Skip to content

Instantly share code, notes, and snippets.

Revisions

  1. @francabrera francabrera created this gist Sep 20, 2016.
    968 changes: 968 additions & 0 deletions Cloudant View for Intrusion Detection System
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,968 @@
    function (doc) {
    if (doc.loopback__model__name == "Auditlog"){
    var filters = {
    "filters":{
    "filter":[
    {
    "id":"1",
    "rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")",
    "description":"Finds html breaking injections including whitespace attacks",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"2",
    "rule":"(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\s*\\w+\\s*=)|(?:>\\w=\\\/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])",
    "description":"Finds attribute breaking injections including whitespace attacks",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"3",
    "rule":"(?:^>[\\w\\s]*<\\\/?\\w{2,}>)",
    "description":"Finds unquoted attribute breaking injections",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"2"
    },
    {
    "id":"4",
    "rule":"(?:[+\\\/]\\s*name[\\W\\d]*[)+])|(?:;\\W*url\\s*=)|(?:[^\\w\\s\\\/?:>]\\s*(?:location|referrer|name)\\s*[^\\\/\\w\\s-])",
    "description":"Detects url-, name-, JSON, and referrer-contained payload attacks",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"5",
    "rule":"(?:\\W\\s*hash\\s*[^\\w\\s-])|(?:\\w+=\\W*[^,]*,[^\\s(]\\s*\\()|(?:\\?\"[^\\s\"]\":)|(?:(?<!\\\/)__[a-z]+__)|(?:(?:^|[\\s)\\]\\}])(?:s|g)etter\\s*=)",
    "description":"Detects hash-contained xss payload attacks, setter usage and property overloading",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"6",
    "rule":"(?:with\\s*\\(\\s*.+\\s*\\)\\s*\\w+\\s*\\()|(?:(?:do|while|for)\\s*\\([^)]*\\)\\s*\\{)|(?:\\\/[\\w\\s]*\\[\\W*\\w)",
    "description":"Detects self contained xss via with(), common loops and regex to string conversion",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"7",
    "rule":"(?:[=(].+\\?.+:)|(?:with\\([^)]*\\)\\))|(?:\\.\\s*source\\W)",
    "description":"Detects JavaScript with(), ternary operators and XML predicate attacks",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"8",
    "rule":"(?:\\\/\\w*\\s*\\)\\s*\\()|(?:\\([\\w\\s]+\\([\\w\\s]+\\)[\\w\\s]+\\))|(?:(?<!(?:mozilla\\\/\\d\\.\\d\\s))\\([^)[]+\\[[^\\]]+\\][^)]*\\))|(?:[^\\s!][{([][^({[]+[{([][^}\\])]+[}\\])][\\s+\",\\d]*[}\\])])|(?:\"\\)?\\]\\W*\\[)|(?:=\\s*[^\\s:;]+\\s*[{([][^}\\])]+[}\\])];)",
    "description":"Detects self-executing JavaScript functions",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"9",
    "rule":"(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\\d{2,3})",
    "description":"Detects the IE octal, hex and unicode entities",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"2"
    },
    {
    "id":"10",
    "rule":"(?:(?:\\\/|\\\\)?\\.+(\\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\\/[\\w*-]+\\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\\/(?:%2e){2})",
    "description":"Detects basic directory traversal",
    "tags":{
    "tag":[
    "dt",
    "id",
    "lfi"
    ]
    },
    "impact":"5"
    },
    {
    "id":"11",
    "rule":"(?:%c0%ae\\\/)|(?:(?:\\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\\/|\\\\))|(?:(?:\\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
    "description":"Detects specific directory and path traversal",
    "tags":{
    "tag":[
    "dt",
    "id",
    "lfi"
    ]
    },
    "impact":"5"
    },
    {
    "id":"12",
    "rule":"(?:etc\\\/\\W*passwd)",
    "description":"Detects etc\/passwd inclusion attempts",
    "tags":{
    "tag":[
    "dt",
    "id",
    "lfi"
    ]
    },
    "impact":"5"
    },
    {
    "id":"13",
    "rule":"(?:%u(?:ff|00|e\\d)\\w\\w)|(?:(?:%(?:e\\w|c[^3\\W]|))(?:%\\w\\w)(?:%\\w\\w)?)",
    "description":"Detects halfwidth\/fullwidth encoded unicode HTML breaking attempts",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"3"
