Global Rules List
Response
{
"status": true,
"data": [
{
"ruleSet": "General",
"description": "This rule includes measures against various types of attacks to protect web applications and provides a general defense against potential threats.",
"rules": [
{
"ruleId": "200002",
"description": "Failed to Parse Request Body."
},
{
"ruleId": "200003",
"description": "Multipart Request Body Strict Validation."
},
{
"ruleId": "200004",
"description": "Possible Multipart Unmatched Boundary."
}
]
},
{
"ruleSet": "Known CVES",
"description": "This rule protects web applications from potential attacks by providing defense against known vulnerabilities in the CVE database through the Web Application Firewall.",
"rules": [
{
"ruleId": "800100",
"description": "Rule to help detect and mitigate log4j vulnerability CVE-2021-44228, CVE-2021-45046"
},
{
"ruleId": "800110",
"description": "Spring4Shell Interaction Attempt"
},
{
"ruleId": "800111",
"description": "Attempted Spring Cloud routing-expression injection - CVE-2022-22963"
},
{
"ruleId": "800112",
"description": "Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965"
},
{
"ruleId": "800113",
"description": "Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947"
}
]
},
{
"ruleSet": "Method Enforcement",
"description": "This rule enforces specific HTTP methods in web applications ensuring that only secure or expected HTTP methods are used in requests from clients.",
"rules": [
{
"ruleId": "911100",
"description": "Method is not allowed by policy"
}
]
},
{
"ruleSet": "Scanner Detection",
"description": "This rule detects and prevents scanner or attack tools targeting web applications by monitoring automated scanners or tools used to identify security vulnerabilities.",
"rules": [
{
"ruleId": "913100",
"description": "Found User-Agent associated with security scanner"
},
{
"ruleId": "913101",
"description": "Found User-Agent associated with scripting/generic HTTP client"
},
{
"ruleId": "913102",
"description": "Found User-Agent associated with web crawler/bot"
},
{
"ruleId": "913110",
"description": "Found request header associated with security scanner"
},
{
"ruleId": "913120",
"description": "Found request filename/argument associated with security scanner"
}
]
},
{
"ruleSet": "Protocol Enforcement",
"description": "This rule aims to enhance security and limit potential security vulnerabilities by enforcing specific protocol versions or features.",
"rules": [
{
"ruleId": "920100",
"description": "Invalid HTTP Request Line"
},
{
"ruleId": "920120",
"description": "Attempted multipart/form-data bypass"
},
{
"ruleId": "920121",
"description": "Attempted multipart/form-data bypass"
},
{
"ruleId": "920160",
"description": "Content-Length HTTP header is not numeric."
},
{
"ruleId": "920170",
"description": "GET or HEAD Request with Body Content."
},
{
"ruleId": "920171",
"description": "GET or HEAD Request with Transfer-Encoding."
},
{
"ruleId": "920180",
"description": "POST request missing Content-Length Header."
},
{
"ruleId": "920190",
"description": "Range: Invalid Last Byte Value."
},
{
"ruleId": "920200",
"description": "Range: Too many fields (6 or more)"
},
{
"ruleId": "920201",
"description": "Range: Too many fields for pdf request (35 or more)"
},
{
"ruleId": "920202",
"description": "Range: Too many fields for pdf request (6 or more)"
},
{
"ruleId": "920210",
"description": "Multiple/Conflicting Connection Header Data Found."
