http://acnc.com/img/raid/swf/raid0.swf
 http://acnc.com/img/raid/swf/raid01.swf
 http://acnc.com/img/raid/swf/raid0_1.swf
 http://acnc.com/img/raid/swf/raid05.swf
 http://acnc.com/img/raid/swf/raid06.swf

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# Configuration contained in this file should be customized
# for your specific requirements before deployment.
#
# Next to each rule there is a description of what it does. Each
# location where customization is needed is marked with "TODO". It
# is recommended that you:
#
# 1) Keep a copy of the original file. This will allow you to use
# the "diff" command to quickly see the changes. It will also
# make upgrades to future rule sets easier.
#
# 2) Document your changes thoroughly.
#
# You are advised to start with ModSecurity in detection mode only.
# Switch to protection when you are comfortable with your rule set.
# For maximum protection monitor your logs on daily basis (or
# better).
#
# TODO You may want to provide an error friendly message to your
# users when you start rejecting requests. You can do this using
# the Apache ErrorDocument directive. You should also add
# mod_unique_id to your configuration and display the unique
# request ID on the error page. This would allow your users to
# report the request ID back to you so that you can investigate
# the false positive (if that's what it is). A nice error page
# usually reduces the impact of false positives on the users.
#
# The drawback of this user friendly approach is that it is
# easier for the attackers to figure out there is an web
# application firewall protecting the application.
#
# ErrorDocument 403 /path/to/error_document.php
#
# For more information see
#  http://httpd.apache.org/docs-2.0/custom-error.html
## -- Configuration ----------------------------------------------------------
# Turn ModSecurity on ("On"), set to monitoring only
# ("DetectionOnly") or turn off ("Off").
#
SecRuleEngine On
# Define which part of the HTTP transaction to inspect.
#
# Inspecting request body (SecRequestBodyAccess) should probably be always set
# to "on". Only very high volume sites that never use POST requests might want
# to set it to "off" to optimize performance.
#
# Inspecting response body is useful for monitoring for information leaks,
# or for signs of intrusion. However, it does require all responses to be
# buffered in memory. For most sites this should not be a problem, but special
# care must be taken to avoid buffering file downloads (through
# MIME type selection, as shown below).
#
# TODO If you decide to enable output filtering make sure to
# review the list of scanned MIME types. If pages of the types specified
# for outbound inspection are smaller than 512K in you application
# (which is usually the case) you may reduce the SecResponseBodyLimit
# to protect from potential denial of service attacks.
#
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
# Initiate XML Processor in case of xml content-type
#
# TODO Uncomment this rule if you wish to parse
# text/xml requests using the XML parser. Note
# that this may cause considerable overhead in processing
# text/xml requests.
#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
# What to do when an error is encountered.
#
# The default is to log the error and let the request go through.
# This is a reasonable setting to start with because you do not
# want to reject legitimate requests with an untuned rule set.
#
# If, after monitoring the performance of the rule set after a
# sufficient period, you determine the rules never (or rarely
# trigger on legitimate requests) you can change to something
# else, such as "log,deny,status:500". You can also leave the
# default setting here as is, but use per rule action configuration
# to only configure some rules to reject requests, leaving most
# of them to work in detection mode.
#
#SecDefaultAction "phase:2,log,pass,status:500"
# Set web server identification string
#
# TODO In case you use Apache, you may want specify a simple server signature
# instead of the detailed Apache default signature that list most modules
# used on the specific Apache deployment:
# "Apache/2.2.0 (Fedora)"
#
SecServerSignature "Apache/2.2.0 (Fedora)"
## -- File uploads configuration -----------------------------------------------
# Temporary file storage path.
#
# TODO Change the temporary folder setting to a path where only
# the web server has access.
#
SecUploadDir /tmp
# Whether or not to keep the stored files.
#
# In most cases you don't want to keep the uploaded files (especially
# when there is a lot of them). It may be useful to change the setting
# to "RelevantOnly", in which case the files uploaded in suspicious
# requests will be stored.
#
SecUploadKeepFiles Off
# Inspect uploaded files.
#
# TODO If there is a danger of attack through uploaded files then it
# is possible to configure an external script to inspect each file
# before it is seen by the application. An example script is
# included with ModSecurity (/util/modsec-clamscan.pl).
#
# Inspecting uploaded files is especially important in a hosting,
# community or blogging environments where uploading files is permitted.
#
# NOTE the t:none action is required in order not to process the files names
# passed to the script based on previously defined actions in a
# SecDefaultAction directive.
#
# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
# "t:none"
## -- Logging ----------------------------------------------------------------
# Whether to log requests to the forensic log.
#
# By default, only requests that trigger a ModSecurity events (as detected
# by) or a serer error are logged ("RelevantOnly"). This is a reasonable
# setting. Full logging can be set by using # "on". If the system is used
# for protection only and no logging is desired (not reccomended) logging can
# be turned of using "off"
#
# NOTE It is also possible to configure forensic logging on the
# per request basis using the "auditlog" and "noauditlog" rule
# actions.
#
# TODO The default rule set logs requests that generate a 404 "file not found"
# response. These events are interesting, but may log a lot of information.
# you may consider removing it by setting SecAuditLogRelevantStatus
# to "^(?:5|4\d[^4])".
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
# Log files structure
#
# You can select to log all events to a single log file (set SecAuditLogType to
# "Serial") or to log each request to a separate file (set it to "Concurrent").
# The former is usually easier to use, but if full logging is required or if
# the protected system supports a large transaction volume the later may
# be a better option.
#
# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
# "Concurrent" logging).
#
# TODO If you change from "Serial" to "Concurrent" uncomment the
# SecAuditLogStorageDir directive and make sure the direcory specified
# exists and has write permissions for the Apache user.
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# SecAuditLogStorageDir logs/modsec_audit
# Select what portions of the request to log
#
# Modify the string by adding any of the letter below to it:
# A - audit log header (mandatory)
# B - request headers
# C - request body (present only if the request body exists and ModSecurity is
# configured to intercept it)
# E - intermediary response body (present only if ModSecurity is configured to
# intercept response bodies, and if the audit log engine is configured to
# record it). Intermediary response body is the same as the actual response
# body unless ModSecurity intercepts the intermediary response body, in
# which case the actual response body will contain the error message
# (either the Apache default error message, or the ErrorDocument page).
# F - final response headers (excluding the Date and Server headers, which are
# always added by Apache in the late stage of content delivery).
# H - audit log trailer
# I - This part is a replacement for part C. It will log the same data as C in
# all cases except when multipart/form-data encoding in used. In this case
# it will log a fake application/x-www-form-urlencoded body that contains
# the information about parameters but not about the files. This is handy
# if you don't want to have (often large) files stored in your audit logs.
# Z - final boundary, signifies the end of the entry (mandatory)
SecAuditLogParts "ABIFHZ"
# Create a separate log to monitor performance.
#
# TODO Performance monitoring only works with Apache 2.x. You need
# to add mod_unique_id and mod_logio to your configuration. Then
# uncomment the following two lines.
#
# LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance
# CustomLog logs/modsec_performance.log mperformance
# Custom application access log.
#
# TODO You should consider creating a custom access log. It could contain
# the performance metrics from above, but should also record the
# session ID for every request. That would make it possible to
# list all requests performed as part of a session.
#
# One custom log should be used per application but if you want
# multiple applications to share one log file make sure each
# line includes a unique application ID (unless the hostname is
# sufficient for differentiation).
## -- Tuning and debugging
# This section include tuning and debugging directives that usually require no
# modifications unless
# Parameters separator
#
# Specifies which character to use as separator for
# application/x-www-form-urlencoded content.
# Defaults to "&". Applications are sometimes (very rarely) written to use
# a semicolon (";").
#
# NOTE Changing the value for this directive has significant influence on how
# ModSecurity works. Make the change only if you are absolutely sure it
# is required.
SecArgumentSeparator "&"
# Selects the cookie format that will be used in the current configuration
# context.
#
# Possible values are:
# 0 - use version 0 (Netscape) cookies. This is what most applications use.
# It is the default value.
# 1 - use version 1 cookies.
SecCookieFormat 0
# Maximum size of the request body to keep in memory
#
# A higher value requires more server memory while a lower number would slow
# the server due to additional disk access. By default the limit is 128 KB:
SecRequestBodyInMemoryLimit 131072
# Whether to send ModSecurity messages to a separate debug log.
#
# Debug messages are very useful for, well, debugging. The default
# setting here copies (they always appear in the Apache error log)
# only the most important messages (errors and warnings).
#
# NOTE Debug logging is generally very slow. You should never
# use values greater than "3" in production.
#
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
# Path where persistent data (e.g. IP address data, session data, etc) is to
# be stored. Must be writable by the web server user.
#
# TODO It is advisable to create a directory structure for ModSecurity such as
# /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
# SecUploadDir, SecAuditLog and SecAuditLogStorageDir
# underneath it and set the permission for read and write only by the
# Apache user.
SecDataDir /tmp
# Configures the directory where temporary files will be created.
SecTmpDir /tmp
# Loades the variable collection relating to the requested resource
# NOTE: We will not initiate a collection if there was an error (To prevent overloading)
SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# TODO While some of the pattern groups such as command injection are usually
# safe of false positives, other pattern groups such as SQL injection and
# XSS may require setting exceptions and therefore are set to log only by
# default.
#
# Start ModSecurity in monitoring only mode and check whether your
# application requires exceptions for a specific URL, Pattern or source IP
# before moving to blocking mode.
SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',,id:'950009',severity:'2'"
# Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950007',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:benchmark|encode)\b" \
# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950903',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950904',severity:'2'"
# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?ecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|1\s*=\s*1|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"])\s*[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950001',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950905',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950906',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950908',severity:'2'"
# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha)s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',,id:'950004',severity:'2'"
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
# Command access
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access. Matched signature <%{TX.0}>',,id:'950002',severity:'2'"
# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/(Cookie|Referer|X-OS-Prefs)/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?te)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?te)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950006',severity:'2'"
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:User-Agent" \
"\bwget\b" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950907',severity:'2'"
# Coldfusion injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags. Matched signature <%{TX.0}>',,id:'950008',severity:'2'"
# LDAP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack. Matched signature <%{TX.0}>',,id:'950010',severity:'2'"
# SSI injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack. Matched signature <%{TX.0}>',,id:'950011',severity:'2'"
# PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',,id:'950013',severity:'2'"
# HTTP Response Splitting
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
"t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',,id:'950910',severity:'1'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',,id:'950911',severity:'1'"
# UPDF XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',,id:'950018',severity:'2'"
# Email Injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@" \
"t:none,t:lowercase,t:urlDecode,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack. Matched signature <%{TX.0}>',,id:'950019',severity:'2'"

#LoadModule security2_module modules/mod_security2/mod_security2.so