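# - Ruleset Common -
# Do NOT edit this file as it is generated every time the module starts
# and provides the 'ruleset-Common' function
#
# NOTE(review): this file is regenerated, so any change made here (including
# the two corrected rule labels marked below) must also be made in the rule
# source the generator reads, or it is lost at the next module start.
#
# ruleset-Common
#   Classifies the text in $REPLY against a fixed, ordered rule list.
#   Rules are tried top to bottom and the first hit returns, so order matters.
#
#   Reads:    REPLY  (presumably one access-log line -- confirm with the caller)
#   Sets:     WEB_CLASS, RULE, Pattern. They are not declared local here, so
#             they stay visible to inject/kickoff and to the caller.
#   Calls:    trace, setdebug, inject, kickoff (all defined outside this file).
#   Returns:  241 when a debug token was found,
#             the exit status of inject/kickoff when a rule matched,
#             0 when nothing matched (RULE is then NO_RULESET_MATCH-[ruleset-Common]).
#
#   Matching: the right-hand side of =~ is quoted, so bash treats each Pattern
#   as a literal, case-sensitive substring that may occur anywhere in $REPLY.
#
# NOTE(review), detection-quality caveats:
#   * The debug tokens are searched in the same $REPLY as the rules. If $REPLY
#     carries client-supplied text (request line, Referer, User-Agent), a
#     remote client can switch the filter's debug level by sending such a
#     token. Consider accepting the tokens only from a trusted input.
#   * ' 401 ' and ' 403 ' hit any space-delimited field with that value (for
#     example a response size), not only the status code -- confirm against
#     the log format and anchor the pattern to the status field if possible.
#   * Only the spellings listed here are caught (see PMA-1..PMA-4, which list
#     case variants by hand); other casings or encodings pass unmatched.
#
ruleset-Common() {
    local funtag="[${FUNCNAME[0]}]"

    # ':' is the null command: these two lines assign nothing, they only
    # carry generator metadata (and show up in an xtrace).
    : FILTER_STATE=Initial
    : FILTER_DATE=2025-08-04T19:40:41+02:00

    local debugs="@nodebug|@notrace|@alloff|@debug|@debug2|@trace"
    local debfun

    # ---- Debug switch ---------------------------------------------------
    # $debugs is expanded unquoted inside (...), so here it IS a regex
    # alternation; the matched token lands in BASH_REMATCH[1].
    RULE=SetDebug
    if [[ "$REPLY" =~ ($debugs) ]]
    then
        debfun=${BASH_REMATCH[1]}       # Extract found matches
        trace "$funtag Debuging $debfun wanted"
        setdebug "$debfun"
        Pattern="$debfun"               # Let the post processor know the choice ...
        return 241
    fi

    # ---- Scanner: known scanner host names / crawler agent -> inject 5 ---
    # The meaning of inject's numeric argument is defined by inject itself.
    WEB_CLASS=Scanner

    RULE="Shodan-Scanner"
    Pattern='.shodan.io['
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    RULE="Censys-Scanner"
    Pattern='.censys-scanner.com['
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    RULE="Cyberresilience-Scanner"
    Pattern='.cyberresilience.io['
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    RULE="BinaryEdge-Scanner"
    Pattern='.binaryedge.ninja['
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    RULE="Anthropic-AI"
    Pattern='"anthropic-ai"'
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    # ---- Destroyer: probes for shells, secrets and tool signatures -> kickoff
    WEB_CLASS=Destroyer

    # Label corrected: this rule was named PROPFIND, duplicating the Aggressor
    # rule further down, so a "GET /shell" hit was reported under the wrong name.
    RULE=GET-shell
    Pattern="GET /shell"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=NMAP-Attack
    Pattern="(compatible; Nmap"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=FAKE-Referer1
    Pattern="ALittle Client"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Dot-env
    Pattern="GET /.env"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=APP-Dot-env
    Pattern="GET /app/.env"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Dot-git
    Pattern="GET /.git"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Dot-aws
    Pattern="GET /.aws"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    # ---- Illegal-Wordpress: WordPress paths requested via GET -> kickoff --
    WEB_CLASS=Illegal-Wordpress

    # NOTE(review): "wp-inludes" looks like a misspelling of "wp-includes";
    # a separate WP-INCLUDES rule exists below. Left unchanged -- confirm
    # whether the misspelled path is matched on purpose.
    RULE=WP-inludes
    Pattern="/wp-inludes/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP
    Pattern="GET /wp/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WEBSITE
    Pattern="GET /website/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WORDPRESS
    Pattern="GET /wordpress/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP-admin
    Pattern="GET /wp-admin/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP-Login
    Pattern="GET /wp-login.php"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP-JSON
    Pattern="GET /wp-json"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP-CONTENT
    Pattern="GET /wp-content"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=WP-INCLUDES
    Pattern="GET /wp-includes"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    # ---- Aggressor: PROPFIND / POST probes -> inject 4 (last two: kickoff)
    WEB_CLASS=Aggressor

    RULE=PROPFIND
    Pattern="PROPFIND /"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-admin-index
    Pattern="POST /administrator/index.php"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-autodiscover
    Pattern="POST /Autodiscover/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-phpunit
    Pattern="POST /vendor/phpunit/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-cgi-bin
    Pattern="POST /cgi-bin/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-wp-includes
    Pattern="POST /wp-includes/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-db-init
    Pattern="POST /db.init.php"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-db-session
    Pattern="POST /db_session.init.php"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-Black+white
    Pattern="POST /editBlackAndWhiteList"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 4; return $?; fi

    RULE=POST-loginregister
    Pattern="POST /login-register/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=POST_en_login
    Pattern="POST /en/log-in"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    # ---- HEADscan: any HEAD request -> inject 3 ---------------------------
    WEB_CLASS=HEADscan

    RULE=HEAD-Scanner
    Pattern="HEAD /"
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 3; return $?; fi

    # ---- Trialbaloons: paths this site treats as probes -> kickoff -------
    WEB_CLASS=Trialbaloons

    RULE=Double-Dash
    Pattern="GET //"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=BREAK-vendor
    Pattern="GET /vendor/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=BREAK-webdav
    Pattern="GET /webdav/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=BREAK-owa
    Pattern="GET /owa/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=PMA-1
    Pattern="GET /phpMyadmin"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=PMA-2
    Pattern="GET /phpmyadmin"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=PMA-3
    Pattern="GET /pma/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=PMA-4
    Pattern="GET /PMA/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Agent
    Pattern="GET /agent/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Agent2
    Pattern="GET /agc/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    RULE=Illegal_css
    Pattern="GET /css/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    # ---- Fake-Request ----------------------------------------------------
    WEB_CLASS=Fake-Request

    # Label corrected: this rule was named Double-Dash, duplicating the
    # "GET //" rule above, so the two detections could not be told apart.
    RULE=FAKE-produkte
    Pattern="GET /en/produkte/"
    if [[ "$REPLY" =~ "$Pattern" ]]; then kickoff; return $?; fi

    # ---- Forbidden: inject is called without an argument here ------------
    # NOTE(review): see the header caveat -- these match ' 401 ' / ' 403 '
    # in any field of $REPLY, not only the status code.
    WEB_CLASS=Forbidden

    RULE=401
    Pattern=' 401 '
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject; return $?; fi

    RULE=403
    Pattern=' 403 '
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject; return $?; fi

    # ---- Robots-Txt ------------------------------------------------------
    WEB_CLASS=Robots-Txt

    RULE=Robots-Txt
    Pattern='GET /robots.txt'
    if [[ "$REPLY" =~ "$Pattern" ]]; then inject 5; return $?; fi

    # Nothing matched. WEB_CLASS and Pattern still hold the values of the
    # last rule tried; only RULE is reset to mark the miss.
    RULE=NO_RULESET_MATCH-$funtag
    return 0
}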