From 3197fada594d03798fdc71847d741be682d2487b Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Mon, 25 Jan 2010 10:06:52 +0000
Subject: [PATCH] update of IDS checking method

---
 lib/utils/detection.py  |  26 +-
 xml/detection_rules.xml | 731 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 747 insertions(+), 10 deletions(-)
 create mode 100644 xml/detection_rules.xml

diff --git a/lib/utils/detection.py b/lib/utils/detection.py
index f1d24153e..50d601c65 100644
--- a/lib/utils/detection.py
+++ b/lib/utils/detection.py
@@ -21,14 +21,23 @@ You should have received a copy of the GNU General Public License along
 with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
-import re
-import urllib2
+import re, sre_constants
 from xml.dom import minidom
 
+from lib.core.data import conf
+from lib.core.data import paths
 from lib.core.data import logger
 
 rules = None
 
+def __adjustGrammar(string):
+    string = re.sub('\ADetects', 'Detected', string)
+    string = re.sub('\Afinds', 'Found', string)
+    string = re.sub('attempts\Z', 'attempt', string)
+    string = re.sub('injections\Z', 'injection', string)
+    string = re.sub('attacks\Z', 'attack', string)
+    return string
+
 def checkPayload(string):
     """
     This method checks if the generated payload is detectable by the PHPIDS filter rules
@@ -36,19 +45,16 @@ def checkPayload(string):
     global rules
 
     if not rules:
-        url = 'https://svn.phpids.org/svn/trunk/lib/IDS/default_filter.xml'
-        request = urllib2.Request(url)
-        response = urllib2.urlopen(request)
-        xmlrules = minidom.parse(response).documentElement
-        response.close()
+        file = open(paths.DETECTION_RULES_XML, 'r')
+        xmlrules = minidom.parse(file).documentElement
+        file.close()
         rules = []
         for xmlrule in xmlrules.getElementsByTagName("filter"):
             try:
                 rule = re.compile(xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue)
-                desc = xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue
-                desc = desc.replace('Detects', 'Detected').replace('finds', 'Found').replace('attempts', 'attempt').replace('injections', 'injection').replace('attacks', 'attack')
+                desc = __adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
                 rules.append((rule, desc))
-            except:
+            except sre_constants.error: #some issues with some regex expressions in Python 2.5
                 pass
     
