├── README.md
├── dokuwiki.rules
├── etherpad-lite.rules
├── zerobin.rules
├── rutorrent.rules
├── iris.rules
├── web.server.rules
├── wordpress-block.rules
├── wordpress-minimal
├── drupal.rules
├── Scanner.rules
└── wordpress.rules


/README.md:
--------------------------------------------------------------------------------
1 | Here you will find naxsi rules provided and maintained by the community.
2 | 
3 | Naxsi's team is not involved into writting or maintaining those rules.
4 | 
5 | 


--------------------------------------------------------------------------------
/dokuwiki.rules:
--------------------------------------------------------------------------------
1 | # DokuWiki rules
2 | 
3 | BasicRule wl:1015 "mz:$BODY_VAR:usergroups";
4 | BasicRule wl:0 "mz:$BODY_VAR:wikitext";
5 | BasicRule wl:0 "mz:$BODY_VAR:summary";
6 | BasicRule wl:0 "mz:$BODY_VAR:prefix";
7 | BasicRule wl:0 "mz:$BODY_VAR:suffix";
8 | 


--------------------------------------------------------------------------------
/etherpad-lite.rules:
--------------------------------------------------------------------------------
1 | # Etherpad: Really real-time collaborative document editing http://etherpad.org
2 | BasicRule  wl:1101,1015,1013,1011,1010,1008,1001 "mz:$URL:/jserror|$BODY_VAR:errorinfo";
3 | BasicRule  wl:2 "mz:$URL_X:^/p/.*/import$|BODY";
4 | BasicRule  wl:1311 "mz:$URL_X:^/p/.*]$|URL";
5 | BasicRule  wl:1007 "mz:URL";
6 | BasicRule  wl:1315 "mz:$HEADERS_VAR:cookie";
7 | BasicRule  wl:11 "mz:$URL:/socket.io/|BODY";
8 | 


--------------------------------------------------------------------------------
/zerobin.rules:
--------------------------------------------------------------------------------
1 | # Zerobin is here in directory /paste if diffrent change $URL:/paste/ below
2 | BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
3 | BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
4 | BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
5 | BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
6 | BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
7 | BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
8 | BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";
9 | 


--------------------------------------------------------------------------------
/rutorrent.rules:
--------------------------------------------------------------------------------
 1 | BasicRule wl:1005,1010,1011,1315 "mz:$HEADERS_VAR:cookie";
 2 | BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";
 3 | BasicRule wl:11 "mz:$URL:/rutorrent/php/setsettings.php|BODY";
 4 | BasicRule wl:11 "mz:$URL:/rutorrent/php/getsettings.php|BODY";
 5 | BasicRule wl:1000,1001,1015,1310,1311 "mz:$BODY_VAR:v";
 6 | BasicRule wl:1005,1008 "mz:$BODY_VAR:cookie";
 7 | BasicRule wl:1000,1100,1101,1315 "mz:$BODY_VAR:url";
 8 | BasicRule wl:1310,1311 "mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:result[]|NAME";
 9 | BasicRule wl:1000,1100,1101 "mz:$ARGS_VAR:name[]";
10 | BasicRule wl:1310,1311 "mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:name[]|NAME";
11 | 


--------------------------------------------------------------------------------
/iris.rules:
--------------------------------------------------------------------------------
 1 | # Web IRC client Iris for the atheme platform https://github.com/atheme-legacy/iris
 2 | ### Allowed chars in the URI of WebChat Wizard "custom link" or "embed"
 3 | BasicRule  wl:1000,1315 "mz:$HEADERS_VAR:cookie";
 4 | BasicRule  wl:1015 "mz:$ARGS_VAR:channels";
 5 | BasicRule  wl:1000,1002,1005,1007,1013,1200,1205,1310,1311,1314 "mz:$ARGS_VAR:nick";
 6 | BasicRule  wl:1000,1005,1008,1013,1015,1200,1205 "mz:$URL:/|ARGS";
 7 | ### Allowed chars in Chat and Private
 8 | BasicRule  wl:0 "mz:$URL:/e/p|$BODY_VAR:c";
 9 | ### Allowed chars in nick same as are allowed in IRCD
10 | BasicRule  wl:1000,1002,1005,1007,1205,1310,1311,1314 "mz:$URL:/e/n|$BODY_VAR:nick";
11 | 