    },
    {
    "id":"14",
    "rule":"(?:#@~\\^\\w+)|(?:\\w+script:|@import[^\\w]|;base64|base64,)|(?:\\w\\s*\\([\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+,[\\w\\s]+\\))",
    "description":"Detects possible includes, VBSCript\/JScript encodeed and packed functions",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"5"
    },
    {
    "id":"15",
    "rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\\wettimeout|(?:ms)?setimmediate|option|useragent)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.+\\-]))",
    "description":"Detects JavaScript DOM\/miscellaneous properties and methods",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"6"
    },
    {
    "id":"16",
    "rule":"([^*\\s\\w,.\\\/?+-]\\s*)?(?<![a-mo-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\",.:\\\/+\\-]))",
    "description":"Detects possible includes and typical script methods",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"5"
    },
    {
    "id":"17",
    "rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@])(\\s*return\\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\\w%\"]|(?:\\s*[^@\\\/\\s\\w%.+\\-]))",
    "description":"Detects JavaScript object properties and methods",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"18",
    "rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))",
    "description":"Detects JavaScript array properties and methods",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"19",
    "rule":"([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z\\\/_@\\-\\|])(\\s*return\\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\\w+codeuri\\w*)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%,.+\\-]))",
    "description":"Detects JavaScript string properties and methods",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"20",
    "rule":"(?:\\)\\s*\\[)|([^*\":\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z_@\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\\s*(?:each)?|elseif|case|switch|regex|boolean|location|(?:ms)?setimmediate|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\"]|(?:\\s*[^@\\s\\w%\".+\\-\\\/]))",
    "description":"Detects JavaScript language constructs",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"21",
    "rule":"(?:,\\s*(?:alert|showmodaldialog|eval)\\s*,)|(?::\\s*eval\\s*[^\\s])|([^:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z\\\/_@])(\\s*return\\s*)?(?:(?:document\\s*\\.)?(?:.+\\\/)?(?:alert|eval|msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write(?:ln)?|confirm|dialog|open))\\s*(?:[^.a-z\\s\\-]|(?:\\s*[^\\s\\w,.@\\\/+-]))|(?:java[\\s\\\/]*\\.[\\s\\\/]*lang)|(?:\\w\\s*=\\s*new\\s+\\w+)|(?:&\\s*\\w+\\s*\\)[^,])|(?:\\+[\\W\\d]*new\\s+\\w+[\\W\\d]*\\+)|(?:document\\.\\w)",
    "description":"Detects very basic XSS probings",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"3"
    },
    {
    "id":"22",
    "rule":"(?:=\\s*(?:top|this|window|content|self|frames|_content))|(?:\\\/\\s*[gimx]*\\s*[)}])|(?:[^\\s]\\s*=\\s*script)|(?:\\.\\s*constructor)|(?:default\\s+xml\\s+namespace\\s*=)|(?:\\\/\\s*\\+[^+]+\\s*\\+\\s*\\\/)",
    "description":"Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"5"
    },
    {
    "id":"23",
    "rule":"(?:\\.\\s*\\w+\\W*=)|(?:\\W\\s*(?:location|document)\\s*\\W[^({[;]+[({[;])|(?:\\(\\w+\\?[:\\w]+\\))|(?:\\w{2,}\\s*=\\s*\\d+[^&\\w]\\w+)|(?:\\]\\s*\\(\\s*\\w+)",
    "description":"Detects JavaScript location\/document property access and window access obfuscation",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"24",
    "rule":"(?:[\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\"])|(?:\\\/[\\w\\s]+\\\/\\.)|(?:=\\s*\\\/\\w+\\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
    "description":"Detects basic obfuscated JavaScript script injections",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"25",
