Logging to NGINX error_log but not audit #2237
Comments
|
Is that happening within v3.0.3? is a new issue related to v3.0.4? |
|
It's 3.0.4 I think. I am just cloning v3/master and building from source in my docker file. |
|
I've done some further troubleshooting. If I change |
|
So I think I've got to the bottom of it. If I leave the default Nginx error pages configuration in then it doesn't log to ModSecurity audit log. If I remove the lines then it does. I suspect Nginx is intercepting the 403 before ModSecurity can? |
|
@dto20 , see if victorhora/ModSecurity-nginx@ac3e8a9 solves your issue. |
victorhora
added
3.x
|
Exactly the same behavior here. Tried with 014adab and ModSecurity-nginx v1.0.1 |
|
@victorhora I had the same issue as above. No audit log when blocking action occurs. Building master, which included your change, did fix it. |
|
Tested with 7e0bc26 and custom error page and audit logs are working fine. Thanks |
|
@averges i tryd flow to build modsecurity but no using. what's the mater. git clone https://github.com/SpiderLabs/ModSecurity \
&& git checkout 7e0bc2691727b8c75f74638cdc4d1c45a689a7b6 \
&& /bin/bash build.sh \
&& yum install -y https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm \
&& git submodule init \
&& git submodule update \
&& ./configure \
&& make && make installmodsecurity-7e0bc + modsecurity-nginx-v1.0.1 |
Describe the bug
I'm testing a WAF setup with nginx, modsecurity and the OWASP ruleset. I am just running a simple XSS curl attack.
The attack is being blocked and a 403 is being returned. However, the attack isn't logged in the audit log, only the nginx error log. We need to send the logs to a SIEM and we need any blocks to be in the audit log.
Logs and dumps
Output of:
Notice: Be carefully to not leak any confidential information.
[157893220069.056272] [] [4] Initializing transaction [157893220069.056272] [] [4] Transaction context created. [157893220069.056272] [] [4] Starting phase CONNECTION. (SecRules 0) [157893220069.056272] [] [9] This phase consists of 28 rule(s). [157893220069.056272] [] [4] Starting phase URI. (SecRules 0 + 1/2) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Adding request argument (GET): name "q", value ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Starting phase REQUEST_HEADERS. (SecRules 1) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This phase consists of 135 rule(s). [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200000) Executing operator "Rx" with param "(?:application(?:/soap\+|/)|text/)xml" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200001) Executing operator "Rx" with param "application/json" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 900990) Executing unconditional rule... [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:crs_setup_version with value: 330 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901001) Executing operator "Eq" with param "0" against TX:crs_setup_version. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:crs_setup_version) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901100) Executing operator "Eq" with param "0" against TX:inbound_anomaly_score_threshold. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:inbound_anomaly_score_threshold) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:inbound_anomaly_score_threshold with value: 5 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901110) Executing operator "Eq" with param "0" against TX:outbound_anomaly_score_threshold. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:outbound_anomaly_score_threshold) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score_threshold with value: 4 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901120) Executing operator "Eq" with param "0" against TX:paranoia_level. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:paranoia_level) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:paranoia_level with value: 1 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901125) Executing operator "Eq" with param "0" against TX:executing_paranoia_level. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:executing_paranoia_level) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:executing_paranoia_level with value: 1 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901130) Executing operator "Eq" with param "0" against TX:sampling_percentage. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:sampling_percentage) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:sampling_percentage with value: 100 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901140) Executing operator "Eq" with param "0" against TX:critical_anomaly_score. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:critical_anomaly_score) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:critical_anomaly_score with value: 5 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901141) Executing operator "Eq" with param "0" against TX:error_anomaly_score. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:error_anomaly_score) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:error_anomaly_score with value: 4 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901142) Executing operator "Eq" with param "0" against TX:warning_anomaly_score. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:warning_anomaly_score) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:warning_anomaly_score with value: 3 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901143) Executing operator "Eq" with param "0" against TX:notice_anomaly_score. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:notice_anomaly_score) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:notice_anomaly_score with value: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901150) Executing operator "Eq" with param "0" against TX:do_reput_block. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:do_reput_block) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:do_reput_block with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901152) Executing operator "Eq" with param "0" against TX:reput_block_duration. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:reput_block_duration) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:reput_block_duration with value: 300 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901160) Executing operator "Eq" with param "0" against TX:allowed_methods. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:allowed_methods) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:allowed_methods with value: GET HEAD POST OPTIONS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901162) Executing operator "Eq" with param "0" against TX:allowed_request_content_type. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:allowed_request_content_type) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:allowed_request_content_type with value: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901168) Executing operator "Eq" with param "0" against TX:allowed_request_content_type_charset. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:allowed_request_content_type_charset) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:allowed_request_content_type_charset with value: utf-8|iso-8859-1|iso-8859-15|windows-1252 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901163) Executing operator "Eq" with param "0" against TX:allowed_http_versions. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:allowed_http_versions) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:allowed_http_versions with value: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901164) Executing operator "Eq" with param "0" against TX:restricted_extensions. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:restricted_extensions) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:restricted_extensions with value: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901165) Executing operator "Eq" with param "0" against TX:restricted_headers. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:restricted_headers) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:restricted_headers with value: /proxy/ /lock-token/ /content-range/ /if/ [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901166) Executing operator "Eq" with param "0" against TX:static_extensions. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:static_extensions) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:static_extensions with value: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901167) Executing operator "Eq" with param "0" against TX:enforce_bodyproc_urlencoded. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:enforce_bodyproc_urlencoded) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:enforce_bodyproc_urlencoded with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901200) Executing unconditional rule... [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score_pl1 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score_pl2 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score_pl3 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score_pl4 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:sql_injection_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:xss_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:rfi_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:lfi_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:rce_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:php_injection_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:http_violation_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:session_fixation_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:inbound_anomaly_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score_pl1 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score_pl2 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score_pl3 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:outbound_anomaly_score_pl4 with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:sql_error_match with value: 0 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901318) Executing operator "Rx" with param "^.*$" against REQUEST_HEADERS:User-Agent. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:sha1: "V��ٶ��RՕ��_ׂ)+$�" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:hexEncode: "56c1a7d9b6b7cf5217d595b3825fd782292b24cc" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "56c1a7d9b6b7cf5217d595b3825fd782292b24cc" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:ua_hash with value: 56c1a7d9b6b7cf5217d595b3825fd782292b24cc [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901321) Executing unconditional rule... [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:real_ip with value: 172.17.0.1 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: initcol [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Collectionglobal' initialized with value: global[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: initcol
[157893220069.056272] [/?q="><script>alert(1)</script>] [5] Collection
ip' initialized with value: 172.17.0.1_56c1a7d9b6b7cf5217d595b3825fd782292b24cc [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901340) Executing operator "Rx" with param "(?:URLENCODED|MULTIPART|XML|JSON)" against REQBODY_PROCESSOR. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQBODY_PROCESSOR) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: Enabling body inspection [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: paranoia-level/1 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: noauditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: ctl [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901350) Executing operator "Eq" with param "1" against TX:enforce_bodyproc_urlencoded. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:enforce_bodyproc_urlencoded) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901400) Executing operator "Eq" with param "100" against TX:sampling_percentage. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "100" (Variable: TX:sampling_percentage) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '901410' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '901420' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '901430' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '901440' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '901450' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-SAMPLING [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 6 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 901500) Executing operator "Lt" with param "1" Was: "" against TX:executing_paranoia_level. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:executing_paranoia_level) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 905100) Executing operator "StrEq" with param "GET /" against REQUEST_LINE. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET /?q="><script>alert(1)</script> HTTP/1.1" (Variable: REQUEST_LINE) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 905110) Executing operator "IpMatch" with param "127.0.0.1,::1" against REMOTE_ADDR. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "172.17.0.1" (Variable: REMOTE_ADDR) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910015' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910017' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 911011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 911013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '911015' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '911017' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 912100) Executing operator "Eq" with param "0" against TX:dos_burst_time_slice. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:dos_burst_time_slice) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against TX:dos_counter_threshold. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:dos_counter_threshold) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against TX:dos_block_timeout. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:dos_block_timeout) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912011' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912120' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912130' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912013' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912015' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912017' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-DOS-PROTECTION-CHECKS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 8 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913015' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913017' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920160) Executing operator "Rx" with param "^\d+$" against REQUEST_HEADERS:Content-Length. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920470) Executing operator "Rx" with param "^[\w/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w.()+,/:=?-]+)?$" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920480) Executing operator "Rx" with param "charset\s*=\s*[\"']?([^;\"'\s]+)" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920430) Executing operator "Within" with param "HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0" Was: "" against REQUEST_PROTOCOL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "HTTP/1.1" (Variable: REQUEST_PROTOCOL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920015' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920490' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920017' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 4 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921160) Executing operator "Rx" with param "[\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" against ARGS_GET_NAMES|ARGS_GET. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_GET_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS_GET:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921190) Executing operator "Rx" with param "[\n\r]" against REQUEST_FILENAME. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921015' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921017' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '930015' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '930017' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '931015' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '931017' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932015' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932017' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933015' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933017' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 941011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 941013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-941-APPLICATION-ATTACK-XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '941015' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '941017' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-941-APPLICATION-ATTACK-XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 942011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 942013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-942-APPLICATION-ATTACK-SQLI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '942015' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '942017' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-942-APPLICATION-ATTACK-SQLI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 943011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 943013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '943015' due to a SecMarker: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '943017' due to a SecMarker: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 949011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 949013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-949-BLOCKING-EVALUATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '949015' due to a SecMarker: END-REQUEST-949-BLOCKING-EVALUATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '949017' due to a SecMarker: END-REQUEST-949-BLOCKING-EVALUATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-949-BLOCKING-EVALUATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-949-BLOCKING-EVALUATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 980011) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 980013) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-RESPONSE-980-CORRELATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '980015' due to a SecMarker: END-RESPONSE-980-CORRELATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '980017' due to a SecMarker: END-RESPONSE-980-CORRELATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-RESPONSE-980-CORRELATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-RESPONSE-980-CORRELATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Starting phase REQUEST_BODY. (SecRules 2) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This phase consists of 285 rule(s). [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200002) Executing operator "Eq" with param "0" against REQBODY_ERROR. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: REQBODY_ERROR) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200003) Executing operator "Eq" with param "0" against MULTIPART_STRICT_ERROR. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: MULTIPART_STRICT_ERROR) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200004) Executing operator "Eq" with param "1" against MULTIPART_UNMATCHED_BOUNDARY. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: MULTIPART_UNMATCHED_BOUNDARY) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 200005) Executing operator "StrEq" with param "0" against TX:regex(^MSC_). [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910000) Executing operator "Eq" with param "1" against TX:DO_REPUT_BLOCK. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:DO_REPUT_BLOCK) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910120) Executing operator "Eq" with param "1" against IP:PREVIOUS_RBL_CHECK. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910130) Executing operator "Eq" with param "0" against TX:block_suspicious_ip. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:block_suspicious_ip) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against TX:block_harvester_ip. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:block_harvester_ip) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against TX:block_spammer_ip. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:block_spammer_ip) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against TX:block_search_ip. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:block_search_ip) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: paranoia-level/1 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910140' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910150' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910160' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910170' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910180' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910190' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-RBL-LOOKUP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-RBL-CHECK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 8 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 910014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910016' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '910018' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-910-IP-REPUTATION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 911012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 911100) Executing operator "Within" with param "GET HEAD POST OPTIONS" Was: "" against REQUEST_METHOD. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET" (Variable: REQUEST_METHOD) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 911014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '911016' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '911018' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-911-METHOD-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 912012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 912014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912016' due to a SecMarker: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '912018' due to a SecMarker: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-912-DOS-PROTECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913100) Executing operator "PmFromFile" with param "scanners-user-agents.data" against REQUEST_HEADERS:User-Agent. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913110) Executing operator "PmFromFile" with param "scanners-headers.data" against REQUEST_HEADERS_NAMES|REQUEST_HEADERS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "host" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "host" (Variable: REQUEST_HEADERS_NAMES:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "user-agent" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "user-agent" (Variable: REQUEST_HEADERS_NAMES:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "accept" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "accept" (Variable: REQUEST_HEADERS_NAMES:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913120) Executing operator "PmFromFile" with param "scanners-urls.data" against REQUEST_FILENAME|ARGS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 913014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913101' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913102' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913016' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '913018' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-913-SCANNER-DETECTION [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 5 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920100) Executing operator "Rx" with param "^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" against REQUEST_LINE. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET /?q="><script>alert(1)</script> HTTP/1.1" (Variable: REQUEST_LINE) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920120) Executing operator "Rx" with param "(?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" against FILES_NAMES|FILES. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920170) Executing operator "Rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET" (Variable: REQUEST_METHOD) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 255 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: GET or HEAD Request with Body Content. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Rx" with param "^0?$" against REQUEST_HEADERS:Content-Length. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920171) Executing operator "Rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET" (Variable: REQUEST_METHOD) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: GET or HEAD Request with Transfer-Encoding. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Eq" with param "0" against REQUEST_HEADERS:Transfer-Encoding. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: REQUEST_HEADERS:Transfer-Encoding) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920180) Executing operator "Rx" with param "^POST$" against REQUEST_METHOD. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET" (Variable: REQUEST_METHOD) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920190) Executing operator "Rx" with param "(\d+)-(\d+)\," against REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920210) Executing operator "Rx" with param "\b(?:keep-alive|close),\s?(?:keep-alive|close)\b" against REQUEST_HEADERS:Connection. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920220) Executing operator "Rx" with param "\x25" against REQUEST_URI. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q="><script>alert(1)</script>" (Variable: REQUEST_URI) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920240) Executing operator "Rx" with param "^(?i)application/x-www-form-urlencoded" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920250) Executing operator "Eq" with param "1" against TX:CRS_VALIDATE_UTF8_ENCODING. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920260) Executing operator "Rx" with param "\%u[fF]{2}[0-9a-fA-F]{2}" against REQUEST_URI|REQUEST_BODY. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q="><script>alert(1)</script>" (Variable: REQUEST_URI) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQUEST_BODY) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920270) Executing operator "ValidateByteRange" with param "1-255" against REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "/?q="><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q="><script>alert(1)</script>" (Variable: REQUEST_URI) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920280) Executing operator "Eq" with param "0" against REQUEST_HEADERS:Host. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920290) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Host. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920310) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Accept. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920311) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Accept. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920330) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:User-Agent. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920340) Executing operator "Rx" with param "^0$" against REQUEST_HEADERS:Content-Length. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920350) Executing operator "Rx" with param "^[\d.:]+$" against REQUEST_HEADERS:Host. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920380) Executing operator "Eq" with param "1" against TX:MAX_NUM_ARGS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:MAX_NUM_ARGS) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920360) Executing operator "Eq" with param "1" against TX:ARG_NAME_LENGTH. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:ARG_NAME_LENGTH) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920370) Executing operator "Eq" with param "1" against TX:ARG_LENGTH. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:ARG_LENGTH) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920390) Executing operator "Eq" with param "1" against TX:TOTAL_ARG_LENGTH. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:TOTAL_ARG_LENGTH) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920400) Executing operator "Eq" with param "1" against TX:MAX_FILE_SIZE. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:MAX_FILE_SIZE) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920410) Executing operator "Eq" with param "1" against TX:COMBINED_FILE_SIZES. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "0" (Variable: TX:COMBINED_FILE_SIZES) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920420) Executing operator "Rx" with param "^[^;\s]+" against REQUEST_HEADERS:Content-Type. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920440) Executing operator "Rx" with param "\.([^.]+)$" against REQUEST_BASENAME. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQUEST_BASENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920500) Executing operator "Rx" with param "\.[^.~]+~(?:/.*|)$" against REQUEST_FILENAME. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920450) Executing operator "Rx" with param "^.*$" against REQUEST_HEADERS_NAMES. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "host" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "host" (Variable: REQUEST_HEADERS_NAMES:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [7] Added regex subexpression TX.0: host [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:header_name_host with value: /host/ [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: HTTP header is restricted by policy (host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "user-agent" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "user-agent" (Variable: REQUEST_HEADERS_NAMES:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [7] Added regex subexpression TX.0: user-agent [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:header_name_user-agent with value: /user-agent/ [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: HTTP header is restricted by policy (user-agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "accept" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "accept" (Variable: REQUEST_HEADERS_NAMES:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [7] Added regex subexpression TX.0: accept [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:header_name_accept with value: /accept/ [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: HTTP header is restricted by policy (accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Executing chained rule. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 0) Executing operator "Within" with param "/proxy/ /lock-token/ /content-range/ /if/" Was: "" against TX:regex(^HEADER_NAME_). [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 920014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920200' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920201' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920230' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920300' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920271' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920320' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920121' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920341' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920016' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920272' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920018' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920202' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920273' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920274' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920275' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '920460' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-920-PROTOCOL-ENFORCEMENT [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 17 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921110) Executing operator "Rx" with param "[\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" against ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921120) Executing operator "Rx" with param "[\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921130) Executing operator "Rx" with param "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921140) Executing operator "Rx" with param "[\n\r]" against REQUEST_HEADERS_NAMES|REQUEST_HEADERS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "Host" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "Host" (Variable: REQUEST_HEADERS_NAMES:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "User-Agent" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "User-Agent" (Variable: REQUEST_HEADERS_NAMES:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "Accept" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "Accept" (Variable: REQUEST_HEADERS_NAMES:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921150) Executing operator "Rx" with param "[\n\r]" against ARGS_NAMES. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 921014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921151' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921016' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921170' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921180' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '921018' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-921-PROTOCOL-ATTACK [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 6 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930100) Executing operator "Rx" with param "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" against REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q="><script>alert(1)</script>" (Variable: REQUEST_URI_RAW) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQUEST_BODY) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930110) Executing operator "Rx" with param "(?:^|[\\/])\.\.(?:[\\/]|$)" against REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "/?q="><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "/?q="><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "/?q="><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (1) t:cmdLine: "/?q=><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] multiMatch is enabled. 2 values to be tested. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q="><script>alert(1)</script>" (Variable: REQUEST_URI) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/?q=><script>alert(1)</script>" (Variable: REQUEST_URI) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] multiMatch is enabled. 1 values to be tested. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQUEST_BODY) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] multiMatch is enabled. 1 values to be tested. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] multiMatch is enabled. 1 values to be tested. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] multiMatch is enabled. 1 values to be tested. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930120) Executing operator "PmFromFile" with param "lfi-os-files.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalizePathWin: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalizePathWin: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930130) Executing operator "PmFromFile" with param "restricted-files.data" against REQUEST_FILENAME. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalizePathWin: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 930014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '930016' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '930018' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-930-APPLICATION-ATTACK-LFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 3 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931100) Executing operator "Rx" with param "^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" against ARGS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931110) Executing operator "Rx" with param "(?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" against QUERY_STRING|REQUEST_BODY. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q="><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q="><script>alert(1)</script>" (Variable: QUERY_STRING) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "" (Variable: REQUEST_BODY) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931120) Executing operator "Rx" with param "^(?i:file|ftps?|https?).*?\?+$" against ARGS. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 931014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '931130' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '931016' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '931018' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-931-APPLICATION-ATTACK-RFI [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 4 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932100) Executing operator "Rx" with param "(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(||${|<(|>(|(\s*))\s*(?:{|\s*(\s*|\w+=(?:[^\s]|$.|$.|<.|>.|'.'|".")\s+|!\s|$)\s(?:'|")(?:[?*[]()-|+\w'"./\\]+/)?[\\'"](?:l[\\'"](?:w[\\'"]p[\\'"]-[\\'"](?:d[\\'"]*(?:o[\\'"]*w[\\'"]*n[\\'"]*l[\\'"]*o[\\'"]*a[\\'"]*d|u[\\'"]*m[\\'"]*p)|r[\\'"]*e[\\'"]*q[\\'"]*u[\\'"]*e[\\'"]*s[\\'"]*t|m[\\'"]*i[\\'"]*r[\\'"]*r[\\'"]o[\\'"]r)|s(?:[\\'"](?:b[\\'"]_[\\'"]*r[\\'"]*e[\\'"]*l[\\'"]*e[\\'"]*a[\\'"]*s[\\'"]*e|c[\\'"]*p[\\'"]*u|m[\\'"]*o[\\'"]*d|p[\\'"]*c[\\'"]*i|u[\\'"]*s[\\'"]*b|-[\\'"]*F|h[\\'"]w|o[\\'"]f))?|z[\\'"](?:(?:[ef][\\'"])?g[\\'"]*r[\\'"]*e[\\'"]p|c[\\'"](?:a[\\'"]*t|m[\\'"]p)|m[\\'"](?:o[\\'"]*r[\\'"]*e|a)|d[\\'"]*i[\\'"]*f[\\'"]*f|l[\\'"]*e[\\'"]*s[\\'"]*s)|e[\\'"]*s[\\'"]s[\\'"](?:(?:f[\\'"]*i[\\'"]*l|p[\\'"]*i[\\'"]*p)[\\'"]*e|e[\\'"]*c[\\'"]*h[\\'"]o|(?:\s|<|>).)|a[\\'"]*s[\\'"]t[\\'"](?:l[\\'"]*o[\\'"]*g(?:[\\'"]*i[\\'"]*n)?|c[\\'"]o[\\'"]m[\\'"]m|(?:\s|<|>).)|o[\\'"](?:c[\\'"]a[\\'"](?:t[\\'"]e|l)[\\'"](?:\s|<|>).|g[\\'"]*n[\\'"]*a[\\'"]*m[\\'"]e)|d[\\'"](?:c[\\'"]*o[\\'"]*n[\\'"]*f[\\'"]i[\\'"]g|d[\\'"](?:\s|<|>).)|f[\\'"]*t[\\'"]*p(?:[\\'"]g[\\'"]e[\\'"]t)?|(?:[np]|y[\\'"]n[\\'"]x)[\\'"](?:\s|<|>).)|b[\\'"](?:z[\\'"](?:(?:[ef][\\'"])?g[\\'"]*r[\\'"]*e[\\'"]*p|d[\\'"]*i[\\'"]*f[\\'"]*f|l[\\'"]*e[\\'"]*s[\\'"]*s|m[\\'"]*o[\\'"]*r[\\'"]*e|c[\\'"]*a[\\'"]*t|i[\\'"]*p[\\'"]*2)|s[\\'"]d[\\'"](?:c[\\'"]*a[\\'"]*t|i[\\'"]*f[\\'"]*f|t[\\'"]*a[\\'"]r)|a[\\'"](?:t[\\'"]c[\\'"]h[\\'"](?:\s|<|>).|s[\\'"]*h)|r[\\'"]*e[\\'"]*a[\\'"]*k[\\'"]*s[\\'"]*w|u[\\'"]*i[\\'"]*l[\\'"]t[\\'"]i[\\'"]n)|c[\\'"](?:o[\\'"](?:m[\\'"](?:p[\\'"]*r[\\'"]*e[\\'"]*s[\\'"]*s|m[\\'"]*a[\\'"]n[\\'"]d)[\\'"](?:\s|<|>).|p[\\'"]*r[\\'"]*o[\\'"]c)|h[\\'"](?:d[\\'"]i[\\'"]r[\\'"](?:\s|<|>).|f[\\'"]*l[\\'"]*a[\\'"]*g[\\'"]*s|a[\\'"]*t[\\'"]*t[\\'"]*r|m[\\'"]*o[\\'"]*d)|r[\\'"]*o[\\'"]*n[\\'"]*t[\\'"]*a[\\'"]b|(?:[cp]|a[\\'"]t)[\\'"](?:\s|<|>).|u[\\'"]*r[\\'"]l|s[\\'"]h)|f[\\'"](?:i(?:[\\'"](?:l[\\'"]e[\\'"](?:t[\\'"]*e[\\'"]s[\\'"]t|(?:\s|<|>).)|n[\\'"]d[\\'"](?:\s|<|>).))?|t[\\'"]p[\\'"](?:s[\\'"]*t[\\'"]*a[\\'"]*t[\\'"]*s|w[\\'"]*h[\\'"]o|(?:\s|<|>).)|u[\\'"]*n[\\'"]*c[\\'"]*t[\\'"]*i[\\'"]*o[\\'"]*n|(?:e[\\'"]*t[\\'"]c[\\'"]h|c)[\\'"](?:\s|<|>).|o[\\'"]*r[\\'"]*e[\\'"]*a[\\'"]*c[\\'"]*h|g[\\'"]r[\\'"]e[\\'"]p)|e[\\'"](?:n[\\'"](?:v(?:[\\'"]-[\\'"]*u[\\'"]*p[\\'"]*d[\\'"]*a[\\'"]*t[\\'"]e)?|d[\\'"](?:i[\\'"]f|s[\\'"]w))|x[\\'"](?:p[\\'"](?:a[\\'"]*n[\\'"]*d|o[\\'"]*r[\\'"]t|r)|e[\\'"]c[\\'"](?:\s|<|>).)|c[\\'"]h[\\'"]o[\\'"](?:\s|<|>).|g[\\'"]*r[\\'"]*e[\\'"]*p|s[\\'"]*a[\\'"]*c|v[\\'"]a[\\'"]l)|h[\\'"](?:t[\\'"](?:d[\\'"]*i[\\'"]*g[\\'"]*e[\\'"]*s[\\'"]*t|p[\\'"]*a[\\'"]*s[\\'"]*s[\\'"]*w[\\'"]*d)|o[\\'"]*s[\\'"]t[\\'"](?:n[\\'"]*a[\\'"]*m[\\'"]*e|i[\\'"]*d)|(?:e[\\'"]*a[\\'"]d|u[\\'"]p)[\\'"](?:\s|<|>).|i[\\'"]*s[\\'"]*t[\\'"]o[\\'"]r[\\'"]y)|i[\\'"](?:p[\\'"](?:(?:6[\\'"])?t[\\'"]*a[\\'"]*b[\\'"]*l[\\'"]*e[\\'"]*s|c[\\'"]*o[\\'"]*n[\\'"]*f[\\'"]i[\\'"]g)|r[\\'"]b(?:[\\'"](?:1(?:[\\'"][89])?|2[\\'"][012]))?|f[\\'"]*c[\\'"]*o[\\'"]*n[\\'"]f[\\'"]i[\\'"]g|d[\\'"](?:\s|<|>).)|g[\\'"](?:(?:e[\\'"]*t[\\'"]*f[\\'"]*a[\\'"]*c[\\'"]*l|r[\\'"]*e[\\'"]p|c[\\'"]c|i[\\'"]t)[\\'"](?:\s|<|>).|z[\\'"](?:c[\\'"]*a[\\'"]*t|i[\\'"]*p)|u[\\'"]*n[\\'"]*z[\\'"]*i[\\'"]*p|d[\\'"]b)|a[\\'"](?:(?:l[\\'"]*i[\\'"]*a[\\'"]s|w[\\'"]k)[\\'"](?:\s|<|>).|d[\\'"]*d[\\'"]*u[\\'"]*s[\\'"]*e[\\'"]*r|p[\\'"]t[\\'"]-[\\'"]g[\\'"]e[\\'"]t|r[\\'"](?:c[\\'"]h[\\'"](?:\s|<|>).|p))|d[\\'"](?:h[\\'"]*c[\\'"]*l[\\'"]*i[\\'"]*e[\\'"]*n[\\'"]*t|(?:i[\\'"]f[\\'"]f|u)[\\'"](?:\s|<|>).|(?:m[\\'"]*e[\\'"]*s|p[\\'"]*k)[\\'"]g|o[\\'"](?:a[\\'"]*s|n[\\'"]*e)|a[\\'"]*s[\\'"]h)|m[\\'"](?:(?:k[\\'"]*d[\\'"]*i[\\'"]r|o[\\'"]r[\\'"]e)[\\'"](?:\s|<|>).|a[\\'"]i[\\'"]l[\\'"](?:x[\\'"](?:\s|<|>).|q)|l[\\'"]*o[\\'"]*c[\\'"]*a[\\'"]t[\\'"]e)|j[\\'"](?:(?:a[\\'"]v[\\'"]a|o[\\'"]b[\\'"]s)[\\'"](?:\s|<|>).|e[\\'"]x[\\'"]e[\\'"]c)|k[\\'"]i[\\'"]l[\\'"]l[\\'"](?:a[\\'"]l[\\'"]l|(?:\s|<|>).)|(?:G[\\'"]E[\\'"]T[\\'"](?:\s|<|>)|.\s).|7[\\'"]z(?:[\\'"][ar])?)\b" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/.[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q)
[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q)
[157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0.