},
{
"ruleId": "920220",
"description": "URL Encoding Abuse Attack Attempt"
},
{
"ruleId": "920230",
"description": "Multiple URL Encoding Detected"
},
{
"ruleId": "920240",
"description": "URL Encoding Abuse Attack Attempt"
},
{
"ruleId": "920250",
"description": "UTF8 Encoding Abuse Attack Attempt"
},
{
"ruleId": "920260",
"description": "Unicode Full/Half Width Abuse Attack Attempt"
},
{
"ruleId": "920270",
"description": "Invalid character in request (null character)"
},
{
"ruleId": "920271",
"description": "Invalid character in request (non printable characters)"
},
{
"ruleId": "920272",
"description": "Invalid character in request (outside of printable chars below ascii 127)"
},
{
"ruleId": "920273",
"description": "Invalid character in request (outside of very strict set)"
},
{
"ruleId": "920274",
"description": "Invalid character in request headers (outside of very strict set)"
},
{
"ruleId": "920280",
"description": "Request Missing a Host Header"
},
{
"ruleId": "920290",
"description": "Empty Host Header"
},
{
"ruleId": "920300",
"description": "Request Missing an Accept Header"
},
{
"ruleId": "920310",
"description": "Request Has an Empty Accept Header"
},
{
"ruleId": "920311",
"description": "Request Has an Empty Accept Header"
},
{
"ruleId": "920320",
"description": "Missing User Agent Header"
},
{
"ruleId": "920330",
"description": "Empty User Agent Header"
},
{
"ruleId": "920340",
"description": "Request Containing Content, but Missing Content-Type header"
},
{
"ruleId": "920341",
"description": "Request containing content requires Content-Type header"
},
{
"ruleId": "920350",
"description": "Host header is a numeric IP address"
},
{
"ruleId": "920420",
"description": "Request content type is not allowed by policy"
},
{
"ruleId": "920430",
"description": "HTTP protocol version is not allowed by policy"
},
{
"ruleId": "920440",
"description": "URL file extension is restricted by policy"
},
{
"ruleId": "920450",
"description": "HTTP header is restricted by policy (%{MATCHED_VAR})"
},
{
"ruleId": "920460",
"description": "Abnormal Escape Characters"
},
{
"ruleId": "920470",
"description": "Illegal Content-Type header"
},
{
"ruleId": "920480",
"description": "Restrict charset parameter within the content-type header"
}
]
},
{
"ruleSet": "Protocol Attack",
"description": "The rule detects and mitigates Protocol attacks that may involve manipulating network traffic or exploiting protocol-specific vulnerabilities.",
"rules": [
{
"ruleId": "921110",
"description": "HTTP Request Smuggling Attack"
},
{
"ruleId": "921120",
"description": "HTTP Response Splitting Attack"
},
{
"ruleId": "921130",
"description": "HTTP Response Splitting Attack"
},
{
"ruleId": "921140",
"description": "HTTP Header Injection Attack via headers"
},
{
"ruleId": "921150",
"description": "HTTP Header Injection Attack via payload (CR/LF detected)"
},
{
"ruleId": "921151",
"description": "HTTP Header Injection Attack via payload (CR/LF detected)"
},
{
"ruleId": "921160",
"description": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)"
},
{
"ruleId": "921170",
"description": "HTTP Parameter Pollution"
},
{
"ruleId": "921180",
"description": "HTTP Parameter Pollution (%{TX.1})"
}
]
},
{
"ruleSet": "Application Attack LFI",
"description": "The rule defends against Local File Inclusion (LFI) attacks by monitoring potential LFI attack patterns in the URLs or parameters of the web application.",
"rules": [
{
"ruleId": "930100",
"description": "Path Traversal Attack (/../)"
},
{
"ruleId": "930110",
"description": "Path Traversal Attack (/../)"
},
{
"ruleId": "930120",
"description": "OS File Access Attempt"
},
{
"ruleId": "930130",
"description": "Restricted File Access Attempt"
}
]
},
{
"ruleSet": "Application Attack RFI",
"description": "The rule provides defense against Remote File Inclusion (RFI) attacks by monitoring potential RFI attack patterns in the URLs or parameters of the web application.",
"rules": [
{
"ruleId": "931100",
"description": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address"
},
{
"ruleId": "931110",
"description": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload"
},
{
"ruleId": "931120",
"description": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)"
},
{
"ruleId": "931130",
"description": "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"
}
]
},
{
"ruleSet": "Application Attack RCE",
"description": "This rule identifies Remote Code Execution (RCE) attempts by monitoring potential RCE attack patterns in the URLs or parameters of the web application.",
"rules": [
{
"ruleId": "932100",
"description": "Remote Command Execution: Unix Command Injection"
},
{
"ruleId": "932105",
"description": "Remote Command Execution: Unix Command Injection"
},
{
"ruleId": "932106",
"description": "Remote Command Execution: Unix Command Injection"
},
{
"ruleId": "932110",
"description": "Remote Command Execution: Windows Command Injection"
},
{
"ruleId": "932115",
"description": "Remote Command Execution: Windows Command Injection"
},
{
"ruleId": "932120",
"description": "Remote Command Execution: Windows PowerShell Command Found"
},
{
"ruleId": "932130",
"description": "Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) or Text4Shell (CVE-2022-42889) Found"
},
{
"ruleId": "932140",
"description": "Remote Command Execution: Windows FOR/IF Command Found"
},
{
"ruleId": "932150",
"description": "Remote Command Execution: Direct Unix Command Execution"
},
{
"ruleId": "932160",
"description": "Remote Command Execution: Unix Shell Code Found"
},
{
"ruleId": "932170",
"description": "Remote Command Execution: Shellshock (CVE-2014-6271)"
},
{
"ruleId": "932171",
"description": "Remote Command Execution: Shellshock (CVE-2014-6271)"
},
{
"ruleId": "932180",
"description": "Restricted File Upload Attempt"
},
{
"ruleId": "932190",
"description": "Remote Command Execution: Wildcard bypass technique attempt"
}
]
},
{
"ruleSet": "Application Attack XSS",
"description": "This rule detects and prevents Cross-Site-Scripting attacks by analyzing incoming requests for malicious script and blocking their execution.",
"rules": [
{
"ruleId": "941100",
"description": "XSS Attack Detected via libinjection"
},
{
"ruleId": "941101",
"description": "XSS Attack Detected via libinjection. This rule detects requests with a Referer header."
},
{
"ruleId": "941110",
"description": "XSS Filter - Category 1: Script Tag Vector"
},
{
"ruleId": "941120",
"description": "XSS Filter - Category 2: Event Handler Vector"
},
{
"ruleId": "941130",
"description": "XSS Filter - Category 3: Attribute Vector"
},
{
"ruleId": "941140",
"description": "XSS Filter - Category 4: JavaScript URI Vector"
},
{
"ruleId": "941150",
"description": "XSS Filter - Category 5: Disallowed HTML Attributes"
},
{
"ruleId": "941160",
"description": "NoScript XSS InjectionChecker: HTML Injection"
},
{
"ruleId": "941170",
"description": "NoScript XSS InjectionChecker: Attribute Injection"
},
{
"ruleId": "941180",
"description": "Node-Validator Blacklist Keywords"
},
{
"ruleId": "941190",
"description": "XSS Using style sheets"
},
{
"ruleId": "941200",
"description": "XSS using VML frames"
},
{
"ruleId": "941210",
"description": "XSS using obfuscated JavaScript or Text4Shell (CVE-2022-42889)"
},
{
"ruleId": "941220",
"description": "XSS using obfuscated VB Script"
},
{
"ruleId": "941230",
"description": "XSS using 'embed' tag"
},
{
"ruleId": "941240",
"description": "XSS using 'import' or 'implementation' attribute"
},
{
"ruleId": "941250",
"description": "IE XSS Filters - Attack Detected."
},
{
"ruleId": "941260",
"description": "XSS using 'meta' tag"
},
{
"ruleId": "941270",
"description": "XSS using 'link' tag"
},
{
"ruleId": "941280",
"description": "XSS using 'base' tag"
},
{
"ruleId": "941290",
"description": "XSS using 'applet' tag"
},
{
"ruleId": "941300",
"description": "XSS using 'object' tag"
},
{
"ruleId": "941310",
"description": "US-ASCII Malformed Encoding XSS Filter - Attack Detected."
},
{
"ruleId": "941320",
"description": "Possible XSS Attack Detected - HTML Tag Handler"
},
{
"ruleId": "941330",
"description": "IE XSS Filters - Attack Detected."
},
{
"ruleId": "941340",
"description": "IE XSS Filters - Attack Detected."
},
{
"ruleId": "941350",
"description": "UTF-7 Encoding IE XSS - Attack Detected."
},
{
"ruleId": "941360",
"description": "JavaScript obfuscation detected."
}
]
},
{
"ruleSet": "Application Attack SQLI",
"description": "This rule protects web applications against SQL injection attacks by preventing malicious SQL queries and enhancing database security.",
"rules": [
{
"ruleId": "942100",
"description": "SQL Injection Attack Detected via libinjection"
},
{
"ruleId": "942110",
"description": "SQL Injection Attack: Common Injection Testing Detected"
},
{
"ruleId": "942120",
"description": "SQL Injection Attack: SQL Operator Detected"
},
{
"ruleId": "942130",
"description": "SQL Injection Attack: SQL Tautology Detected."
},
{
"ruleId": "942140",
"description": "SQL Injection Attack: Common DB Names Detected"
},
{
"ruleId": "942150",
"description": "SQL Injection Attack"
},
{
"ruleId": "942160",
"description": "Detects blind sqli tests using sleep() or benchmark()."
