Looks like firewall rules are not working

#1

Hello.
I set up two identical firewall rules for my 2 domains.

(http.request.uri.query contains "eval") or (http.request.uri.query contains "javascript") or (http.request.uri.query contains "base64_encode")

On one domain everything works fine and I see Error 1020 when I try something like domain/?swp_debug=eval
But on the other domain this rule is not working.

0 Likes

#2

Which is the other domain and can you post a screenshot of the rules for that domain?

0 Likes

#3

Hello. Sure.
The full rule is:
(http.request.uri.query contains "eval") or (http.request.uri.query contains "javascript") or (http.request.uri.query contains "base64_encode") or (http.request.uri.query contains "GLOBALS") or (http.request.uri.query contains "REQUEST") or (http.request.uri.query contains "boot.ini") or (http.request.uri.query contains "etc/passwd") or (http.request.uri.query contains "self/environ") or (http.request.uri.query contains "md5") or (http.request.method eq "PURGE") or (http.referer contains "semalt.com") or (http.referer contains "todaperfeita") or (http.request.uri.query contains "phpinfo") or (http.request.uri.query contains "sqlpatch") or (http.request.uri.query contains "163data") or (http.request.uri.query contains "amazonaws") or (http.request.uri.query contains "colocrossing") or (http.request.uri.query contains "crimea") or (http.request.uri.query contains "g00g1e") or (http.request.uri.query contains "justhost") or (http.request.uri.query contains "kanagawa") or (http.request.uri.query contains "loopia") or (http.request.uri.query contains "masterhost") or (http.request.uri.query contains "onlinehome") or (http.request.uri.query contains "poneytel") or (http.request.uri.query contains "sprintdatacenter") or (http.request.uri.query contains "reverse.softlayer") or (http.request.uri.query contains "safenet") or (http.request.uri.query contains "ttnet") or (http.request.uri.query contains "woodpecker") or (http.request.uri.query contains "wowrack") or (http.referer contains "hoodia") or (http.referer contains "huronriveracres") or (http.referer contains "impotence") or (http.referer contains "levitra") or (http.referer contains "libido") or (http.referer contains "lipitor") or (http.referer contains "phentermin") or (http.referer contains "sandyauer") or (http.referer contains "tramadol") or (http.referer contains "troyhamby") or (http.referer contains "ultram") or (http.referer contains "unicauca") or (http.referer contains "valium") or (http.referer contains 
"viagra") or (http.referer contains "vicodin") or (http.referer contains "xanax") or (http.referer contains "ypxaieo") or (http.referer contains "101raccoon.ru") or (http.referer contains "28n2gl3wfyb0.ru") or (http.referer contains "627ad6438b58439cad1fc8cf6d67a92e.com") or (http.referer contains "6ab9743d0152486387559b4abaa02ada.com") or (http.referer contains "a342ae9750004b14b55f7310eff0ab65.com") or (http.referer contains "aa08daf7e13b6345e09e92f771507fa5f4.com") or (http.referer contains "aa14ab57a3339c4064bd9ae6fad7495b5f.com") or (http.referer contains "aa625d84f1587749c1ab011d6f269f7d64.com") or (http.referer contains "aa81bf391151884adfa3dd677e41f94be1.com") or (http.referer contains "aa8780bb28a1de4eb5bff33c28a218a930.com") or (http.referer contains "aa8b68101d388c446389283820863176e7.com") or (http.referer contains "aa9bd78f328a6a41279d0fad0a88df1901.com") or (http.referer contains "aa9d046aab36af4ff182f097f840430d51.com") or (http.referer contains "aaa38852e886ac4af1a3cff9b47cab6272.com") or (http.referer contains "aab94f698f36684c5a852a2ef272e031bb.com") or (http.referer contains "aac500b7a15b2646968f6bd8c6305869d7.com") or (http.referer contains "aac52006ec82a24e08b665f4db2b5013f7.com") or (http.referer contains "aad1f4acb0a373420d9b0c4202d38d94fa.com") or (http.referer contains "asrv-a.akamoihd.net") or (http.referer contains "asrvrep-a.akamaihd.net") or (http.referer contains "bestpriceninja.com") or (http.referer contains "bronzeaid-a.akamaihd.net") or (http.request.method eq "PATCH") or (http.request.method eq "DELETE") or (http.request.method eq "OPTIONS") or (http.request.method eq "PUT") or (http.request.method eq "PURGE") or (http.request.uri.query eq "debug=") or (http.request.uri.query contains "load_options") or (http.request.uri.query contains "swp_debug")

First website is: http://antonovich-design.ae/
Second website: https://payments.com.ua/

0 Likes

#4

Appears to work for me

0 Likes

#5

The check for the method can be shortened to

(http.request.method in {"PURGE" "PUT" "OPTIONS" "DELETE" "PATCH"})
0 Likes
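
To check offline that the rule text itself matches the test request from the first post, and that the shortened method check in post #5 selects the same requests as the `or` chain in post #3, here is an added example (not code from the thread or from Cloudflare). It is a small evaluator for only the syntax used above; the function name `matches` and the case-sensitive treatment of `contains` are assumptions of this model.

```python
import re
# Simplified model of the rule syntax in this thread (an assumption, not Cloudflare's
# engine): contains = case-sensitive substring, eq = exact, in {...} = membership.
TOKEN = re.compile(r'\(|\)|\{|\}|"[^"]*"|[A-Za-z_.]+')

def matches(rule, request):
    """Return True if rule matches request (dict of field name -> string value)."""
    toks, pos = TOKEN.findall(rule), 0
    def take(expected=None):
        nonlocal pos
        pos += 1
        if expected not in (None, toks[pos - 1]):
            raise ValueError(f"expected {expected!r}, got {toks[pos - 1]!r}")
        return toks[pos - 1]
    def literal():
        tok = take()
        if not tok.startswith('"'):
            raise ValueError(f"expected a quoted string, got {tok!r}")
        return tok[1:-1]
    def term():
        if toks[pos] == "(":
            take()
            value = expr()
            take(")")
            return value
        field, op = request.get(take(), ""), take()
        if op == "contains":
            return literal() in field
        if op == "eq":
            return field == literal()
        if op == "in":
            take("{")
            members = set()
            while toks[pos] != "}":
                members.add(literal())
            return take() == "}" and field in members
        raise ValueError(f"unsupported operator {op!r}")
    def expr():
        value = term()
        while pos < len(toks) and toks[pos] == "or":
            take()
            rhs = term()  # parse the right-hand side even if value is already True
            value = value or rhs
        return value
    return expr()

# Rule text copied from the thread: first post, method checks in post #3, post #5.
FIRST_RULE = '(http.request.uri.query contains "eval") or (http.request.uri.query contains "javascript") or (http.request.uri.query contains "base64_encode")'
METHOD_CHAIN = '(http.request.method eq "PATCH") or (http.request.method eq "DELETE") or (http.request.method eq "OPTIONS") or (http.request.method eq "PUT") or (http.request.method eq "PURGE")'
METHOD_SET = '(http.request.method in {"PURGE" "PUT" "OPTIONS" "DELETE" "PATCH"})'
```

If `matches(FIRST_RULE, {"http.request.uri.query": "swp_debug=eval"})` is true in the model but one zone still lets the request through, the difference is more likely in how the rule is deployed on that zone than in the expression.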