[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned.
[157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932105) Executing operator "Rx" with param "(?:;|{||||||&|&&|\n|\r|$(|$((|
|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932110) Executing operator "Rx" with param "(?i)(?:;|\{|\||\|\||&|&&|\n|\r|)\s[(,@'"\s](?:[\w'"./]+/|[\\'"^]\w[\\'"^]:.\\|[^\.\w '\"/\\\\]]\\)?["^](?:m["^](?:y["^]*s["^]*q["^]l(?:["^](?:d["^]*u["^]*m["^]*p(?:["^]*s["^]*l["^]*o["^]*w)?|h["^]*o["^]*t["^]*c["^]*o["^]*p["^]*y|a["^]*d["^]*m["^]*i["^]*n|s["^]*h["^]o["^]w))?|s["^](?:i["^](?:n["^]*f["^]*o["^]*3["^]*2|e["^]*x["^]*e["^]*c)|c["^]*o["^]*n["^]*f["^]i["^]g|g["^](?:[\s,;]|.|/|<|>).|t["^]*s["^]c)|o["^](?:u["^]n["^]t["^](?:(?:[\s,;]|.|/|<|>).|v["^]*o["^]*l)|v["^]*e["^]*u["^]*s["^]e["^]r|[dr]["^]e["^](?:[\s,;]|.|/|<|>).)|k["^](?:d["^]i["^]r["^](?:[\s,;]|.|/|<|>).|l["^]*i["^]*n["^]k)|d["^](?:s["^]*c["^]*h["^]*e["^]d|(?:[\s,;]|.|/|<|>).)|a["^]*p["^]*i["^]*s["^]*e["^]*n["^]*d|b["^]*s["^]*a["^]*c["^]*l["^]*i|e["^]*a["^]*s["^]*u["^]*r["^]*e|m["^]*s["^]y["^]s)|d["^](?:i["^](?:s["^]k["^](?:(?:m["^]*g["^]*m|p["^]*a["^]*r)["^]*t|s["^]*h["^]*a["^]d["^]o["^]w)|r["^](?:(?:[\s,;]|.|/|<|>).|u["^]s["^]e)|f["^]f["^](?:[\s,;]|.|/|<|>).)|e["^](?:l["^](?:p["^]*r["^]*o["^]*f|t["^]*r["^]e["^]e|(?:[\s,;]|.|/|<|>).)|v["^](?:m["^]*g["^]*m["^]*t|c["^]*o["^]*n)|(?:f["^]*r["^]*a|b["^]u)["^]g)|s["^](?:a["^](?:c["^]*l["^]*s|d["^]*d)|q["^]*u["^]*e["^]*r["^]*y|m["^]o["^](?:v["^]*e|d)|g["^]*e["^]*t|r["^]*m)|(?:r["^]*i["^]*v["^]*e["^]*r["^]*q["^]*u["^]*e["^]*r|o["^]*s["^]*k["^]*e)["^]*y|(?:c["^]*o["^]*m["^]*c["^]*n["^]*f|x["^]*d["^]*i["^]*a)["^]*g|a["^]t["^]e["^](?:[\s,;]|.|/|<|>).|n["^]*s["^]s["^]t["^]a["^]t)|c["^](?:o["^](?:m["^](?:p["^](?:(?:a["^]c["^]t["^])?(?:[\s,;]|.|/|<|>).|m["^]*g["^]*m["^]*t)|e["^]*x["^]p)|n["^](?:2["^]*p|v["^]*e)["^]*r["^]*t|p["^]y)|l["^](?:e["^]a["^](?:n["^]*m["^]*g["^]*r|r["^]*m["^]*e["^]*m)|u["^]*s["^]*t["^]e["^]r)|h["^](?:k["^](?:n["^]*t["^]*f["^]*s|d["^]s["^]k)|d["^]i["^]r["^](?:[\s,;]|.|/|<|>).)|s["^](?:c["^](?:r["^]*i["^]*p["^]*t|c["^]*m["^]*d)|v["^]*d["^]*e)|e["^]*r["^]t["^](?:u["^]*t["^]*i["^]*l|r["^]e["^]q)|a["^](?:l["^]l["^](?:[\s,;]|.|/|<|>).|c["^]*l["^]*s)|m["^]*d(?:["^]*k["^]*e["^]*y)?