    "rule":"(?:=\\s*[$\\w]\\s*[\\(\\[])|(?:\\(\\s*(?:this|top|window|self|parent|_?content)\\s*\\))|(?:src\\s*=s*(?:\\w+:|\\\/\\\/))|(?:\\w+\\[(\"\\w+\"|\\w+\\|\\|))|(?:[\\d\\W]\\|\\|[\\d\\W]|\\W=\\w+,)|(?:\\\/\\s*\\+\\s*[a-z\"])|(?:=\\s*\\$[^([]*\\()|(?:=\\s*\\(\\s*\")",
    "description":"Detects obfuscated JavaScript script injections",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"26",
    "rule":"(?:[^:\\s\\w]+\\s*[^\\w\\\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\\w])",
    "description":"Detects JavaScript cookie stealing and redirection attempts",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"27",
    "rule":"(?:(?:vbs|vbscript|data):.*[,+])|(?:\\w+\\s*=\\W*(?!https?)\\w+:)|(jar:\\w+:)|(=\\s*\"?\\s*vbs(?:ript)?:)|(language\\s*=\\s?\"?\\s*vbs(?:ript)?)|on\\w+\\s*=\\*\\w+\\-\"?",
    "description":"Detects data: URL injections, VBS injections and common URI schemes",
    "tags":{
    "tag":[
    "xss",
    "rfe"
    ]
    },
    "impact":"5"
    },
    {
    "id":"28",
    "rule":"(?:firefoxurl:\\w+\\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\\s*:\\s*[%&#xu\\\/]+)|(wyciwyg|firefoxurl\\s*:\\s*\\\/\\s*\\\/)",
    "description":"Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion\/execution",
    "tags":{
    "tag":[
    "xss",
    "rfe",
    "lfi",
    "csrf"
    ]
    },
    "impact":"5"
    },
    {
    "id":"29",
    "rule":"(?:binding\\s?=|moz-binding|behavior\\s?=)|(?:[\\s\\\/]style\\s*=\\s*[-\\\\])",
    "description":"Detects bindings and behavior injections",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"30",
    "rule":"(?:=\\s*\\w+\\s*\\+\\s*\")|(?:\\+=\\s*\\(\\s\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:\\\/\\s*\\?\\s*\")|(?:\\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\\/)",
    "description":"Detects common XSS concatenation patterns 1\/2",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"31",
    "rule":"(?:=\\s*\\d*\\.\\d*\\?\\d*\\.\\d*)|(?:[|&]{2,}\\s*\")|(?:!\\d+\\.\\d*\\?\")|(?:\\\/:[\\w.]+,)|(?:=[\\d\\W\\s]*\\[[^]]+\\])|(?:\\?\\w+:\\w+)",
    "description":"Detects common XSS concatenation patterns 2\/2",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe"
    ]
    },
    "impact":"4"
    },
    {
    "id":"32",
    "rule":"(?:[^\\w\\s=]on(?!g\\&gt;)\\w+[^=_+-]*=[^$]+(?:\\W|\\&gt;)?)",
    "description":"Detects possible event handlers",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"33",
    "rule":"(?:\\<\\w*:?\\s(?:[^\\>]*)t(?!rong))|(?:\\<scri)|(<\\w+:\\w+)",
    "description":"Detects obfuscated script tags and XML wrapped HTML",
    "tags":{
    "tag":"xss"
    },
    "impact":"4"
    },
    {
    "id":"34",
    "rule":"(?:\\<\\\/\\w+\\s\\w+)|(?:@(?:cc_on|set)[\\s@,\"=])",
    "description":"Detects attributes in closing tags and conditional compilation tokens",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"35",
    "rule":"(?:--[^\\n]*$)|(?:\\<!-|-->)|(?:[^*]\\\/\\*|\\*\\\/[^*])|(?:(?:[\\W\\d]#|--|{)$)|(?:\\\/{3,}.*$)|(?:<!\\[\\W)|(?:\\]!>)",
    "description":"Detects common comment types",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id"
    ]
    },
    "impact":"3"
    },
    {
    "id":"37",
    "rule":"(?:\\<base\\s+)|(?:<!(?:element|entity|\\[CDATA))",
    "description":"Detects base href injections and XML entity injections",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id"
    ]
    },
    "impact":"5"
    },
    {
    "id":"38",
    "rule":"(?:\\<[\\\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\\w+|image|im(?:g|port)))",
    "description":"Detects possibly malicious html elements including some attributes",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"4"
    },
    {
    "id":"39",
    "rule":"(?:\\\\x[01fe][\\db-ce-f])|(?:%[01fe][\\db-ce-f])|(?:&#[01fe][\\db-ce-f])|(?:\\\\[01fe][\\db-ce-f])|(?:&#x[01fe][\\db-ce-f])",
    "description":"Detects nullbytes and other dangerous characters",
    "tags":{
    "tag":[
    "id",
    "rfe",
    "xss"
    ]
    },
    "impact":"5"
    },
