# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_FILENAME "@pm /wp- /node /admin" \
	"id:211350,chain,msg:'COMODO WAF: IGNORE_CRS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,t:urlDecodeUni,t:normalisePath,skipAfter:'IGNORE_CRS_Generic',rev:1,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VARS "@rx (?:\/wp-admin\/[a-z\-\_]+?\.php)|(?:\/wp-comments-post\.php)|(?:\/node\/\d+\/edit$)|(?:\/administrator\/(index\d?|options|postarticles|contactus|homepagecontent|functions\/update_article)\.php)|(?:\/admin\w*?\/)" \
	"setvar:'TX.CWAF_modsec=1',t:none,t:urlDecodeUni,t:normalisePath,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd echo exec include printenv" \
	"id:211040,chain,msg:'COMODO WAF: SSI injection Attack||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx <\!--[^a-zA-Z0-9_]{0,}?#[^a-zA-Z0-9_]{0,}?(?:cmd|e(?:cho|xec)|include|printenv)" \
	"capture,setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

SecRule QUERY_STRING|REQUEST_BODY "@pm =http =ftp" \
	"id:211110,chain,msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \
	"setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni"

SecRule ARGS|!ARGS_POST:jform[params][yt_link] "@rx ^(?i)(?:ft|htt)ps?(.{0,399}?)\?+$" \
	"id:211120,chain,msg:'COMODO WAF: Remote File Inclusion Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,t:urlDecodeUni,rev:12,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_FILENAME "!@endsWith /modules/paypal/express_checkout/payment.php" \
	"setvar:'tx.points=+%{tx.points_limit4}',t:none,t:lowercase,t:urlDecodeUni,t:normalizePath"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pmFromFile bl_input" \
	"id:211140,phase:2,pass,setvar:'tx.pm_points=+1',nolog,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Generic'"

SecRule TX:PM_POINTS "@eq 0" \
	"id:211150,phase:2,pass,nolog,t:none,skipAfter:'SECMARKER_211040',rev:1,severity:2,tag:'CWAF',tag:'Generic'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm expires domain set-cookie" \
	"id:211160,chain,msg:'COMODO WAF: Session Fixation Attack||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx (?i)(?:\.cookie\b.{0,399}?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
	"capture,setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni"

SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession cfid cftoken cfsid jservsession jwsession" \
	"id:211170,chain,msg:'COMODO WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" \
	"capture"

SecRule ARGS_NAMES "@pm jsession jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
	"id:211180,chain,msg:'COMODO WAF: Session Fixation: SessionID Parameter Name with No Referer||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
	"setvar:'tx.points=+%{tx.points_limit4}',t:none"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)" \
	"id:211190,chain,msg:'COMODO WAF: Remote File Access Attempt||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:cmdLine,rev:9,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_URI "!@contains cpanel" \
	"t:none"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd .exe" \
	"id:211200,chain,msg:'COMODO WAF: System Command Access||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:cmdLine,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx \b(?:cmd(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:32){0,1}\.exe\b)|(?:ftp|n(?:c|et|map)|rcmd|telnet|w(?:guest|sh))\.exe\b)" \
	"capture,setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cd chmod cmd .exe echo net tclsh telnet tftp traceroute tracert g++ gcc chgrp chown chsh cpp finger ftp id ls lsof nasm nc nmap passwd perl ping ps python telnet uname xterm rm kill mail" \
	"id:211210,chain,msg:'COMODO WAF: System Command Injection||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:cmdLine,rev:8,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx (?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[\/]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:clsh8{0,1}|elnet\.exe|ftp|racer(?:oute|t))|(?:ftp|rcmd|w(?:guest|sh))\.exe)\b)|[;`|][^a-zA-Z0-9_]{0,}?\b(?:g(?:\+\+|cc\b)|(?:c(?:h(?:grp|mod|own|sh)|md|pp)|echo|f(?:inger|tp)|id|ls(?:of){0,1}|n(?:asm|c|map)|p(?:asswd|erl|ing|s|ython)|telnet|uname|(?:xte){0,1}rm|(?:kil|mai)l)\b))" \
	"capture,setvar:'tx.points=+%{tx.points_limit4}',t:none,t:cmdLine,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
	"id:211230,msg:'COMODO WAF: PHP Injection Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:2,tag:'CWAF',tag:'Generic'"

SecMarker SECMARKER_211040
SecRule REQUEST_HEADERS:Cookie "@rx (^|;)=(;|$)" \
	"id:220020,msg:'COMODO WAF: DoS vulnerability in Apache 2.2.17 - 2.2.21 (CVE-2012-0021)||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'Generic'"

