# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule TX:CWAF_modsec "@eq 1" \
	"id:212780,msg:'COMODO WAF: IGNORE_CRS||%{tx.domain}|%{tx.mode}|2',phase:2,pass,nolog,t:none,skipAfter:'IGNORE_CRS_XSS',rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:\bon[a-z]{3,16}|(?:parent|special)folder|script|document|meta|activexobject|expression|<!\[cdata\[|\.(innerhtml|fromcharcode|addimport)|settimeout|(?:shell|asfunction|http|mocha):|background|@import|alert|createtextrange|<input|iframe)" \
	"id:212030,phase:2,pass,setvar:'tx.pm_xss_points=+%{tx.points_limit4}',nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule &TX:PM_XSS_POINTS "@eq 0" \
	"id:212040,phase:2,pass,nolog,t:none,skipAfter:'SECMARKER_212000',rev:1,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx \b(?:get|copy)(?:parent|special)folder\b" \
	"id:212050,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\blowsrc\b[^a-zA-Z0-9_]{0,}?\bhttp:" \
	"id:212100,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:removeComments,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx style\W{0,}=.{0,}expression\W{0,}\(" \
	"id:212120,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bcreatetextrange\b" \
	"id:212140,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\.execscript\b" \
	"id:212180,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "<body\b.{0,}?\bonload\b" \
	"id:212200,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bsettimeout\b[^a-zA-Z0-9_]{0,}?\(" \
	"id:212270,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <i?frame" \
	"id:212280,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS_POST:form[sign] "@rx \b(?:href|src|lowsrc|url)\b\W+?\b(?:(?:vb|java)script|shell)(?::|&colon)" \
	"id:212290,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:removeComments,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:emailglobalheader|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "<body\b.{0,}?\bbackground\b" \
	"id:212300,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\btype\b\W+?\b(?:text|application)\b\W+?\b(?:(x-)?(?:java|vb|j|ecma)script)" \
	"id:212320,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:removeComments,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:template_data|!ARGS:fiets "@pm document.cookie .parentnode .innerhtml <!-- --> <![cdata[" \
	"id:212340,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,rev:5,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bactivexobject\b" \
	"id:212380,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\.addimport\b" \
	"id:212420,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS_POST:fiets "<script\b" \
	"id:212620,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecMarker SECMARKER_212000
SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx \bon(?:abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mouse(?:down|move|out|over|up)|move|readystatechange|reset|resize|select|submit|unload)\b[^a-zA-Z0-9_]{0,}?=" \
	"id:212750,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:search "@rx [\s\x22'](?:alert|eval|\.fromcharcode)\s?(?:\(|`)" \
	"id:212790,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS_NAMES:/singlepage\[section_/|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:/shortcodes\[\d+?\]\[string\]/ "@rx moz-binding\b|@import\b|(?:background|behavior)\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?url|background-image\b[^a-zA-Z0-9_]{0,}?:|expression\b[^a-zA-Z0-9_]{0,}?\(" \
	"id:212800,chain,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:cssDecode,t:removeComments,t:compressWhitespace,t:lowercase,rev:8,severity:2,tag:'CWAF',tag:'XSS'"
SecRule MATCHED_VAR "!@rx (?:body|content|description|post|desc|html_message|text)=" \
	"t:none,t:urlDecodeUni,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "[\x22'<\/]xss[\x22'\/>]" \
	"id:212820,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(88,83,83)" \
	"id:212830,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "'';!--\x22<xss>=&{()}" \
	"id:212840,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "&{" \
	"id:212850,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:emailglobalheader|!ARGS:html_message|!ARGS:text|!ARGS:template_data|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "<\!(doctype|entity)" \
	"id:212860,msg:'COMODO WAF: XSS Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains <style" \
	"id:212880,chain,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"
SecRule MATCHED_VAR "@rx (?i:<style.{0,399}?>.{0,399}?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).{0,399}?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
	"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"

SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:fiets "@rx (?i:<script.{0,}?[\s+\/]{0,}?((src)|(xlink:href)|(href))[\s+\/\t]{0,}=)" \
	"id:212890,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:urlDecodeUni,rev:5,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains vmlframe" \
	"id:212910,chain,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'XSS'"
SecRule MATCHED_VAR "@contains src" \
	"chain,t:lowercase"
SecRule MATCHED_VAR "@rx :vmlframe.{0,399}?src\/{0,}?=" \
	"capture,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i:(j|(&#x{0,1}0{0,}((74)|(4A)|(106)|(6A));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(a|(&#x{0,1}0{0,}((65)|(41)|(97)|(61));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(v|(&#x{0,1}0{0,}((86)|(56)|(118)|(76));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(a|(&#x{0,1}0{0,}((65)|(41)|(97)|(61));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(s|(&#x{0,1}0{0,}((83)|(53)|(115)|(73));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(c|(&#x{0,1}0{0,}((67)|(43)|(99)|(63));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(r|(&#x{0,1}0{0,}((82)|(52)|(114)|(72));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(i|(&#x{0,1}0{0,}((73)|(49)|(105)|(69));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(p|(&#x{0,1}0{0,}((80)|(50)|(112)|(70));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(t|(&#x{0,1}0{0,}((84)|(54)|(116)|(74));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(:|(&((#x{0,1}0{0,}((58)|(3A));{0,1})|(colon;)))).)" \
	"id:212920,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i:(v|(&#x{0,1}0{0,}((86)|(56)|(118)|(76));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(b|(&#x{0,1}0{0,}((66)|(42)|(98)|(62));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(s|(&#x{0,1}0{0,}((83)|(53)|(115)|(73));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(c|(&#x{0,1}0{0,}((67)|(43)|(99)|(63));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(r|(&#x{0,1}0{0,}((82)|(52)|(114)|(72));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(i|(&#x{0,1}0{0,}((73)|(49)|(105)|(69));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(p|(&#x{0,1}0{0,}((80)|(50)|(112)|(70));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(t|(&#x{0,1}0{0,}((84)|(54)|(116)|(74));{0,1}))([\r]|(&((#x{0,1}0{0,}(9|A|D|(13)|(10));{0,1})|(tab;)|(newline;)))){0,}(:|(&((#x{0,1}0{0,}((58)|(3A));{0,1})|(colon;)))).)" \
	"id:212930,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <embed.{0,}?(?:src|type)\/{0,}?=" \
	"id:212940,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <\??import.{0,}?implementation\/{0,}=" \
	"id:212950,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS_POST:emailglobalheader|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS_POST:fiets "@rx <meta.{0,}?http-equiv\/{0,}?=\/{0,}?[\x22'`]{0,1}(?:c|r|s|&#?x?0{0,}?(?:67|43|99|63|82|52|114|72|83|53|115|73);?)" \
	"id:212960,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:7,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS_POST:emailglobalheader|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <meta.{0,}?charset\/{0,}=" \
	"id:212970,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <link.{0,}?href\/{0,}=" \
	"id:212980,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <base.{0,}?href\/{0,}=" \
	"id:212990,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <applet(?:\/|>)" \
	"id:213000,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <object.{0,}?(?:type|codetype|classid|code|data)\/{0,}=" \
	"id:213010,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i:(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]{0,}(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]{0,}(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]{0,}(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]{0,}(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]{0,}(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]{0,}(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]{0,}(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]{0,}(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]{0,}(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]{0,}(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]{0,}(g|(\\\\u0067)|(\\147)|(\\x67)))))" \
	"id:213020,chain,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,rev:6,severity:2,tag:'CWAF',tag:'XSS'"
SecRule REQUEST_FILENAME "!@endsWith wp-admin/nav-menus.php" \
	"chain,t:none,t:lowercase"
SecRule MATCHED_VAR "(?i:[\x22'].{0,250}?[,].{0,250}(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]{0,}(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]{0,}(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]{0,}(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]{0,}(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]{0,}(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]{0,}(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]{0,}(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]{0,}(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]{0,}(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]{0,}(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]{0,}(g|(\\\\u0067)|(\\147)|(\\x67)))).{0,}?:)" \
	"setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',t:none,t:htmlEntityDecode,t:compressWhiteSpace"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <isindex(?:\/|>)" \
	"id:213090,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i:[\s\x22'+/`]on\[a-z]\[a-z]\[a-z]{1,}?[\s+]{0,}?=)" \
	"id:213110,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx [\x22'\/`]datasrc=" \
	"id:213120,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).{0,399}(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).{0,399}(?:\+ADw\-|\+AD4\-)" \
	"id:212680,msg:'COMODO WAF: UTF-7 Encoding IE XSS - Attack Detected||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|REQUEST_HEADERS:Referer|ARGS_POST|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx [\x22'\/`]on[a-z]{1,}?\/{0,}=" \
	"id:212760,msg:'COMODO WAF: IE XSS Filters - Attack Detected.||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx _\d+?(?:\x22|')\(\):;\d" \
	"id:213030,msg:'COMODO WAF: XSS vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:'|\x22)(?:fscommand|seeksegmenttime|on[a-z]{3,16})=(?:\x22|')" \
	"id:213050,chain,msg:'COMODO WAF: XSS vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'XSS'"
SecRule MATCHED_VAR "!@rx (?:body|content|description|post|desc|html_message|text)=" \
	"t:none,t:urlDecodeUni,t:lowercase"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!ARGS:/jform\[params\]\[offcanvas_topmod_style\]/|!ARGS:/jform\[params\]\[djmegamenu-module_style\]/|!ARGS:/jform\[params\]\[offcanvas_botmod_style\]/|!ARGS:emailglobalheader "@rx (?i)((?:\bx(?:link:href|html|mlns)|!ENTITY\b.{0,399}?\b(?:SYSTEM|PUBLIC)|\bdata:text\/html))" \
	"id:213060,msg:'COMODO WAF: XSS Filter - Category 3: Attribute Vector||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeNulls,t:removeComments,t:compressWhiteSpace,rev:7,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx ![!+ ]\[\]" \
	"id:213070,msg:'COMODO WAF: JSFuck / Hieroglyphy obfuscation detected||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeNulls,t:compressWhiteSpace,rev:1,severity:2,tag:'CWAF',tag:'XSS'"

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:self|document|this|top|window)\)*(?:\[[\x22'](?:document|window|top|this|self)[\x22']\]|\.document|\.cookie)" \
	"id:213080,msg:'COMODO WAF: JavaScript global variable found||%{tx.domain}|%{tx.mode}|2',phase:2,pass,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:removeWhitespace,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'XSS'"

SecMarker IGNORE_CRS_XSS