misc changes
parent
92f455cc6e
commit
ad269dddc7
|
@ -4,9 +4,8 @@ info:
|
|||
name: WAF Detection
|
||||
author: dwisiswant0 & lu4nx
|
||||
severity: info
|
||||
|
||||
# Source:
|
||||
# - https://github.com/Ekultek/WhatWaf
|
||||
reference: https://github.com/Ekultek/WhatWaf
|
||||
tags: waf,tech,misc
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -20,11 +19,13 @@ requests:
|
|||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
name: instart
|
||||
regex:
|
||||
- '(?i)instartrequestid'
|
||||
part: all
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
name: perimx
|
||||
regex:
|
||||
|
@ -34,6 +35,7 @@ requests:
|
|||
- '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: webknight
|
||||
regex:
|
||||
|
@ -41,6 +43,7 @@ requests:
|
|||
- '(?i)webknight'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: zscaler
|
||||
regex:
|
||||
|
@ -48,6 +51,7 @@ requests:
|
|||
- '(?i)zscaler'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: fortigate
|
||||
regex:
|
||||
|
@ -63,18 +67,21 @@ requests:
|
|||
- '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: teros
|
||||
regex:
|
||||
- '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: stricthttp
|
||||
regex:
|
||||
- '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: stricthttp
|
||||
regex:
|
||||
|
@ -82,6 +89,7 @@ requests:
|
|||
- '(?i)/rejected.by.url.scan'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: shadowd
|
||||
regex:
|
||||
|
@ -89,6 +97,7 @@ requests:
|
|||
- '(?i)request.forbidden.by.administrative.rules.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: bigip
|
||||
regex:
|
||||
|
@ -99,12 +108,14 @@ requests:
|
|||
- '(?i)bigipserver'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: edgecast
|
||||
regex:
|
||||
- '(?i)\Aecdf'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: radware
|
||||
regex:
|
||||
|
@ -113,6 +124,7 @@ requests:
|
|||
- '(?i)with.the.following.case.number.in.its.subject:.\d+.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: varnish
|
||||
regex:
|
||||
|
@ -122,6 +134,7 @@ requests:
|
|||
- '(?i).>access.is.blocked.according.to.our.site.security.policy.<+'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: infosafe
|
||||
regex:
|
||||
|
@ -131,6 +144,7 @@ requests:
|
|||
- '(?i)var.infosafekey='
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: aliyundun
|
||||
regex:
|
||||
|
@ -138,6 +152,7 @@ requests:
|
|||
- '(?i)http(s)?://(www.)?aliyun.(com|net)'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: ats
|
||||
regex:
|
||||
|
@ -145,6 +160,7 @@ requests:
|
|||
- '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: malcare
|
||||
regex:
|
||||
|
@ -153,16 +169,19 @@ requests:
|
|||
- '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: wts
|
||||
regex:
|
||||
- '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: dw
|
||||
regex:
|
||||
- '(?i)dw.inj.check'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: denyall
|
||||
regex:
|
||||
|
@ -170,6 +189,7 @@ requests:
|
|||
- '(?i)\Asessioncookie='
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: yunsuo
|
||||
regex:
|
||||
|
@ -177,11 +197,13 @@ requests:
|
|||
- '(?i)yunsuo.session'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: litespeed
|
||||
regex:
|
||||
- '(?i)litespeed.web.server'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: cloudfront
|
||||
regex:
|
||||
|
@ -190,6 +212,7 @@ requests:
|
|||
- '(?i)x.amz.cf.id|nguardx'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: anyu
|
||||
regex:
|
||||
|
@ -198,6 +221,7 @@ requests:
|
|||
- '(?i)anyu-?.the.green.channel'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: googlewebservices
|
||||
regex:
|
||||
|
@ -206,6 +230,7 @@ requests:
|
|||
- '(?i)block(ed)?.by.g.cloud.security.policy.+'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: didiyun
|
||||
regex:
|
||||
|
@ -213,26 +238,31 @@ requests:
|
|||
- '(?i)didiyun'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: blockdos
|
||||
regex:
|
||||
- '(?i)blockdos\.net'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: codeigniter
|
||||
regex:
|
||||
- '(?i)the.uri.you.submitted.has.disallowed.characters'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: stingray
|
||||
regex:
|
||||
- '(?i)\AX-Mapping-'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: west263
|
||||
regex:
|
||||
- '(?i)wt\d*cdn'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: aws
|
||||
regex:
|
||||
|
@ -242,6 +272,7 @@ requests:
|
|||
- '(?i)x.amz.request.id'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: yundun
|
||||
regex:
|
||||
|
@ -251,6 +282,7 @@ requests:
|
|||
- '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: barracuda
|
||||
regex:
|
||||
|
@ -259,11 +291,13 @@ requests:
|
|||
- '(?i)barracuda.networks.{1,2}inc'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: dodenterpriseprotection
|
||||
regex:
|
||||
- '(?i)dod.enterprise.level.protection.system'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: secupress
|
||||
regex:
|
||||
|
@ -271,11 +305,13 @@ requests:
|
|||
- '(?i)block.id.{1,2}bad.url.contents.<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: aesecure
|
||||
regex:
|
||||
- '(?i)aesecure.denied.png'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: incapsula
|
||||
regex:
|
||||
|
@ -284,6 +320,7 @@ requests:
|
|||
- '(?i)incapsula.incident.id'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: nexusguard
|
||||
regex:
|
||||
|
@ -291,6 +328,7 @@ requests:
|
|||
- '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: cloudflare
|
||||
regex:
|
||||
|
@ -304,6 +342,7 @@ requests:
|
|||
- '(?i)__cfduid'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: akamai
|
||||
regex:
|
||||
|
@ -312,6 +351,7 @@ requests:
|
|||
- '(?i)ak.bmsc.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: webseal
|
||||
regex:
|
||||
|
@ -319,11 +359,13 @@ requests:
|
|||
- '(?i)webseal.server.received.an.invalid.http.request'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: dotdefender
|
||||
regex:
|
||||
- '(?i)dotdefender.blocked.your.request'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: pk
|
||||
regex:
|
||||
|
@ -332,6 +374,7 @@ requests:
|
|||
- '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: expressionengine
|
||||
regex:
|
||||
|
@ -340,16 +383,19 @@ requests:
|
|||
- '(?i)invalid.(get|post).data'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: comodo
|
||||
regex:
|
||||
- '(?i)protected.by.comodo.waf'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: ciscoacexml
|
||||
regex:
|
||||
- '(?i)ace.xml.gateway'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: barikode
|
||||
regex:
|
||||
|
@ -357,6 +403,7 @@ requests:
|
|||
- '(?i)<h\d{1}>forbidden.access<.h\d{1}>'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: watchguard
|
||||
regex:
|
||||
|
@ -364,6 +411,7 @@ requests:
|
|||
- '(?i)watchguard(.technologies(.inc)?)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: binarysec
|
||||
regex:
|
||||
|
@ -372,6 +420,7 @@ requests:
|
|||
- '(?i)binarysec'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: bekchy
|
||||
regex:
|
||||
|
@ -379,6 +428,7 @@ requests:
|
|||
- '(?i)(http(s)?://)(www.)?bekchy.com(/report)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: bitninja
|
||||
regex:
|
||||
|
@ -387,6 +437,7 @@ requests:
|
|||
- '(?i).>visitor.anti(\S)?robot.validation<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: apachegeneric
|
||||
regex:
|
||||
|
@ -397,6 +448,7 @@ requests:
|
|||
- '(?i)<title>403 Forbidden</title>'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: greywizard
|
||||
regex:
|
||||
|
@ -406,11 +458,13 @@ requests:
|
|||
- '(?i)grey.wizard'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: configserver
|
||||
regex:
|
||||
- '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: viettel
|
||||
regex:
|
||||
|
@ -419,6 +473,7 @@ requests:
|
|||
- '(?i)(http(s).//)?cloudrity.com(.vn)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: safedog
|
||||
regex:
|
||||
|
@ -426,11 +481,13 @@ requests:
|
|||
- '(?i)waf(.?\d+.?\d+)'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: baidu
|
||||
regex:
|
||||
- '(?i)yunjiasu.nginx'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: alertlogic
|
||||
regex:
|
||||
|
@ -442,11 +499,13 @@ requests:
|
|||
- '(?i)page.has.either.been.removed.{1,2}renamed'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: armor
|
||||
regex:
|
||||
- '(?i)blocked.by.website.protection.from.armour'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: dosarrest
|
||||
regex:
|
||||
|
@ -454,6 +513,7 @@ requests:
|
|||
- '(?i)x.dis.request.id'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: paloalto
|
||||
regex:
|
||||
|
@ -461,6 +521,7 @@ requests:
|
|||
- '.>Virus.Spyware.Download.Blocked<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: aspgeneric
|
||||
regex:
|
||||
|
@ -478,6 +539,7 @@ requests:
|
|||
- '(?i)\basp.net\b'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: powerful
|
||||
regex:
|
||||
|
@ -485,6 +547,7 @@ requests:
|
|||
- '(?i)http(s)?...tiny.cc.powerful.firewall'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: uewaf
|
||||
regex:
|
||||
|
@ -492,6 +555,7 @@ requests:
|
|||
- '(?i)uewaf(.deny.pages)'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: janusec
|
||||
regex:
|
||||
|
@ -499,6 +563,7 @@ requests:
|
|||
- '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: siteguard
|
||||
regex:
|
||||
|
@ -506,6 +571,7 @@ requests:
|
|||
- '(?i)refuse.to.browse'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: sonicwall
|
||||
regex:
|
||||
|
@ -517,6 +583,7 @@ requests:
|
|||
- '(?i).>policy.this.site.is.blocked<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: jiasule
|
||||
regex:
|
||||
|
@ -526,6 +593,7 @@ requests:
|
|||
- '(?i)(static|www|dynamic).jiasule.(com|net)'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: nginxgeneric
|
||||
regex:
|
||||
|
@ -533,6 +601,7 @@ requests:
|
|||
- '(?i)you.do(not|n.t)?.have.permission.to.access.this.document'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: stackpath
|
||||
regex:
|
||||
|
@ -540,11 +609,13 @@ requests:
|
|||
- '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: sabre
|
||||
regex:
|
||||
- '(?i)dxsupport@sabre.com'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: wordfence
|
||||
regex:
|
||||
|
@ -553,6 +624,7 @@ requests:
|
|||
- '(?i).>wordfence<.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: '360'
|
||||
regex:
|
||||
|
@ -563,12 +635,14 @@ requests:
|
|||
- '(?i)transfer.is.blocked'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: asm
|
||||
regex:
|
||||
- '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: rsfirewall
|
||||
regex:
|
||||
|
@ -578,6 +652,7 @@ requests:
|
|||
- '(?i)rsfirewall'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: sucuri
|
||||
regex:
|
||||
|
@ -587,21 +662,25 @@ requests:
|
|||
- '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: airlock
|
||||
regex:
|
||||
- '(?i)\Aal[.-]?(sess|lb)=?'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: xuanwudun
|
||||
regex:
|
||||
- '(?i)class=.(db)?waf.?(-row.)?>'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: chuangyudun
|
||||
regex:
|
||||
- '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: securesphere
|
||||
regex:
|
||||
|
@ -614,11 +693,13 @@ requests:
|
|||
- '(?i)contact.support.for.additional.information'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: anquanbao
|
||||
regex:
|
||||
- '(?i).aqb_cc.error.'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: modsecurity
|
||||
regex:
|
||||
|
@ -630,6 +711,7 @@ requests:
|
|||
- '(?i)blocked.by.mod.security'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: modsecurityowasp
|
||||
regex:
|
||||
|
@ -637,6 +719,7 @@ requests:
|
|||
- '(?i)additionally\S.a.406.not.acceptable'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: squid
|
||||
regex:
|
||||
|
@ -645,6 +728,7 @@ requests:
|
|||
- '(?i)X.Squid.Error'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: shieldsecurity
|
||||
regex:
|
||||
|
@ -653,11 +737,13 @@ requests:
|
|||
- '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
|
||||
condition: or
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
name: wallarm
|
||||
regex:
|
||||
- '(?i)nginix.wallarm'
|
||||
part: all
|
||||
|
||||
- type: regex
|
||||
part: all
|
||||
name: huaweicloud
|
||||
|
@ -665,21 +751,4 @@ requests:
|
|||
regex:
|
||||
- '(?)content="CloudWAF"'
|
||||
- 'Server: CloudWAF'
|
||||
- 'Set-Cookie: HWWAFSESID='
|
||||
|
||||
dns:
|
||||
- name: "{{FQDN}}"
|
||||
type: CNAME
|
||||
recursion: true
|
||||
retries: 5
|
||||
class: inet
|
||||
matchers:
|
||||
- type: word
|
||||
name: sanfor-shield
|
||||
words:
|
||||
- ".sangfordns.com"
|
||||
|
||||
- type: word
|
||||
name: 360panyun
|
||||
words:
|
||||
- ".360panyun.com"
|
||||
- 'Set-Cookie: HWWAFSESID='
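Review bot: The huaweicloud matcher's first pattern `'(?)content="CloudWAF"'` carries an empty flag group where every other matcher in this file uses `(?i)`; as written the match is case-sensitive and `(?)` reads as a typo, so the line should be `- '(?i)content="CloudWAF"'`. The two sibling patterns `'Server: CloudWAF'` and `'Set-Cookie: HWWAFSESID='` are likewise case-sensitive while HTTP header names are case-insensitive on the wire (and lower-cased by HTTP/2 clients), so a `server: CloudWAF` response would not be flagged; prefixing them with `(?i)` as the rest of the template does would close that gap. In the same matcher, `part: all` is placed before `name:` whereas every other entry lists `part` last, which is worth aligning for consistency. The matcher's `- type: regex` line opens in the preceding hunk rather than this one.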
|