SecRule QUERY_STRING|REQUEST_FILENAME|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Host|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:WWW-Authenticate "@contains () {" \
	"id:221260,chain,msg:'COMODO WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271)||%{tx.domain}|%{tx.mode}|2',phase:1,block,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx ^(?:\'\w+?=)?\(\)\s{"

SecRule REQUEST_URI|REQUEST_HEADERS:/Cookie/|REQUEST_BODY "@contains ../" \
	"id:210590,chain,msg:'COMODO WAF: Blocking directory traversal attempt||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@ge 3" \
	"chain,t:none,t:normalizePath,t:length"
SecRule MATCHED_VAR "@pmf bl_os_files" \
	"t:none,t:normalizePath"

SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:search "@rx \s(?:print|echo|eval|exec)\s?\(" \
	"id:211270,msg:'COMODO WAF: Arbitrary code execution vulnerability in Request URI||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Generic'"

SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains [!!]" \
	"id:211320,msg:'COMODO WAF: XSS vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

SecMarker IGNORE_CRS_Generic
SecRule RESPONSE_STATUS "@streq 406" \
	"id:210100,phase:3,pass,nolog,ctl:responseBodyAccess=On,rev:1,severity:2,tag:'CWAF',tag:'Generic'"

SecRule RESPONSE_STATUS "@streq 406" \
	"id:210101,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in the Apache HTTP Server 2.4.x before 2.4.3 (CVE-2012-2687)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,log,rev:1,severity:2,tag:'CWAF',tag:'Generic'"
SecRule RESPONSE_BODY "@contains Available variants:"

SecRule TX:REAL_IP "@ipMatchFromFile userdata_wl_IPs" \
	"id:210480,phase:1,allow,nolog,rev:5,severity:5,tag:'CWAF',tag:'Generic'"

SecRule TX:REAL_IP "@ipMatchFromFile userdata_bl_IPs" \
	"id:210481,msg:'COMODO WAF: Source IP is not allowed by policy||%{tx.domain}|%{tx.mode}|5',phase:1,deny,status:403,log,rev:5,severity:5,tag:'CWAF',tag:'Generic'"

SecRule TX:REAL_IP "@ipMatchFromFile bl_IPs" \
	"id:210484,msg:'COMODO WAF: Source IP is not allowed by policy||%{tx.domain}|%{tx.mode}|2',phase:1,deny,status:403,log,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_URI "@pmFromFile userdata_wl_URLs" \
	"id:210490,phase:1,allow,nolog,rev:3,severity:5,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_URI "@pmFromFile userdata_bl_URLs" \
	"id:210491,msg:'COMODO WAF: URL is not allowed by policy||%{tx.domain}|%{tx.mode}|5',phase:1,deny,status:403,log,rev:3,severity:5,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_URI "@pmFromFile bl_URLs" \
	"id:210492,phase:1,deny,status:403,log,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

SecRule ARGS:cwaf_test_request "@streq a12875a9e62e1ecbcd1dded1879ab06949566276" \
	"id:210860,msg:'COMODO WAF: Testing the work of the CWAF||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
	"id:210681,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pwd,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
	"id:210682,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule &ARGS:action "@eq 1" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1-text,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass2,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
	"id:210685,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:step "@streq 2" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:pwd,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
	"id:210686,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:step "@streq 2" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:admin_password,ctl:ruleRemoveTargetByTag=CWAF;ARGS:admin_password2,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1-text,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
	"id:210687,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq update" \
	"chain,t:none"
SecRule &ARGS:action "@eq 1" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1-text,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass2,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
	"id:210688,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq update" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1-text,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass2,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
	"id:210691,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq createuser" \
	"chain,t:none"
SecRule &ARGS:action "@eq 1" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass1-text,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass2,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
	"id:210692,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
	"ctl:ruleRemoveTargetByTag=SQLi;ARGS:post_title,ctl:ruleRemoveTargetByTag=CWAF;ARGS:content,ctl:ruleRemoveById=210416,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:210693,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq heartbeat" \
	"ctl:ruleRemoveTargetByTag=SQLi;ARGS:data[wp_autosave][post_title],ctl:ruleRemoveTargetByTag=CWAF;ARGS:data[wp_autosave][content],ctl:ruleRemoveById=210416,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
	"id:210694,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq update" \
	"ctl:ruleRemoveTargetById=213020;ARGS:nav-menu-data,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:210695,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@rx ^(save-widget|update-widget)$" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[0][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[1][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[2][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[3][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[4][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[5][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[6][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[7][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[8][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[9][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[10][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[11][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[12][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[13][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[14][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[15][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[16][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[17][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[18][text],ctl:ruleRemoveTargetByTag=CWAF;ARGS:widget-text[19][text],t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:210696,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:action "@streq sample-permalink" \
	"ctl:ruleRemoveTargetByTag=SQLi;ARGS:new_title,t:none"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
	"id:210697,phase:2,pass,nolog,ctl:ruleRemoveTargetById=210416;ARGS:selection,ctl:ruleRemoveTargetById=210416;ARGS:permalink_structure,ctl:ruleRemoveTargetById=210416;REQUEST_BODY,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
	"id:210698,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Generic'"
SecRule ARGS:option_page "@streq discussion" \
	"chain,t:none"
SecRule ARGS:action "@streq update" \
	"ctl:ruleRemoveTargetByTag=CWAF;ARGS:blacklist_keys,ctl:ruleRemoveTargetByTag=CWAF;ARGS:moderation_keys,t:none"

SecRule REQUEST_FILENAME "@rx \/wp-admin\/load-(?:scripts|styles)\.php$" \
	"id:210750,phase:2,pass,nolog,ctl:ruleRemoveTargetById=210417;ARGS_NAMES:load[],t:none,rev:2,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
	"id:210760,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:account[pass][pass1],ctl:ruleRemoveTargetByTag=CWAF;ARGS:account[pass][pass2],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /user/login" \
	"id:210761,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
	"id:210762,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass[pass1],ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass[pass2],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
	"id:210763,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:feed_description,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@rx \/user\/[0-9]+?\/edit$" \
	"id:210764,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:current_pass,ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass[pass1],ctl:ruleRemoveTargetByTag=CWAF;ARGS:pass[pass2],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
	"id:210765,phase:2,pass,nolog,ctl:ruleRemoveById=210415,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_cancel_confirm_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_password_reset_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_register_admin_created_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_register_no_approval_required_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_register_pending_approval_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_status_activated_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_status_blocked_body,ctl:ruleRemoveTargetByTag=CWAF;ARGS:user_mail_status_canceled_body,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
	"id:210766,phase:2,pass,nolog,ctl:ruleRemoveById=210415,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
	"id:210767,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:editor[settings][toolbar][button_groups],ctl:ruleRemoveTargetByTag=CWAF;ARGS:filters[filter_html][settings][allowed_html],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_METHOD "@streq POST" \
	"id:210768,chain,phase:2,pass,nolog,noauditlog,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_FILENAME "@rx \/admin\/content\/assets\/add\/[a-z]+$" \
	"chain,t:none"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
	"ctl:requestBodyAccess=Off,t:none"

SecRule REQUEST_METHOD "@streq POST" \
	"id:210769,chain,phase:2,pass,nolog,noauditlog,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_FILENAME "@rx \/admin\/content\/assets\/manage\/[0-9]+$" \
	"chain,t:none"
SecRule ARGS:destination "@streq admin/content/assets" \
	"chain,t:none"
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
	"chain"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
	"ctl:requestBodyAccess=Off,t:none"

SecRule REQUEST_METHOD "@streq POST" \
	"id:210770,chain,phase:2,pass,nolog,noauditlog,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"
SecRule REQUEST_FILENAME "@rx \/file\/ajax\/field_asset_[a-z0-9_]+\/[ua]nd\/0\/form-[a-z0-9A-Z_-]+$" \
	"chain,t:none"
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
	"chain"
SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
	"chain,t:none"
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
	"ctl:requestBodyAccess=Off,t:none"

SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
	"id:210771,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:body[0][value],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
	"id:210772,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:body[0][value],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@rx \/node\/[0-9]+\/edit$" \
	"id:210773,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:body[0][value],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /block/add" \
	"id:210775,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:body[0][value],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
	"id:210776,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:description,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@rx \/editor\/filter_xss\/(?:full|basic)_html$" \
	"id:210777,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:value,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@rx \/user\/[0-9]+\/contact$" \
	"id:210778,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:message[0][value],t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"

SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
	"id:210779,phase:2,pass,nolog,ctl:ruleRemoveTargetByTag=CWAF;ARGS:maintenance_mode_message,t:none,rev:5,severity:2,tag:'CWAF',tag:'Generic'"