--------------------------------------------------------------------------------
/web.server.rules:
--------------------------------------------------------------------------------
1 | MainRule  "rx:^[a-zA-Z\d-]+\.[a-zA-Z]+$" "msg:HOST-Header Injection" "mz:$HEADERS_VAR:Host" "s:$ATTACK:6" id:42000465 ;
2 | MainRule  "rx:<!DOCTYPE(\s+)(%*\s*)([{}:.a-zA-Z0-9_-]*)(\s+)SYSTEM" "msg: possible XML/XXE-Exploitation atempt (Doctype)" "mz:BODY" "s:$ATTACK:8" id:42000455  ;
3 | MainRule  "str:meterpreter" "msg:Meterpreter-UA detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000381  ;
4 | MainRule  "str:/.git/" "msg:GIT-Homedir-Access" "mz:URL" "s:$ATTACK:8" id:42000329  ;
5 | MainRule  "str:system(" "msg:PHP_SYSTEM_CMD" "mz:URL|BODY|ARGS" "s:$ATTACK:8,$UWA:8" id:42000049  ;
6 | MainRule  "str:\n\r" "msg:HTTP - Smuggling-Attempt (NewLine in URI)" "mz:URL" "s:$EVADE:8" id:42000278  ;
7 | 


--------------------------------------------------------------------------------
/wordpress-block.rules:
--------------------------------------------------------------------------------
1 | MainRule  "str:system.multicall" "msg:Wordpress XMLRPC possible Password Brute Force" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000442  ;
2 | MainRule  "str:system.listmethods" "msg:WordPress XMLRPC Enumeration system.listMethods" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000443  ;
3 | MainRule  "str:system.getcapabilities" "msg:WordPress XMLRPC Enumeration system.getCapabilities" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000444  ;
4 | MainRule  "str:/w3tc/dbcache" "msg:WordPress TotalCache-DBCache-Access" "mz:URL" "s:$UWA:8" id:42000125  ;
5 | MainRule  "str:/uploadify/uploadify.php" "msg:WordPress Uploadify-Access" "mz:URL" "s:$ATTACK:8" id:42000126  ;
6 | MainRule  "str:/wp-content/plugins/mm-forms-community/upload/temp/" "msg:Access To mm-forms-community upload dir" "mz:URL" "s:$ATTACK:8" id:42000060  ;
7 | 


--------------------------------------------------------------------------------
/wordpress-minimal:
--------------------------------------------------------------------------------
 1 | #########                                                                 #########
 2 | ######                                                                       ######
 3 | ### Because of wordpress.rules is full of wl rules even got double.             ###
 4 | ### Thats why I start from scratch so these rules are in BETA us on own risk.   ###
 5 | ### I us not that many plugins and those I use only after I checked there code. ###
 6 | ######                                                                       ######
 7 | #########                                                                 #########
 8 | ### HEADERS
 9 | BasicRule  wl:1001,1315 "mz:$HEADERS_VAR:cookie";
10 | ###	Theme customize
11 | BasicRule  wl:1001,1015,1310,1311 "mz:$URL_X:^/.*$|$BODY_VAR_X:^customized$|BODY";
12 | ###	Widget customize
13 | BasicRule  wl:1001,1015,1310,1311 "mz:$URL_X:^/.*$|$BODY_VAR_X:^partials$|BODY";
14 | ### oEmbed API
15 | BasicRule  wl:1000,1009,1101 "mz:$URL_X:^/.*wp-json/oembed/1.0/embed|$ARGS_VAR_X:^url$";
16 | BasicRule  wl:1009,1101 "mz:$URL_X:^/.*wp-json/oembed/1.0/embed|ARGS";
17 | BasicRule  wl:1009,1101 "mz:ARGS";
18 | ###	Trackbacks
19 | BasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 "mz:$URL_X:^/.*trackback$/|BODY";
20 | BasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 "mz:BODY";
21 | BasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^excerpt$";
22 | BasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 "mz:$BODY_VAR:excerpt";
23 | BasicRule  wl:1101 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^url$";
24 | BasicRule  wl:1005 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^title$";
25 | BasicRule  wl:1101 "mz:$BODY_VAR:url";
26 | BasicRule  wl:1005 "mz:$BODY_VAR:title";
27 | 