|i["^]*p["^]*h["^]*e["^]*r|u["^]*r["^]l)|f["^](?:o["^]r["^](?:m["^]a["^]t["^](?:[\s,;]|.|/|<|>).|f["^]*i["^]*l["^]*e["^]*s|e["^]*a["^]*c["^]*h)|i["^]n["^]d["^](?:(?:[\s,;]|.|/|<|>).|s["^]*t["^]r)|s["^](?:m["^]*g["^]*m["^]*t|u["^]t["^]i["^]l)|t["^](?:p["^](?:[\s,;]|.|/|<|>).|y["^]*p["^]*e)|r["^]*e["^]*e["^]*d["^]*i["^]s["^]k|c["^](?:[\s,;]|.|/|<|>).|g["^]*r["^]e["^]p)|n["^](?:e["^]t["^](?:s["^](?:t["^]*a["^]*t|v["^]c|h)|(?:[\s,;]|.|/|<|>).|c["^]*a["^]*t|d["^]*o["^]m)|t["^](?:b["^]*a["^]*c["^]*k["^]*u["^]*p|r["^]*i["^]*g["^]*h["^]*t["^]*s)|(?:s["^]*l["^]*o["^]*o["^]*k["^]*u|m["^]a)["^]p|c["^](?:(?:[\s,;]|.|/|<|>).|a["^]*t)|b["^]*t["^]*s["^]*t["^]*a["^]t)|e["^](?:x["^]p["^](?:a["^]n["^]d["^](?:[\s,;]|.|/|<|>).|l["^]*o["^]*r["^]*e["^]*r)|v["^]*e["^]*n["^]t["^](?:c["^]*r["^]*e["^]*a["^]*t["^]*e|v["^]*w["^]*r)|n["^]*d["^]*l["^]*o["^]*c["^]*a["^]*l|g["^]*r["^]*e["^]*p|r["^]*a["^]*s["^]*e|c["^]*h["^]o)|g["^](?:a["^]*t["^]*h["^]*e["^]*r["^]*n["^]*e["^]*t["^]*w["^]*o["^]*r["^]*k["^]*i["^]*n["^]*f["^]o|p["^](?:(?:r["^]*e["^]*s["^]*u["^]*l|e["^]*d["^]*i)["^]*t|u["^]*p["^]*d["^]*a["^]*t["^]e)|i["^]t["^](?:[\s,;]|.|/|<|>).|e["^]*t["^]m["^]a["^]c)|i["^](?:r["^]b(?:["^](?:1(?:["^][89])?|2["^][012]))?|f["^]*m["^]*e["^]*m["^]*b["^]*e["^]*r|p["^]*c["^]*o["^]*n["^]*f["^]*i["^]*g|n["^]*e["^]*t["^]*c["^]*p["^]*l|c["^]*a["^]*c["^]l["^]s)|a["^](?:d["^](?:d["^]*u["^]*s["^]*e["^]*r["^]*s|m["^]*o["^]*d["^]*c["^]*m["^]d)|r["^]p["^](?:[\s,;]|.|/|<|>).|t["^]*t["^]*r["^]*i["^]*b|s["^]*s["^]*o["^]*c|z["^]*m["^]*a["^]n)|l["^](?:o["^]g["^](?:e["^]*v["^]*e["^]*n["^]*t|t["^]*i["^]*m["^]*e|m["^]*a["^]*n|o["^]*f["^]*f)|a["^]*b["^]e["^]l["^](?:[\s,;]|.|/|<|>).|u["^]*s["^]*r["^]*m["^]*g["^]r)|b["^](?:(?:c["^]d["^](?:b["^]*o["^]*o|e["^]*d["^]*i)|r["^]*o["^]*w["^]*s["^]*t["^]*a)["^]*t|i["^]*t["^]*s["^]*a["^]*d["^]*m["^]*i["^]*n|o["^]*o["^]*t["^]*c["^]*f["^]g)|h["^](?:o["^]*s["^]*t["^]*n["^]*a["^]*m["^]*e|d["^]*w["^]*w["^]*i["^]z)|j["^]a["^]v["^]a["^](?:[\s,;]|.|/|<|>).|7["^]z(?:["^][ar])?)(?:.["^]\w+)?\b" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/.[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q)
[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q)
[157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0.
[157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned.