     for rule, desc in rules:
diff --git a/xml/detection_rules.xml b/xml/detection_rules.xml
new file mode 100644
index 000000000..48e3ff23b
--- /dev/null
+++ b/xml/detection_rules.xml
@@ -0,0 +1,731 @@
+<filters>
+    <filter>
+        <id>1</id>
+        <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
+        <description>finds html breaking injections including whitespace attacks</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>2</id>
+        <rule><![CDATA[(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[\[\(])]]></rule>
+        <description>finds attribute breaking injections including whitespace attacks</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>69</id>
+        <rule><![CDATA[(?:[\s\d\/"]+(?:on\w+|style)=[$"\w])]]></rule>
+        <description>finds malicious attribute injection attempts</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>	
+    <filter>
+        <id>3</id>
+        <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
+        <description>finds unquoted attribute breaking injections</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>2</impact>
+    </filter>
+    <filter>
+        <id>4</id>
+        <rule><![CDATA[(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])]]></rule>
+        <description>Detects url-, name-, JSON, and referrer-contained payload attacks</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>5</id>
+        <rule><![CDATA[(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?"[^\s"]":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)]]></rule>
+        <description>Detects hash-contained xss payload attacks, setter usage and property overloading</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>6</id>
+        <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>
+        <description>Detects self contained xss via with(), common loops and regex to string conversion</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>7</id>
+        <rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule>
+        <description>Detects JavaScript with(), ternary operators and XML predicate attacks</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>8</id>
+        <rule><![CDATA[(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+",\d]*[}\])])|(?:"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)]]></rule>
+        <description>Detects self-executing JavaScript functions</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>9</id>
+        <rule><![CDATA[(?:\\u00[a-f0-9]{2})|(?:\\x0*[a-f0-9]{2})|(?:\\\d{2,3})]]></rule>
+        <description>Detects the IE octal, hex and unicode entities</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>2</impact>
+    </filter>
+    <filter>
+        <id>10</id>
+        <rule><![CDATA[(?:(?:\/|\\)?\.+(\/|\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})]]></rule>
+        <description>Detects basic directory traversal</description>
+        <tags>
+            <tag>dt</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>11</id>
+        <rule><![CDATA[(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)]]></rule>
+        <description>Detects specific directory and path traversal</description>
+        <tags>
+            <tag>dt</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>12</id>
+        <rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
+        <description>Detects etc/passwd inclusion attempts</description>
+        <tags>
+            <tag>dt</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>13</id>
+        <rule><![CDATA[(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)]]></rule>
+        <description>Detects halfwidth/fullwidth encoded unicode HTML breaking attempts</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>3</impact>
+    </filter>
+    <filter>
+        <id>14</id>
+        <rule><![CDATA[(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))]]></rule>
+        <description>Detects possible includes, VBSCript/JScript encodeed and packed functions</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>15</id>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
+        <description>Detects JavaScript DOM/miscellaneous properties and methods</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>16</id>
+        <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
+        <description>Detects possible includes and typical script methods</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>17</id>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%"]|(?:\s*[^@\/\s\w%,.+\-]))]]></rule>
+        <description>Detects JavaScript object properties and methods</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>18</id>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
+        <description>Detects JavaScript array properties and methods</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>19</id>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%"]|(?:\s*[^@\s\w%,.+\-]))]]></rule>
+        <description>Detects JavaScript string properties and methods</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>20</id>
+        <rule><![CDATA[([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.+\-]))]]></rule>
+        <description>Detects JavaScript language constructs</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>21</id>
+        <rule><![CDATA[(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)]]></rule>
+        <description>Detects very basic XSS probings</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>3</impact>
+    </filter>
+    <filter>
+        <id>22</id>
+        <rule><![CDATA[(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)]]></rule>
+        <description>Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>	
+    <filter>
+        <id>23</id>
+        <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule>
+        <description>Detects JavaScript location/document property access and window access obfuscation</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>    
+    <filter>
+        <id>24</id>
+        <rule><![CDATA[(?:[".]script\s*\()|(?:\$\$?\s*\(\s*[\w"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])]]></rule>
+        <description>Detects basic obfuscated JavaScript script injections</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>25</id>
+        <rule><![CDATA[(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[("\w+"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*")]]></rule>
+        <description>Detects obfuscated JavaScript script injections</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>26</id>
+        <rule><![CDATA[(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])]]></rule>
+        <description>Detects JavaScript cookie stealing and redirection attempts</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>27</id>
+        <rule><![CDATA[(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*"?\s*vbs(?:ript)?:)|(language\s*=\s?"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-"?]]></rule>
+        <description>Detects data: URL injections, VBS injections and common URI schemes</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>28</id>
+        <rule><![CDATA[(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)]]></rule>
+        <description>Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>29</id>    
+        <rule><![CDATA[(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\])]]></rule>
+        <description>Detects bindings and behavior injections</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>30</id>
+        <rule><![CDATA[(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)]]></rule>
+        <description>Detects common XSS concatenation patterns 1/2</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>31</id>
+        <rule><![CDATA[(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*")|(?:!\d+\.\d*\?")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)]]></rule>
+        <description>Detects common XSS concatenation patterns 2/2</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>32</id>
+        <rule><![CDATA[(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)]]></rule>
+        <description>Detects possible event handlers</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>33</id>
+        <rule><![CDATA[(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)]]></rule>
+        <description>Detects obfuscated script tags and XML wrapped HTML</description>
+        <tags>
+            <tag>xss</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>34</id>
+        <rule><![CDATA[(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,"=])]]></rule>
+        <description>Detects attributes in closing tags and conditional compilation tokens</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>35</id>
+        <rule><![CDATA[(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)]]></rule>