    {
    "id":"40",
    "rule":"(?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\()",
    "description":"Detects MySQL comments, conditions and ch(a)r injections",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"6"
    },
    {
    "id":"41",
    "rule":"(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])",
    "description":"Detects conditional SQL injection attempts",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"6"
    },
    {
    "id":"42",
    "rule":"(?:\"\\s*or\\s*\"?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:(?:^[\"\\\\]*(?:[\\d\"]+|[^\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[^\\w\\s]\\w+\\s*[|-]\\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[^\\w\\s])|(?:[^\\w\\s:]\\s*\\d\\W+[^\\w\\s]\\s*\".)|(?:\\Winformation_schema|table_name\\W)",
    "description":"Detects classic SQL injection probings 1\/2",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"6"
    },
    {
    "id":"43",
    "rule":"(?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\^\")|(?:^[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[^\\w\\s]+\\W*\\d\\W*.*[\"\\d])|(?:\"\\s*[^\\w\\s?]+\\s*[^\\w\\s]+\\s*\")|(?:\"\\s*[^\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[^\\d]+[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[^\\w\\s]+\"[^,])",
    "description":"Detects classic SQL injection probings 2\/2",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"6"
    },
    {
    "id":"44",
    "rule":"(?:\\d\"\\s+\"\\s+\\d)|(?:^admin\\s*\"|(\\\/\\*)+\"+\\s?(?:--|#|\\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[^\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|][\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\")",
    "description":"Detects basic SQL authentication bypass attempts 1\/3",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"45",
    "rule":"(?:union\\s*(?:all|distinct|[(!@]*)\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
    "description":"Detects basic SQL authentication bypass attempts 2\/3",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"46",
    "rule":"(?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|sounds\\s+like\\s*\"|[=\\d]+x))|(\"\\s*\\d\\s*(?:--|#))|(?:\"[%&<>^=]+\\d\\s*(=|or))|(?:\"\\W+[\\w+-]+\\s*=\\s*\\d\\W+\")|(?:\"\\s*is\\s*\\d.+\"?\\w)|(?:\"\\|?[\\w-]{3,}[^\\w\\s.,]+\")|(?:\"\\s*is\\s*[\\d.]+\\s*\\W.*\")",
    "description":"Detects basic SQL authentication bypass attempts 3\/3",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"47",
    "rule":"(?:[\\d\\W]\\s+as\\s*[\"\\w]+\\s*from)|(?:^[\\W\\d]+\\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*\\);)|(\"\\s+regexp\\W)|(?:[\\s(]load_file\\s*\\()",
    "description":"Detects concatenated basic SQL injection and SQLLFI attempts",
    "tags":{
    "tag":[
    "sqli",
    "id",
    "lfi"
    ]
    },
    "impact":"5"
    },
    {
    "id":"48",
    "rule":"(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*or\\s*\\d+\\s*[\\-+])|(?:\\\/\\w+;?\\s+(?:having|and|or|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s*\\w{2,})|(?:[^\\w]SET\\s*@\\w+)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*[!=+]+[\\s\\d]*[\"=()])",
    "description":"Detects chained SQL injection attempts 1\/2",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"6"
    },
    {
    "id":"49",
    "rule":"(?:\"\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w\"\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^\\w\\s])|(?:\\W!+\"\\w)|(?:\";\\s*(?:if|while|begin))|(?:\"[\\s\\d]+=\\s*\\d)|(?:order\\s+by\\s+if\\w*\\s*\\()|(?:[\\s(]+case\\d*\\W.+[tw]hen[\\s(])",
    "description":"Detects chained SQL injection attempts 2\/2",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"6"
    },
    {
    "id":"50",
    "rule":"(?:(select|;)\\s+(?:benchmark|if|sleep)\\s*?\\(\\s*\\(?\\s*\\w+)",
    "description":"Detects SQL benchmark and sleep injection attempts including conditional queries",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"4"
