From 231ea51fe69e0f6164a5418f4aee16935e93f25b Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Fri, 1 Feb 2013 17:10:40 +0100
Subject: [PATCH] Removing leftover

---
 xml/phpids_rules.xml | 199 -------------------------------------------
 1 file changed, 199 deletions(-)
 delete mode 100644 xml/phpids_rules.xml

diff --git a/xml/phpids_rules.xml b/xml/phpids_rules.xml
deleted file mode 100644
index fa3690fa0..000000000
--- a/xml/phpids_rules.xml
+++ /dev/null
@@ -1,199 +0,0 @@
-<filters>
-    <filter>
-        <id>40</id>
-        <rule><![CDATA[(?:\)\s*when\s*\d+\s*then)|(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
-        <description>Detects MySQL comments, conditions and ch(a)r injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>   
-    <filter>
-        <id>41</id>
-        <rule><![CDATA[(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
-        <description>Detects conditional SQL injection attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>   
-    <filter>
-        <id>42</id>
-        <rule><![CDATA[(?:"\s*or\s*\d)|(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
-        <description>Detects classic SQL injection probings 1/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>  
-    <filter>
-        <id>43</id>
-        <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
-        <description>Detects classic SQL injection probings 2/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>6</impact>
-    </filter> 
-    <filter>
-        <id>44</id>
-        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 1/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter> 
-    <filter>
-        <id>45</id>
-        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]+)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 2/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-     <filter>
-        <id>46</id>
-        <rule><![CDATA[(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
-        <description>Detects basic SQL authentication bypass attempts 3/3</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>7</impact>
-    </filter> 
-    <filter>
-        <id>47</id>
-        <rule><![CDATA[(?:[\d\W]\s+as\s*["\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()]]></rule>
-        <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-            <tag>lfi</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>48</id>
-        <rule><![CDATA[(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*["=()])]]></rule>
-        <description>Detects chained SQL injection attempts 1/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>49</id>
-        <rule><![CDATA[(?:"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])]]></rule>
-        <description>Detects chained SQL injection attempts 2/2</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>50</id>
-        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)]]></rule>
-        <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>
-    <filter>
-        <id>51</id>
-        <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
-        <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>52</id>
-        <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
-        <description>Detects MySQL charset switch and MSSQL DoS attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>6</impact>
-    </filter>
-    <filter>
-        <id>53</id>
-        <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
-        <description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>7</impact>
-    </filter>
-    <filter>
-        <id>54</id>
-        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
-        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>55</id>
-        <rule><![CDATA[(?:\sexec\s+xp_cmdshell)|(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
-        <description>Detects MSSQL code execution and information gathering attempts</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>56</id>
-        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
-        <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>57</id>
-        <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
-        <description>Detects MySQL comment-/space-obfuscated injections</description>
-        <tags>
-            <tag>sqli</tag>
-            <tag>id</tag>
-        </tags>
-        <impact>5</impact>
-    </filter>
-    <filter>
-        <id>70</id>
-        <rule><![CDATA[(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
-        <description>finds basic MongoDB SQL injection attempts</description>
-        <tags>
-            <tag>sqli</tag>
-        </tags>
-        <impact>4</impact>
-    </filter>      
-</filters>