--------------------------------------------------------------------------------
/drupal.rules:
--------------------------------------------------------------------------------
 1 | ####################################
 2 | ## Drupal whitelists ALPHA        ##
 3 | ####################################
 4 | 
 5 | # some url patterns
 6 | BasicRule wl:1000 "mz:$URL:/modules/update/update.css|URL";
 7 | BasicRule wl:1000 "mz:$URL:/misc/tableselect.js|URL";
 8 | BasicRule wl:1000 "mz:$URL:/modules/contextual/images/gear-select.png|URL|$HEADERS_VAR:cookie";
 9 | BasicRule wl:1000 "mz:$URL:/misc/ui/jquery.ui.sortable.min.js|URL|$HEADERS_VAR:cookie";
10 | BasicRule wl:1000 "mz:$URL:/misc/tableheader.js|URL|$HEADERS_VAR:cookie";
11 | BasicRule wl:1000 "mz:$URL:/misc/tabledrag.js|URL|$HEADERS_VAR:cookie";
12 | 
13 | # bad keywords in posts etc (update etc)
14 | BasicRule wl:1000 "mz:$URL:/|$BODY_VAR:comment_confirm_delete|NAME";
15 | BasicRule wl:1000 "mz:$URL:/|$ARGS_VAR:q";
16 | BasicRule wl:1000 "mz:$URL:/|$BODY_VAR:form_id";
17 | BasicRule wl:1000 "mz:$URL:/|$HEADERS_VAR:cookie";
18 | BasicRule wl:1010 "mz:$URL:/|$ARGS_VAR:date";
19 | 
20 | # XSS because of [ and ] in POST variables
21 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^body|NAME";
22 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^menu|NAME";
23 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^path|NAME";
24 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^comment_body|NAME";
25 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^field_|NAME";
26 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^type|NAME";
27 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^modules|NAME";
28 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^blocks|NAME";
29 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^palette|NAME";
30 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^regions|NAME";
31 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^roles|NAME";
32 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^fields|NAME";
33 | BasicRule wl:1310,1311 "mz:$URL:/|$ARGS_VAR_X:^destination|NAME";
34 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^filter|NAME";
35 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^search_active_modules|NAME";
36 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^shortcuts|NAME";
37 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^formats|NAME";
38 | 
39 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:status";
40 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:role";
41 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:permission";
42 | BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:type";
43 | 
44 | # update module
45 | BasicRule wl:16 "mz:$URL:/|BODY";
46 | 
47 | # user mail 
48 | BasicRule wl:1007,1010,1011,1013,1015,1310,1311 "mz:$URL:/|$BODY_VAR_X:^user_mail";
49 | 
50 | # other stuff
51 | BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:form_build_id";
52 | BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:menu[parent]";
53 | BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:form_token";
54 | BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:additional_settings__active_tab";
55 | BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:date";
56 | 
57 | BasicRule wl:1302,1303 "mz:$URL:/|$BODY_VAR_X:^filters";
58 | BasicRule wl:1010,1011 "mz:$URL:/|$BODY_VAR:actions_label";
59 | BasicRule wl:1015 "mz:$URL:/|$BODY_VAR:date_format_long";
60 | BasicRule wl:1009,1016 "mz:$URL:/|$ARGS_VAR:destination";
61 | BasicRule wl:1016  "mz:$URL:/|$BODY_VAR_X:^palette";
62 | 
63 | 