},
{
"ruleId": "942170",
"description": "Detects SQL benchmark and sleep injection attempts including conditional queries"
},
{
"ruleId": "942180",
"description": "Detects basic SQL authentication bypass attempts 1/3"
},
{
"ruleId": "942190",
"description": "Detects MSSQL code execution and information gathering attempts"
},
{
"ruleId": "942200",
"description": "Detects MySQL comment-/space-obfuscated injections and backtick termination"
},
{
"ruleId": "942210",
"description": "Detects chained SQL injection attempts 1/2"
},
{
"ruleId": "942220",
"description": "Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"
},
{
"ruleId": "942230",
"description": "Detects conditional SQL injection attempts"
},
{
"ruleId": "942240",
"description": "Detects MySQL charset switch and MSSQL DoS attempts"
},
{
"ruleId": "942250",
"description": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections"
},
{
"ruleId": "942251",
"description": "Detects HAVING injections"
},
{
"ruleId": "942260",
"description": "Detects basic SQL authentication bypass attempts 2/3 "
},
{
"ruleId": "942270",
"description": "Looking for basic sql injection. Common attack string for mysql, oracle and others."
},
{
"ruleId": "942280",
"description": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts"
},
{
"ruleId": "942290",
"description": "Finds basic MongoDB SQL injection attempts"
},
{
"ruleId": "942300",
"description": "Detects MySQL comments, conditions and ch(a)r injections"
},
{
"ruleId": "942310",
"description": "Detects chained SQL injection attempts 2/2"
},
{
"ruleId": "942320",
"description": "Detects MySQL and PostgreSQL stored procedure/function injections"
},
{
"ruleId": "942330",
"description": "Detects classic SQL injection probings 1/2"
},
{
"ruleId": "942340",
"description": "Detects basic SQL authentication bypass attempts 3/3"
},
{
"ruleId": "942350",
"description": "Detects MySQL UDF injection and other data/structure manipulation attempts"
},
{
"ruleId": "942360",
"description": "Detects concatenated basic SQL injection and SQLLFI attempts"
},
{
"ruleId": "942361",
"description": "Detects basic SQL injection based on keyword alter or union"
},
{
"ruleId": "942370",
"description": "Detects classic SQL injection probings 2/2"
},
{
"ruleId": "942380",
"description": "SQL Injection Attack"
},
{
"ruleId": "942390",
"description": "SQL Injection Attack"
},
{
"ruleId": "942400",
"description": "SQL Injection Attack"
},
{
"ruleId": "942410",
"description": "SQL Injection Attack"
},
{
"ruleId": "942420",
"description": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)"
},
{
"ruleId": "942421",
"description": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)"
},
{
"ruleId": "942430",
"description": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"
},
{
"ruleId": "942431",
"description": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"
},
{
"ruleId": "942432",
"description": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"
},
{
"ruleId": "942440",
"description": "SQL Comment Sequence Detected."
},
{
"ruleId": "942450",
"description": "SQL Hex Encoding Identified"
},
{
"ruleId": "942460",
"description": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters"
},
{
"ruleId": "942470",
"description": "SQL Injection Attack"
},
{
"ruleId": "942480",
"description": "SQL Injection Attack"
},
{
"ruleId": "942490",
"description": "Detects classic SQL injection probings 3/3"
},
{
"ruleId": "942500",
"description": "MySQL in-line comment detected."
}
]
},
{
"ruleSet": "Application Attack Session Fixation",
"description": "This rule protects web applications against session fixation, preventing potential attacks and securing user sessions.",
"rules": [
{
"ruleId": "943100",
"description": "Possible Session Fixation Attack: Setting Cookie Values in HTML"
},
{
"ruleId": "943110",
"description": "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer"
},
{
"ruleId": "943120",
"description": "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"
}
]
},
{
"ruleSet": "Application Attack Java",
"description": "This rule protects web applications against Java-based attacks by preventing potential Java application attacks.",
"rules": [
{
"ruleId": "944100",
"description": "Remote Command Execution: Apache Struts, Oracle WebLogic"
},
{
"ruleId": "944110",
"description": "Detects potential payload execution"
},
{
"ruleId": "944120",
"description": "Possible payload execution and remote command execution"
},
{
"ruleId": "944130",
"description": "Suspicious Java classes"
},
{
"ruleId": "944200",
"description": "Exploitation of Java deserialization Apache Commons"
},
{
"ruleId": "944210",
"description": "Possible use of Java serialization"
},
{
"ruleId": "944240",
"description": "Remote Command Execution: Java serialization"
},
{
"ruleId": "944250",
"description": "Remote Command Execution: Suspicious Java method detected"
},
{
"ruleId": "944300",
"description": "Base64 encoded string matched suspicious keyword"
}
]
}
]
}