[157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932115) Executing operator "Rx" with param "(?i)(?:;|{||||||&|&&|\n|\r|
)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932120) Executing operator "PmFromFile" with param "windows-powershell-commands.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932130) Executing operator "Rx" with param "(?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932140) Executing operator "Rx" with param "\b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932150) Executing operator "Rx" with param "(?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalizePath: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalizePath: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932170) Executing operator "Rx" with param "^\(\s*\)\s+{" against REQUEST_HEADERS|REQUEST_LINE. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "localhost:8080" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "*/*" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "GET /?q="><script>alert(1)</script> HTTP/1.1" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "GET /?q="><script>alert(1)</script> HTTP/1.1" (Variable: REQUEST_LINE) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932171) Executing operator "Rx" with param "^\(\s*\)\s+{" against ARGS_NAMES|ARGS|FILES_NAMES. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932180) Executing operator "PmFromFile" with param "restricted-upload.data" against FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 932014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932016' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932106' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932190' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '932018' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-932-APPLICATION-ATTACK-RCE [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 5 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933100) Executing operator "Rx" with param "(?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933110) Executing operator "Rx" with param ".*\.(?:php\d*|phtml)\.*$" against FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933120) Executing operator "PmFromFile" with param "php-config-directives.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalisePath: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalisePath: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933130) Executing operator "PmFromFile" with param "php-variables.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalisePath: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:normalisePath: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933140) Executing operator "Rx" with param "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933200) Executing operator "Rx" with param "(?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cmdLine: "><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933150) Executing operator "PmFromFile" with param "php-function-names-933150.data" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:lowercase: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933160) Executing operator "Rx" with param "(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933170) Executing operator "Rx" with param "[oOcC]:\d+:\".+?\":\d+:{.*}" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "localhost:8080" (Variable: REQUEST_HEADERS:Host) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "*/*" (Variable: REQUEST_HEADERS:Accept) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933180) Executing operator "Rx" with param "\$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933210) Executing operator "Rx" with param "(?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:replaceComments: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:compressWhitespace: "/" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "/" (Variable: REQUEST_FILENAME) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:replaceComments: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:compressWhitespace: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:replaceComments: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:compressWhitespace: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 933014) Executing operator "Lt" with param "2" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: skipAfter [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Setting skipAfter for: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: pass. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action pass [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933151' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933016' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933131' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933161' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933111' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933190' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '933018' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Skipped rule id '0' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule: END-REQUEST-933-APPLICATION-ATTACK-PHP [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Out of a SecMarker after skip 8 rules. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 941012) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL) [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 0. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars cleaned. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] (Rule: 941100) Executing operator "DetectXSS against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:jsDecode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cssDecode: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "curl/7.54.0" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "curl/7.54.0" (Variable: REQUEST_HEADERS:User-Agent) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] libinjection was not able to find any XSS in: curl/7.54.0 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:jsDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cssDecode: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: "q" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: "q" (Variable: ARGS_NAMES:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [9] libinjection was not able to find any XSS in: q [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:utf8toUnicode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:urlDecodeUni: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:htmlEntityDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:jsDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:cssDecode: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] T (0) t:removeNulls: ""><script>alert(1)</script>" [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Target value: ""><script>alert(1)</script>" (Variable: ARGS:q) [157893220069.056272] [/?q="><script>alert(1)</script>] [5] detected XSS using libinjection. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Matched vars updated. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:xss_score with value: 5 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running [independent] (non-disruptive) action: setvar [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Saving variable: TX:anomaly_score_pl1 with value: 5 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] This rule severity is: 2 current transaction is: 2 [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving msg: XSS Attack Detected via libinjection [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Rule returned 1. [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: nolog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: auditlog [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Saving transaction to logs [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: status [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: application-multi [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: language-multi [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: platform-multi [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: attack-xss [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: paranoia-level/1 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: OWASP_CRS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: OWASP_CRS/WEB_ATTACK/XSS [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: WASCTC/WASC-8 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: WASCTC/WASC-22 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: OWASP_TOP_10/A3 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: OWASP_AppSensor/IE1 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (non-disruptive) action: tag [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Rule tag: CAPEC-242 [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Running (disruptive) action: block. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Marking request as disruptive. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Running action deny [157893220069.056272] [/?q="><script>alert(1)</script>] [9] Running action: ctl [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Skipping this phase as this request was already intercepted. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Not appending response body. Response Content-Type is . It is not marked to be inspected. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Not appending response body. Response Content-Type is . It is not marked to be inspected. [157893220069.056272] [/?q="><script>alert(1)</script>] [4] Starting phase RESPONSE_BODY. (SecRules 4) [157893220069.056272] [/?q="><script>alert(1)</script>] [5] Response Content-Type is . It is not marked to be inspected. [157893220069.056272] [/?q="><script>alert(1)</script>] [8] Content-Type(s) marked to be inspected: text/html text/plain text/xml/var/log/nginx/error.log
2020/01/13 16:20:12 [error] 6#6: *4 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.17.0.3"] [uri "/"] [unique_id "157893241261.889121"] [ref "v8,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"], client: 172.17.0.1, server: juice.sky, request: "GET /?q="><script>alert(1)</script> HTTP/1.1", host: "localhost:8080"To Reproduce
Steps to reproduce the behavior:
Enable RuleEngine and audit logs in modsecurity.conf,
A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.
[e.g: curl "modsec-full/ca/..\..\..\..\..\..\/\etc/\passwd" or issue-394.json]
curl 'http://localhost:8080/?q="><script>alert(1)</script>'Expected behavior
A clear and concise description of what you expected to happen.
Block logged in /var/log/modsec_audit.log
Server (please complete the following information):
ModSecurity version v3.0.4 with nginx-connector v1.0.1
nginx-1.17.6
Linux, Debian 10 (Buster)
Rule Set (please complete the following information):
OWASP v3.3
Additional context
Add any other context about the problem here.
`root@8f378ae6cecd:/# cat /usr/local/owasp-modsecurity-crs/crs-setup.conf
Set block by default (Won't block if SecRuleEngine is in detectiononly or off)
SecDefaultAction "phase:1,nolog,auditlog,deny,status:403"
SecDefaultAction "phase:2,nolog,auditlog,deny,status:403"
Set installed CRS version
SecAction
"id:900990,
phase:1,
nolog,
pass,
t:none,
setvar:tx.crs_setup_version=330"
Set timeout to lower value
SecCollectionTimeout 600`
The text was updated successfully, but these errors were encountered: