{ "version": "1.0.0", "last_updated": "2025-12-10", "description": "VMPFence WAF Rules - Comprehensive Security Patterns", "total_rules": 146, "rules": [ { "rule_id": "CMD-INJECT-FREE", "enabled": 1, "category": "COMMAND_INJECTION", "severity": 2, "pattern": "/(;[\\s]*(?:ls|cat|whoami|id|pwd|uname|wget|curl|rm|chmod|mv|cp|kill|ps|nc|netcat|bash|sh)\\b|\\|[\\s]*(?:ls|cat|whoami|id|pwd|uname)\\b|`[^`]+`|\\$\\([^)]+\\))/i", "description": "Basic command injection detection - Shell metacharacters (;, |, backticks, $()`) and common Unix commands", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "CMD-INJECT-PREMIUM", "enabled": 1, "category": "COMMAND_INJECTION", "severity": 2, "pattern": "/exec\\s*\\(|shell_exec\\s*\\(|passthru\\s*\\(|system\\s*\\(|popen\\s*\\(|proc_open\\s*\\(|`.*(?:cat|ls|wget|curl|nc|bash|sh|python|perl|ruby|php)/i", "description": "Advanced command injection detection - PHP execution functions and complex command chains (Premium)", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "LDAP-INJECT-001", "enabled": 1, "category": "LDAP_INJECTION", "severity": 2, "pattern": "/(\\*\\)\\(uid=|\\*\\)\\(cn=|\\*\\)\\(mail=|\\(\\|\\(|\\)\\(|\\)\\)\\(|\\(\\&\\(|[a-zA-Z0-9]+\\*)/i", "description": "LDAP injection detection - Prevents LDAP filter manipulation attacks (Premium)", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "LFI-001", "enabled": 1, "category": "LFI", "severity": 4, "pattern": "/(\\.\\.[\\/\\\\]|etc[\\/\\\\]passwd|boot\\.ini|win\\.ini)/i", "description": "Detects local file inclusion attempts like ../ traversal, /etc/passwd access", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "NULL-BYTE-001", "enabled": 1, "category": "NULL_BYTE", "severity": 2, "pattern": "/(%00|\\\\x00|\\\\0)/i", "description": "Null byte injection attempt - often used to bypass file extension checks", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "RCE-001-ENTERPRISE", "enabled": 1, "category": "RCE", "severity": 4, "pattern": "/(eval\\(|exec\\(|system\\(|passthru\\(|shell_exec\\()/i", "description": "Remote code execution detection - Dangerous PHP functions (Enterprise Tier)", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "RCE-PARAM-NAMES", "enabled": 1, "category": "RCE", "severity": 2, "pattern": "/(eval|exec|system|shell_exec|passthru|proc_open|popen)/i", "description": "Detects dangerous PHP function names used as parameter names", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "RFI-001", "enabled": 1, "category": "RFI", "severity": 4, "pattern": "/(http:\\/\\/|https:\\/\\/|ftp:\\/\\/|php:\\/\\/|data:\\/\\/|expect:\\/\\/)/i", "description": "Detects remote file inclusion using protocol wrappers like php://, data://, http://", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "SQL-001-FREE", "enabled": 1, "category": "SQLI", "severity": 3, "pattern": "/(union.*select|select.*from|insert.*into|drop.*table|delete.*from|'\\s*or\\s*'|'\\s*or\\s*\\d+=\\d+|or\\s+\\d+=\\d+)/i", "description": "SQL injection detection - Common patterns: UNION SELECT, OR 1=1, INSERT INTO, DROP TABLE (Free Tier)", "version": "1.0", "score": 100, "action": "block", "whitelist": 0 }, { "rule_id": "TEST-FREE-001", "enabled": 1, "category": "XSS", "severity": 2, "pattern": "