--------------------------------------------------------------------------------
/Scanner.rules:
--------------------------------------------------------------------------------
 1 | MainRule  "str:havij" "msg:Havij-SQL_scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000312  ;
 2 | MainRule  "str:http://http://" "msg:Abnormal double http:// in HTTP header," "mz:HEADERS" "s:$UWA:8" id:42000310  ;
 3 | # http://pastebin.com/NP64hTQr# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/
 4 | # If using wp then turn off this rule
 5 | MainRule  "str:wordpress/" "msg:Wordpress-UA, probably Botnet-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000317  ;
 6 | # https://github.com/robertdavidgraham/masscan
 7 | MainRule  "str:masscan/" "msg:MASSCAN - UA Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000326  ;
 8 | # sensepost Wiko/Nikto-Clone filescan
 9 | MainRule  "str:sensepostnotthere" "msg:SensePost Wikto-Scanner" "mz:URL" "s:$ATTACK:8" id:42000452  ;
10 | # block acunetix scan
11 | MainRule  "str:99999999999999999999999" "msg:acunetix scan nginx buffer size " "mz:$HEADERS_VAR:Content-length" "s:$UWA:8" id:42001326  ;
12 | MainRule  "str:acunetix" "msg:acunetix scan website " "mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42001327  ;
13 | MainRule  "str:acunetix/wvs" "msg:acunetix scan website " "mz:$HEADERS_VAR:Accept" "s:$UWA:8" id:42001328 ;
14 | MainRule  "str:webmole" "msg:Scanner webmole" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000159  ;
15 | MainRule  "str:nlpproject.info" "msg:Some Scanner  nlpproject.info" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000454  ;
16 | MainRule  "str:cloudmapping" "msg:Cloud-Mapping-Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000453  ;
17 | MainRule  "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364  ;
18 | MainRule  "str:brutus/" "msg:Brutus - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000258  ;
19 | MainRule  "str:/phpmyadmin" "msg:PHPMyAdmin - Scanner (2) " "mz:URL" "s:$UWA:8" id:42000244  ;
20 | MainRule  "str:/pma" "msg:PHPMyAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000243  ;
21 | MainRule  "str:/phppgadmin " "msg:PHPPgAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000242  ;
22 | MainRule  "str:/mysqldumper " "msg:MysqlDumper - Scanner " "mz:URL" "s:$UWA:8" id:42000241  ;
23 | MainRule  "str:apachebench" "msg:AB - ApacheBenchmark-Tool detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000240  ;
24 | MainRule  "str:/netsparker" "msg:Netsparker-Scan in Progress" "mz:URL" "s:$UWA:8" id:42000202  ;
25 | MainRule  "str:sqlmap" "msg:Scanner sqlmap sql injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000203  ;
26 | MainRule  "str:mysqloit" "msg:Scanner Mysqloit  - Mysql Injection Takover Tool" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000200  ;
27 | MainRule  "str:network-services-auditor" "msg:Scanner IBM NSA User Agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000198  ;
28 | MainRule  "str:dav.pm" "msg:Scanner DavTest WebDav Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000194  ;
29 | MainRule  "str:w3af" "msg:Scanner w3af" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000178  ;
30 | MainRule  "str:http_get_vars" "msg:PHP-Injetion on UA" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000174  ;
31 | MainRule  "str:whisker" "msg:Scanner whisker" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000171  ;
32 | MainRule  "str:whatweb" "msg:Scanner whatweb" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000151  ;
33 | MainRule  "str:dirbuster" "msg:DirBuster Web App Scan in Progress" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000036  ;
34 | MainRule  "str:gzinflate(" "msg:gzinflate in URI" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000259  ;
35 | MainRule  "str:/bin/sh" "msg:/bin/sh in URI" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000257  ;
36 | MainRule  "str:.conf" "msg:possible CONF-File - Access" "mz:URL" "s:$UWA:8" id:42000252  ;
37 | MainRule  "str:.ini" "msg:possible INI - File - Access" "mz:URL" "s:$UWA:8" id:42000254  ;
38 | MainRule  "str:/sftp-config.json" "msg:SFTP-config-file access" "mz:URL|BODY" "s:$ATTACK:8,$UWA:8" id:42000084  ;
39 | # https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
40 | # https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370
41 | # prevent php supply chain attack
42 | MainRule  "str:zerodium" "msg:php supply chain attack " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000085  ;
43 | # prevent log4j attack 
44 | # info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
45 | # payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md
46 | MainRule  "str:${" "msg:log4j attack detection " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000086;