    },
    {
    "id":"51",
    "rule":"(?:create\\s+function\\s+\\w+\\s+returns)|(?:;\\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*[\\[(]?\\w{2,})",
    "description":"Detects MySQL UDF injection and other data\/structure manipulation attempts",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"6"
    },
    {
    "id":"52",
    "rule":"(?:alter\\s*\\w+.*character\\s+set\\s+\\w+)|(\";\\s*waitfor\\s+time\\s+\")|(?:\";.*:\\s*goto)",
    "description":"Detects MySQL charset switch and MSSQL DoS attempts",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"6"
    },
    {
    "id":"53",
    "rule":"(?:procedure\\s+analyse\\s*\\()|(?:;\\s*(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*\\w+\\s*\\(\\s*\\)\\s*-)|(?:declare[^\\w]+[@#]\\s*\\w+)|(exec\\s*\\(\\s*@)",
    "description":"Detects MySQL and PostgreSQL stored procedure\/function injections",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"7"
    },
    {
    "id":"54",
    "rule":"(?:select\\s*pg_sleep)|(?:waitfor\\s*delay\\s?\"+\\s?\\d)|(?:;\\s*shutdown\\s*(?:;|--|#|\\\/\\*|{))",
    "description":"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"5"
    },
    {
    "id":"55",
    "rule":"(?:\\sexec\\s+xp_cmdshell)|(?:\"\\s*!\\s*[\"\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*\\([^\\)]*)|(?:\";?\\s*(?:select|union|having)\\s*[^\\s])|(?:\\wiif\\s*\\()|(?:exec\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*select)|(?:select.*\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*\")",
    "description":"Detects MSSQL code execution and information gathering attempts",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"5"
    },
    {
    "id":"56",
    "rule":"(?:merge.*using\\s*\\()|(execute\\s*immediate\\s*\")|(?:\\W+\\d*\\s*having\\s*[^\\s\\-])|(?:match\\s*[\\w(),+-]+\\s*against\\s*\\()",
    "description":"Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"5"
    },
    {
    "id":"57",
    "rule":"(?:,.*[)\\da-f\"]\"(?:\".*\"|\\Z|[^\"]+))|(?:\\Wselect.+\\W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*\\(\\s*space\\s*\\()",
    "description":"Detects MySQL comment-\/space-obfuscated injections and backtick termination",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"5"
    },
    {
    "id":"58",
    "rule":"(?:@[\\w-]+\\s*\\()|(?:]\\s*\\(\\s*[\"!]\\s*\\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\\s\\w|]*\\$\\w+\\s*=)|(?:\\$\\w+\\s*=(?:(?:\\s*\\$?\\w+\\s*[(;])|\\s*\".*\"))|(?:;\\s*\\{\\W*\\w+\\s*\\()",
    "description":"Detects code injection attempts 1\/3",
    "tags":{
    "tag":[
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"59",
    "rule":"(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\\w+|execute)\\s*[\"(@])",
    "description":"Detects code injection attempts 2\/3",
    "tags":{
    "tag":[
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"60",
    "rule":"(?:(?:[;]+|(<[?%](?:php)?)).*[^\\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\\s*rm\\s+-\\w+\\s+)|(?:;.*{.*\\$\\w+\\s*=)|(?:\\$\\w+\\s*\\[\\]\\s*=\\s*)",
    "description":"Detects code injection attempts 3\/3",
    "tags":{
    "tag":[
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"62",
    "rule":"(?:function[^(]*\\([^)]*\\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\\w.]+\\w+\\s*[([])|([)\\]]\\s*\\.\\s*\\w+\\s*=)|(?:\\(\\s*new\\s+\\w+\\s*\\)\\.)",
    "description":"Detects common function declarations and special JS operators",
    "tags":{
    "tag":[
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"5"
    },
    {
    "id":"63",
    "rule":"(?:[\\w.-]+@[\\w.-]+%(?:[01][\\db-ce-f])+\\w+:)",
    "description":"Detects common mail header injections",
    "tags":{
    "tag":[
    "id",
    "spam"
    ]
    },
    "impact":"5"
    },
    {
    "id":"64",
    "rule":"(?:\\.pl\\?\\w+=\\w?\\|\\w+;)|(?:\\|\\(\\w+=\\*)|(?:\\*\\s*\\)+\\s*;)",
    "description":"Detects perl echo shellcode injection and LDAP vectors",
    "tags":{
    "tag":[
    "lfi",
    "rfe"
    ]
    },
    "impact":"5"
    },
    {
    "id":"65",
    "rule":"(?:(^|\\W)const\\s+[\\w\\-]+\\s*=)|(?:(?:do|for|while)\\s*\\([^;]+;+\\))|(?:(?:^|\\W)on\\w+\\s*=[\\w\\W]*(?:on\\w+|alert|eval|print|confirm|prompt))|(?:groups=\\d+\\(\\w+\\))|(?:(.)\\1{128,})",
    "description":"Detects basic XSS DoS attempts",
    "tags":{
    "tag":[
    "rfe",
    "dos"
    ]
    },
    "impact":"5"
    },
    {
    "id":"67",
    "rule":"(?:\\({2,}\\+{2,}:{2,})|(?:\\({2,}\\+{2,}:+)|(?:\\({3,}\\++:{2,})|(?:\\$\\[!!!\\])",
    "description":"Detects unknown attack vectors based on PHPIDS Centrifuge detection",
    "tags":{
    "tag":[
    "xss",
    "csrf",
    "id",
    "rfe",
    "lfi"
    ]
    },
    "impact":"7"
    },
    {
    "id":"68",
    "rule":"(?:[\\s\\\/\"]+[-\\w\\\/\\\\\\*]+\\s*=.+(?:\\\/\\s*>))",
    "description":"Finds attribute breaking injections including obfuscated attributes",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"69",
    "rule":"(?:(?:msgbox|eval)\\s*\\+|(?:language\\s*=\\*vbscript))",
    "description":"Finds basic VBScript injection attempts",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"4"
    },
    {
    "id":"70",
    "rule":"(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\\])",
    "description":"Finds basic MongoDB SQL injection attempts",
    "tags":{
    "tag":"sqli"
    },
    "impact":"4"
    },
    {
    "id":"71",
    "rule":"(?:[\\s\\d\\\/\"]+(?:on\\w+|style|poster|background)=[$\"\\w])|(?:-type\\s*:\\s*multipart)",
    "description":"Finds malicious attribute injection attempts and MHTML attacks",
    "tags":{
    "tag":[
    "xss",
    "csrf"
    ]
    },
    "impact":"6"
    },
    {
    "id":"72",
    "rule":"(?:(sleep\\((\\s*)(\\d*)(\\s*)\\)|benchmark\\((.*)\\,(.*)\\)))",
    "description":"Detects blind sqli tests using sleep() or benchmark().",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"4"
    },
    {
    "id":"73",
    "rule":"(?:(\\%SYSTEMROOT\\%))",
    "description":"An attacker is trying to locate a file to read or write.",
    "tags":{
    "tag":[
    "files",
    "id"
    ]
    },
    "impact":"4"
    },
    {
    "id":"75",
    "rule":"(?:(((.*)\\%[c|d|i|e|f|g|o|s|u|x|p|n]){8}))",
    "description":"Looking for a format string attack",
    "tags":{
    "tag":"format string"
    },
    "impact":"4"
    },
    {
    "id":"76",
    "rule":"(?:(union(.*)select(.*)from))",
    "description":"Looking for basic sql injection. Common attack string for mysql, oracle and others.",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"3"
    },
    {
    "id":"77",
    "rule":"(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)",
    "description":"Looking for integer overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the \"magic number\" crash",
    "tags":{
    "tag":[
    "sqli",
    "id"
    ]
    },
    "impact":"3"
    },
    {
    "id":"78",
    "rule":"(?:%23.*?%0a)",
    "description":"Detects SQL comment filter evasion",
    "tags":{
    "tag":[
    "format string"
    ]
    },
    "impact":"4"
    }
    ]
    }
    };
    var filtersArr = filters.filters.filter;
    var filterDetected;
    var detected = {};
    var issueDetected;
    for (var filterKey in filtersArr){
    var filter = filtersArr[filterKey];
    var re = new RegExp (filter.rule, 'i');
    var requestFind = doc.request.match(re);
    if (requestFind){
    issueDetected = true;
    detected.in = "request";
    detected.proof = requestFind;
    filterDetected = filter;
    break;
    }
    }
    if (issueDetected){
    var obj = {};
    obj.filter = filterDetected;
    obj.proof = detected;
    obj.id = doc._id;
    obj.date = doc.date;
    obj.user = doc.user;
    obj.method = doc.method;
    obj.request = doc.request;
    obj.revised = doc.revised;
    obj.requestBody = doc.requestBody;
    obj.status = doc.status;
    var date = new Date(doc.date);
    emit(date.getTime(), obj);
    }
    }
    }