62</id>
-        <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule>
-        <description>Detects common function declarations and special JS operators</description>
-        <tags>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>  
-    <filter>
-        <id>63</id>
-        <rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule>
-        <description>Detects common mail header injections</description>
-        <tags>
-            <tag>id</tag>
-            <tag>spam</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>64</id>
-        <rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule>
-        <description>Detects perl echo shellcode injection and LDAP vectors</description>
-        <tags>
-            <tag>lfi</tag>
-            <tag>rfe</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>65</id>
-        <rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule>
-        <description>Detects basic XSS DoS attempts</description>
-        <tags>
-            <tag>rfe</tag>
-            <tag>dos</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>67</id>
-        <rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule>
-        <description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-            <tag>id</tag>
-            <tag>rfe</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-    <filter>
-        <id>68</id>
-        <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule>
-        <description>finds attribute breaking injections including obfuscated attributes</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter> 
-    <filter>
-        <id>69</id>
-        <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule>
-        <description>finds basic VBScript injection attempts</description>
-        <tags>
-            <tag>xss</tag>
-            <tag>csrf</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>70</id>
-        <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
-        <description>finds basic MongoDB SQL injection attempts</description>
-        <tags>
-            <tag>sqli</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-</filters>
diff --git a/xml/phpids_rules.xml b/xml/phpids_rules.xml
new file mode 100644
index 000000000..118a5f491
--- /dev/null
+++ b/xml/phpids_rules.xml
@@ -0,0 +1,199 @@
+<filters>
+    <filter>
+        <id>40</id>
+        <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
+        <description>Detects MySQL comments, conditions and ch(a)r injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>   
+    <filter>
+        <id>41</id>
+        <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
+        <description>Detects conditional SQL injection attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>   
+    <filter>
+        <id>42</id>
+        <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
+        <description>Detects classic SQL injection probings 1/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>  
+    <filter>
+        <id>43</id>
+        <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
+        <description>Detects classic SQL injection probings 2/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter> 
+    <filter>
+        <id>44</id>
+        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 1/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
+    <filter>
+        <id>45</id>
+        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 2/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+     <filter>
+        <id>46</id>
+        <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 3/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
+    <filter>
+        <id>47</id>
+        <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
+        <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>48</id>
+        <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
+        <description>Detects chained SQL injection attempts 1/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>49</id>
+        <rule><![CDATA[(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
+        <description>Detects chained SQL injection attempts 2/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>50</id>
+        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
+        <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>51</id>
+        <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
+        <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>52</id>
+        <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
+        <description>Detects MySQL charset switch and MSSQL DoS attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>53</id>
+        <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
+        <description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+    <filter>
+        <id>54</id>
+        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
+        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>55</id>
+        <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
+        <description>Detects MSSQL code execution and information gathering attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>56</id>
+        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
+        <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>57</id>
+        <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
+        <description>Detects MySQL comment-/space-obfuscated injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>   
+    <filter>
+        <id>70</id>
+        <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
+        <description>finds basic MongoDB SQL injection attempts</description>
+        <tags>
+            <tag>sqli</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+</filters>