+        <description>Detects common comment types</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>3</impact>
+    </filter>
+    <filter>
+        <id>37</id>
+        <rule><![CDATA[(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))]]></rule>
+        <description>Detects base href injections and XML entity injections</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>38</id>
+        <rule><![CDATA[(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))]]></rule>
+        <description>Detects possibly malicious html elements including some attributes</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>   
+    <filter>
+        <id>39</id>
+        <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>
+        <description>Detects nullbytes and other dangerous characters</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>xss</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>   
+    <filter>
+        <id>40</id>
+        <rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule>
+        <description>Detects MySQL comments, conditions and ch(a)r injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>   
+    <filter>
+        <id>41</id>
+        <rule><![CDATA[(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])]]></rule>
+        <description>Detects conditional SQL injection attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>   
+    <filter>
+        <id>42</id>
+        <rule><![CDATA[(?:\\x(?:23|27|3d))|(?:^.?"$)|(?:^.*\\".+(?<!\\)")|(?:(?:^["\\]*(?:[\d"]+|[^"]+"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*"\s*\w)|(?:@\w+\s+(and|or)\s*["\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*".)]]></rule>
+        <description>Detects classic SQL injection probings 1/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>  
+    <filter>
+        <id>43</id>
+        <rule><![CDATA[(?:"\s*\*.+(?:or|id)\W*"\d)|(?:\^")|(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:"[\s\d]*[^\w\s]+\W*\d\W*.*["\d])|(?:"\s*[^\w\s?]+\s*[^\w\s]+\s*")|(?:"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:".*\*\s*\d)|(?:"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+"[^,])]]></rule>
+        <description>Detects classic SQL injection probings 2/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>6</impact>
+    </filter> 
+    <filter>
+        <id>44</id>
+        <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 1/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
+    <filter>
+        <id>45</id>
+        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 2/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+     <filter>
+        <id>46</id>
+        <rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule>
+        <description>Detects basic SQL authentication bypass attempts 3/3</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter> 
+    <filter>
+        <id>47</id>
+        <rule><![CDATA[(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)]]></rule>
+        <description>Detects concatenated basic SQL injection and SQLLFI attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>48</id>
+        <rule><![CDATA[(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])]]></rule>
+        <description>Detects chained SQL injection attempts 1/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>49</id>
+        <rule><![CDATA[(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+"\w)|(?:";\s*(?:if|while|begin))|(?:"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()]]></rule>
+        <description>Detects chained SQL injection attempts 2/2</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>50</id>
+        <rule><![CDATA[(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)]]></rule>
+        <description>Detects SQL benchmark and sleep injection attempts including conditional queries</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>
+    <filter>
+        <id>51</id>
+        <rule><![CDATA[(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})]]></rule>
+        <description>Detects MySQL UDF injection and other data/structure manipulation attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>52</id>
+        <rule><![CDATA[(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")|(?:";.*:\s*goto)]]></rule>
+        <description>Detects MySQL charset switch and MSSQL DoS attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>6</impact>
+    </filter>
+    <filter>
+        <id>53</id>
+        <rule><![CDATA[(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)]]></rule>
+        <description>Detects MySQL and PostgreSQL stored procedure/function injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+    <filter>
+        <id>54</id>
+        <rule><![CDATA[(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))]]></rule>
+        <description>Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>55</id>
+        <rule><![CDATA[(?:"\s*!\s*["\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")]]></rule>
+        <description>Detects MSSQL code execution and information gathering attempts</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>56</id>
+        <rule><![CDATA[(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()]]></rule>
+        <description>Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>57</id>
+        <rule><![CDATA[(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()]]></rule>
+        <description>Detects MySQL comment-/space-obfuscated injections</description>
+        <tags>
+            <tag>sqli</tag>
+            <tag>id</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>   
+    <filter>
+        <id>58</id>
+        <rule><![CDATA[(?:@[\w-]+\s*\()|(?:]\s*\(\s*["!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]></rule>
+        <description>Detects code injection attempts 1/3</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>   
+    <filter>
+        <id>59</id>
+        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*["(@])]]></rule>
+        <description>Detects code injection attempts 2/3</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+    <filter>
+        <id>60</id>
+        <rule><![CDATA[(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)]]></rule>
+        <description>Detects code injection attempts 3/3</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+    <filter>
+        <id>61</id>
+        <rule><![CDATA[(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)]]></rule>
+        <description>Detects url injections and RFE attempts</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>   
+    <filter>
+        <id>62</id>
+        <rule><![CDATA[(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)]]></rule>
+        <description>Detects common function declarations and special JS operators</description>
+        <tags>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>  
+    <filter>
+        <id>63</id>
+        <rule><![CDATA[(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)]]></rule>
+        <description>Detects common mail header injections</description>
+        <tags>
+            <tag>id</tag>
+            <tag>spam</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>64</id>
+        <rule><![CDATA[(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)]]></rule>
+        <description>Detects perl echo shellcode injection and LDAP vectors</description>
+        <tags>
+            <tag>lfi</tag>
+            <tag>rfe</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>65</id>
+        <rule><![CDATA[(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})]]></rule>
+        <description>Detects basic XSS DoS attempts</description>
+        <tags>
+            <tag>rfe</tag>
+            <tag>dos</tag>
+        </tags>
+        <impact>5</impact>
+    </filter>
+    <filter>
+        <id>67</id>
+        <rule><![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]></rule>
+        <description>Detects unknown attack vectors based on PHPIDS Centrifuge detection</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+            <tag>id</tag>
+            <tag>rfe</tag>
+            <tag>lfi</tag>
+        </tags>
+        <impact>7</impact>
+    </filter>
+    <filter>
+        <id>68</id>
+        <rule><![CDATA[(?:[\s\/"]+[-\w\/\\\*]+\s*=.+(?:\/\s*>))]]></rule>
+        <description>finds attribute breaking injections including obfuscated attributes</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter> 
+    <filter>
+        <id>69</id>
+        <rule><![CDATA[(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))]]></rule>
+        <description>finds basic VBScript injection attempts</description>
+        <tags>
+            <tag>xss</tag>
+            <tag>csrf</tag>
+        </tags>
+        <impact>4</impact>
+    </filter>  	
+</filters>
\ No newline at end of file