)|(?:\s?\/>)|(?:>")]]> finds html breaking injections including whitespace attacks xss csrf 4
\w=\/)|(?:#.+\)["\s]*>)]]> finds attribute breaking injections including whitespace attacks xss csrf 4
[\w\s]*<\/?\w{2,}>)]]> finds unquoted attribute breaking injections xss csrf 2
)))]]> finds attribute breaking injections including obfuscated attributes xss csrf 4
Detects url-, name-, JSON, and referrer-contained payload attacks xss csrf 5
Detects hash-contained xss payload attacks, setter usage and property overloading xss csrf 5
Detects self contained xss via with(), common loops and regex to string conversion xss csrf 5
\s*[,;.])]]> Detects JavaScript with(), ternary operators and XML predicate attacks xss csrf 5
Detects self-executing JavaScript functions xss csrf 5
Detects the IE octal, hex and unicode entities xss csrf 2
Detects basic directory traversal dt id lfi 5
Detects specific directory and path traversal dt id lfi 5
Detects etc/passwd inclusion attempts dt id lfi 5
Detects halfwidth/fullwidth encoded unicode HTML breaking attempts xss csrf 3
Detects possible includes and packed functions xss csrf id rfe 5
Detects JavaScript DOM/miscellaneous properties and methods xss csrf id rfe 6
Detects possible includes and typical script methods xss csrf id rfe 5
Detects JavaScript object properties and methods xss csrf id rfe 4
Detects JavaScript array properties and methods xss csrf id rfe 4
Detects JavaScript string properties and methods xss csrf id rfe 4
Detects JavaScript language constructs xss csrf id rfe 4
Detects very basic XSS probings xss csrf id rfe 3
Detects JavaScript location/document property access xss csrf 5
Detects basic obfuscated JavaScript script injections xss csrf 5
Detects obfuscated JavaScript script injections xss csrf 5
Detects JavaScript cookie stealing and redirection attempts xss csrf 4
Detects data: URL injections and common URI schemes xss rfe 5
Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution xss rfe lfi xsrf 5
Detects bindings and behavior injections xss csrf rfe 4
Detects common XSS concatenation patterns 1/2 xss csrf id rfe 4
Detects common XSS concatenation patterns 2/2 xss csrf id rfe 4
Detects possible event handlers xss csrf 4
]*)t(?!rong))|(?:\ Detects obfuscated script tags and XML wrapped HTML xss 4
Detects attributes in closing tags (IE-only issue) xss csrf 3
)|(?:\/\*|\*\/)|(?:(?:#|--|{)$)|(?:\/{3,}.*$)|(?:)]]> Detects common comment types xss csrf id 3
)|(?:opera\s*\.\s*\w+\s*\()]]> Detects comments to exploit firefox' faulty rendering and proprietary opera attacks xss csrf id 3
Detects base href injections and XML entity injections xss csrf id 5
Detects possibly malicious html elements including some attributes xss csrf id rfe lfi 4
Detects nullbytes and HTTP response splitting id rfe xss 5
Detects MySQL comments, conditions and ch(a)r injections sqli id lfi 6
Detects conditional SQL injection attempts sqli id lfi 4
Detects classic SQL injection probings 1/2 sqli id lfi 6
Detects classic SQL injection probings 2/2 sqli id lfi 6
=]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*LIKE[+-=\s]+[\d"(])|(?:\sis\s*0\W)]]> Detects basic SQL authentication bypass attempts 1/3 sqli id lfi 7
Detects basic SQL authentication bypass attempts 2/3 sqli id lfi 7
^=]+\d\s*(=|OR))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s]+")|(?:"\s*is\s*\w\s*\W.*")]]> Detects basic SQL authentication bypass attempts 3/3 sqli id lfi 7
"]\s*(?:UNION|SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC))|(?:(?:SELECT|CREATE|RENAME|TRUNCATE|LOAD|ALTER|DELETE|UPDATE|INSERT|DESC)\s+(?:CONCAT|CHAR|CONCAT|LOAD_FILE|0x)\s?\(?)|(?:END\s*\);)|("\s+REGEXP\W)]]> Detects concatenated basic SQL injection and SQLLFI attempts sqli id lfi 5
Detects chained SQL injection attempts 1/2 sqli id 6
Detects chained SQL injection attempts 2/2 sqli id 6
Detects SQL benchmark and sleep injection attempts including conditional queries sqli id 4
Detects MySQL UDF injection and other data/structure manipulation attempts sqli id 6
Detects MySQL charset switch and MSSQL DoS attempts sqli id 6
Detects MySQL stored procedure/function injections sqli id 5
Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts sqli id 5
Detects MSSQL code execution and information gathering attempts sqli id 5
Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections sqli id 5
Detects MySQL comment-/space-obfuscated injections sqli id 5
)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))|(?:;\s*\{\W*\w+\s*\()]]> Detects code injection attempts 1/3 id rfe lfi 7
Detects code injection attempts 2/3 id rfe lfi 7
Detects code injection attempts 3/3 id rfe lfi 7
Detects url injections and RFE attempts id rfe lfi 5
Detects common function declarations and special JS operators id rfe lfi 5
Detects common mail header injections id spam 5
Detects perl echo shellcode injection and LDAP vectors fli rfe 5
Detects basic DoS attempts and Apache scoreboard shared memory attacks rfe dos 5
Detects konqueror UXSS attacks, Gecko 1.9 threading directives and view-source attacks rfe dos 5
Detects unknown attack vectors based on PHPIDS Centrifuge detection xss csrf id rfe lfi 7