--------------------------------------------------------------------------------
/wordpress.rules:
--------------------------------------------------------------------------------
  1 | # WordPress naxsi rules
  2 | 
  3 | ### HEADERS
  4 | BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1101,1200,1308,1309,1310,1311,1315 "mz:$HEADERS_VAR:cookie";
  5 | # xmlrpc
  6 | BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";
  7 | 
  8 | ### simple BODY (POST)
  9 | BasicRule wl:1001,1015,1009,1311,1310,1101,1016 "mz:$URL:/|$BODY_VAR:customized";
 10 | # comments
 11 | BasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 "mz:$BODY_VAR:post_title";
 12 | BasicRule wl:1000 "mz:$BODY_VAR:original_publish";
 13 | BasicRule wl:1000 "mz:$BODY_VAR:save";
 14 | BasicRule wl:1008,1010,1011,1013,1015 "mz:$BODY_VAR:sk2_my_js_payload";
 15 | BasicRule wl:1001,1009,1005,1016,1100,1101,1310 "mz:$BODY_VAR:url";
 16 | BasicRule wl:1009,1100,1101 "mz:$BODY_VAR:referredby";
 17 | BasicRule wl:1009,1100,1101 "mz:$BODY_VAR:_wp_original_http_referer";
 18 | BasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1101,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
 19 | BasicRule wl:1100,1101 "mz:$BODY_VAR:redirect_to";
 20 | BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";
 21 | BasicRule wl:1000 "mz:$BODY_VAR:action";
 22 | BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname";
 23 | BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription";
 24 | BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom";
 25 | BasicRule wl:1015 "mz:$BODY_VAR:date_format";
 26 | BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d";
 27 | BasicRule wl:1015 "mz:$BODY_VAR:tax_input[post_tag]";
 28 | BasicRule wl:1100,1101 "mz:$BODY_VAR:siteurl";
 29 | BasicRule wl:1100,1101 "mz:$BODY_VAR:home";
 30 | BasicRule wl:1000,1015 "mz:$BODY_VAR:submit";
 31 | # news content matches pretty much everything
 32 | BasicRule wl:0 "mz:$BODY_VAR:content";
 33 | BasicRule wl:1000 "mz:$BODY_VAR:delete_option";
 34 | BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message";
 35 | BasicRule wl:1100,1101 "mz:$BODY_VAR:_url";
 36 | BasicRule wl:1001,1009 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d";
 37 | BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note";
 38 | BasicRule wl:1100,1101 "mz:$BODY_VAR:author";
 39 | BasicRule wl:1001,1015 "mz:$BODY_VAR:excerpt";
 40 | BasicRule wl:1015 "mz:$BODY_VAR:catslist";
 41 | BasicRule wl:1005,1008,1009,1010,1011,1015,1315 "mz:$BODY_VAR:cookie";
 42 | BasicRule wl:1101 "mz:$BODY_VAR:googleplus";
 43 | BasicRule wl:1007 "mz:$BODY_VAR:name";
 44 | BasicRule wl:1007 "mz:$BODY_VAR:action";
 45 | BasicRule wl:1100,1101 "mz:$BODY_VAR:attachment%5burl%5d";
 46 | BasicRule wl:1100,1101 "mz:$BODY_VAR:attachment_url";
 47 | BasicRule wl:1001,1009,1100,1101,1302,1303,1310,1311 "mz:$BODY_VAR:html";
 48 | BasicRule wl:1015 "mz:$BODY_VAR:title";
 49 | BasicRule wl:1001,1009,1015 "mz:$BODY_VAR:recaptcha_challenge_field";
 50 | BasicRule wl:1011 "mz:$BODY_VAR:pwd";
 51 | BasicRule wl:1000 "mz:$BODY_VAR:excerpt";
 52 | 
 53 | ### BODY|NAME
 54 | BasicRule wl:1000 "mz:$BODY_VAR:delete_option|NAME";
 55 | BasicRule wl:1000 "mz:$BODY_VAR:from|NAME";
 56 | 
 57 | ### Simple ARGS (GET)
 58 | # WP login screen
 59 | BasicRule wl:1100,1101 "mz:$ARGS_VAR:redirect_to";
 60 | BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer";
 61 | BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer";
 62 | BasicRule wl:1000 "mz:$ARGS_VAR:action";
 63 | BasicRule wl:1000 "mz:$ARGS_VAR:action2";
 64 | # load and load[] GET variable
 65 | BasicRule wl:1000,1015 "mz:$ARGS_VAR:load";
 66 | BasicRule wl:1000,1015 "mz:$ARGS_VAR:load[]";
 67 | BasicRule wl:1015 "mz:$ARGS_VAR:q";
 68 | BasicRule wl:1000,1015 "mz:$ARGS_VAR:load%5b%5d";
 69 | 
 70 | ### URL
 71 | BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
 72 | BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
 73 | BasicRule wl:1000 "mz:$URL:/wp-includes/js/imgareaselect/imgareaselect.css|URL";
 74 | BasicRule wl:1002 "mz:$URL_X:/wp-content/uploads/[0-9]{4}/[0-9]{2}/[^/]+\.jpg$|URL";
 75 | # URL|ARGS
 76 | BasicRule wl:1015 "mz:$URL:/wp-admin/load-styles.php|$ARGS_VAR:dashicons,admin-bar,wp-admin,buttons,wp-auth-check";
 77 | BasicRule wl:1000 "mz:$URL:/wp-admin/about.php|$ARGS_VAR:updated";
 78 | BasicRule wl:1009 "mz:$URL:/wp-admin/customize.php|$ARGS_VAR:return";
 79 | # URL|BODY
 80 | BasicRule wl:1009,1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
 81 | BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
 82 | BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
 83 | BasicRule wl:11,16 "mz:$URL:/wp-cron.php|BODY";
 84 | BasicRule wl:2 "mz:$URL:/wp-admin/async-upload.php|BODY";
 85 | # URL|BODY|NAME
 86 | BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
 87 | BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
 88 | BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
 89 | BasicRule wl:1100,1101 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
 90 | BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:attachment_url|NAME";
 91 | BasicRule wl:1000 "mz:$URL:/wp-admin/plugins.php|$BODY_VAR:verify-delete|NAME";
 92 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category[]|NAME";
 93 | BasicRule wl:1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category|NAME";
 94 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:tax_input[post_tag]|NAME";
 95 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:newtag[post_tag]|NAME";
 96 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/users.php|$BODY_VAR:users[]|NAME";
 97 | BasicRule wl:1000 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BTranslations|NAME";
 98 | BasicRule wl:1000 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BNow|NAME";
 99 | # URL|ARGS|NAME
100 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
101 | BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
102 | BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";
103 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/customize.php|$ARGS_VAR:autofocus[control]|NAME";
104 | 
105 | # plain WP site
106 | BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
107 | BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
108 | # URL|BODY
109 | BasicRule wl:1009,1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
110 | BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
111 | BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
112 | BasicRule wl:11,16 "mz:$URL:/wp-cron.php|BODY";
113 | # URL|BODY|NAME
114 | BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
115 | BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
116 | BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
117 | BasicRule wl:1100,1101 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
118 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-auth-check]|NAME";
119 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-check-locked-posts][]|NAME";
120 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][post_id]|NAME";
121 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][lock]|NAME";
122 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:checked[]|NAME";
123 | # URL|ARGS|NAME
124 | BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
125 | BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
126 | BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";
127 | 
128 | ### Plugins
129 | #WP Minify
130 | BasicRule wl:1015 "mz:$URL:/wp-content/plugins/bwp-minify/min/|$ARGS_VAR:f";
131 | #Jetpack Infinite Scroll
132 | BasicRule wl:1310,1311 "mz:$BODY_VAR:scripts[]|NAME";
133 | BasicRule wl:1310,1311 "mz:$BODY_VAR:styles[]|NAME";
134 | BasicRule wl:1310,1311 "mz:$BODY_VAR_X:^query_args\[.*\]|NAME";
135 | BasicRule wl:1000 "mz:$BODY_VAR:query_args[update_post_term_cache]|NAME";
136 | BasicRule wl:1000 "mz:$BODY_VAR:query_args[update_post_meta_cache]|NAME";
137 | #UpdraftPlus
138 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.css|URL";
139 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.js|URL";
140 | #WP plugin updates
141 | BasicRule wl:1315 "mz:$ARGS_VAR:query|$URL:/wp-json/jetpack/v4/jitm";
142 | #Jetpack Google Fonts
143 | BasicRule wl:1001 "mz:$URL_X:^/wp-content/plugins/jetpack/css/.*|URL";
144 | #WooCommerce
145 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js|URL";
146 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js|URL";
147 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/stupidtable/stupidtable.min.js|URL";
148 | #WPML
149 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/sitepress-multilingual-cms/lib/select2/select2.min.js|URL";
150 | #Yoast SEO
151 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/wordpress-seo/js/dist/select2/select2.full.min.js|URL";
152 | BasicRule wl:1000 "mz:$URL:/wp-content/plugins/wordpress-seo/css/dist/select2/select2.min.css|URL";
153 | 


--------------------------------------------------------------------------------