[
  {
    "path": "README.md",
    "content": "Here you will find naxsi rules provided and maintained by the community.\n\nNaxsi's team is not involved into writting or maintaining those rules.\n\n"
  },
  {
    "path": "Scanner.rules",
    "content": "MainRule  \"str:havij\" \"msg:Havij-SQL_scanner\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000312  ;\nMainRule  \"str:http://http://\" \"msg:Abnormal double http:// in HTTP header,\" \"mz:HEADERS\" \"s:$UWA:8\" id:42000310  ;\n# http://pastebin.com/NP64hTQr# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/\n# If using wp then turn off this rule\nMainRule  \"str:wordpress/\" \"msg:Wordpress-UA, probably Botnet-Attack\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000317  ;\n# https://github.com/robertdavidgraham/masscan\nMainRule  \"str:masscan/\" \"msg:MASSCAN - UA Detected\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000326  ;\n# sensepost Wiko/Nikto-Clone filescan\nMainRule  \"str:sensepostnotthere\" \"msg:SensePost Wikto-Scanner\" \"mz:URL\" \"s:$ATTACK:8\" id:42000452  ;\n# block acunetix scan\nMainRule  \"str:99999999999999999999999\" \"msg:acunetix scan nginx buffer size \" \"mz:$HEADERS_VAR:Content-length\" \"s:$UWA:8\" id:42001326  ;\nMainRule  \"str:acunetix\" \"msg:acunetix scan website \" \"mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42001327  ;\nMainRule  \"str:acunetix/wvs\" \"msg:acunetix scan website \" \"mz:$HEADERS_VAR:Accept\" \"s:$UWA:8\" id:42001328 ;\nMainRule  \"str:webmole\" \"msg:Scanner webmole\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000159  ;\nMainRule  \"str:nlpproject.info\" \"msg:Some Scanner  nlpproject.info\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$ATTACK:8\" id:42000454  ;\nMainRule  \"str:cloudmapping\" \"msg:Cloud-Mapping-Scanner\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$ATTACK:8\" id:42000453  ;\nMainRule  \"str:sucuri\" \"msg:Sucuri Vulnerability Scaner\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000364  ;\nMainRule  \"str:brutus/\" \"msg:Brutus - Scanner\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000258  ;\nMainRule  \"str:/phpmyadmin\" \"msg:PHPMyAdmin - Scanner (2) \" \"mz:URL\" \"s:$UWA:8\" id:42000244  ;\nMainRule  \"str:/pma\" \"msg:PHPMyAdmin - Scanner\" \"mz:URL\" \"s:$UWA:8\" id:42000243  ;\nMainRule  \"str:/phppgadmin \" \"msg:PHPPgAdmin - Scanner\" \"mz:URL\" \"s:$UWA:8\" id:42000242  ;\nMainRule  \"str:/mysqldumper \" \"msg:MysqlDumper - Scanner \" \"mz:URL\" \"s:$UWA:8\" id:42000241  ;\nMainRule  \"str:apachebench\" \"msg:AB - ApacheBenchmark-Tool detected\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:4\" id:42000240  ;\nMainRule  \"str:/netsparker\" \"msg:Netsparker-Scan in Progress\" \"mz:URL\" \"s:$UWA:8\" id:42000202  ;\nMainRule  \"str:sqlmap\" \"msg:Scanner sqlmap sql injection\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000203  ;\nMainRule  \"str:mysqloit\" \"msg:Scanner Mysqloit  - Mysql Injection Takover Tool\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000200  ;\nMainRule  \"str:network-services-auditor\" \"msg:Scanner IBM NSA User Agent\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000198  ;\nMainRule  \"str:dav.pm\" \"msg:Scanner DavTest WebDav Vulnerability Scanner\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000194  ;\nMainRule  \"str:w3af\" \"msg:Scanner w3af\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000178  ;\nMainRule  \"str:http_get_vars\" \"msg:PHP-Injetion on UA\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$ATTACK:8\" id:42000174  ;\nMainRule  \"str:whisker\" \"msg:Scanner whisker\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000171  ;\nMainRule  \"str:whatweb\" \"msg:Scanner whatweb\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000151  ;\nMainRule  \"str:dirbuster\" \"msg:DirBuster Web App Scan in Progress\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$ATTACK:8,$UWA:8\" id:42000036  ;\nMainRule  \"str:gzinflate(\" \"msg:gzinflate in URI\" \"mz:URL|BODY|ARGS\" \"s:$UWA:8\" id:42000259  ;\nMainRule  \"str:/bin/sh\" \"msg:/bin/sh in URI\" \"mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie\" \"s:$UWA:8\" id:42000257  ;\nMainRule  \"str:.conf\" \"msg:possible CONF-File - Access\" \"mz:URL\" \"s:$UWA:8\" id:42000252  ;\nMainRule  \"str:.ini\" \"msg:possible INI - File - Access\" \"mz:URL\" \"s:$UWA:8\" id:42000254  ;\nMainRule  \"str:/sftp-config.json\" \"msg:SFTP-config-file access\" \"mz:URL|BODY\" \"s:$ATTACK:8,$UWA:8\" id:42000084  ;\n# https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/\n# https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370\n# prevent php supply chain attack\nMainRule  \"str:zerodium\" \"msg:php supply chain attack \" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000085  ;\n# prevent log4j attack \n# info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/\n# payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md\nMainRule  \"str:${\" \"msg:log4j attack detection \" \"mz:$HEADERS_VAR:User-Agent\" \"s:$UWA:8\" id:42000086;"
  },
  {
    "path": "dokuwiki.rules",
    "content": "# DokuWiki rules\n\nBasicRule wl:1015 \"mz:$BODY_VAR:usergroups\";\nBasicRule wl:0 \"mz:$BODY_VAR:wikitext\";\nBasicRule wl:0 \"mz:$BODY_VAR:summary\";\nBasicRule wl:0 \"mz:$BODY_VAR:prefix\";\nBasicRule wl:0 \"mz:$BODY_VAR:suffix\";\n"
  },
  {
    "path": "drupal.rules",
    "content": "####################################\n## Drupal whitelists ALPHA        ##\n####################################\n\n# some url patterns\nBasicRule wl:1000 \"mz:$URL:/modules/update/update.css|URL\";\nBasicRule wl:1000 \"mz:$URL:/misc/tableselect.js|URL\";\nBasicRule wl:1000 \"mz:$URL:/modules/contextual/images/gear-select.png|URL|$HEADERS_VAR:cookie\";\nBasicRule wl:1000 \"mz:$URL:/misc/ui/jquery.ui.sortable.min.js|URL|$HEADERS_VAR:cookie\";\nBasicRule wl:1000 \"mz:$URL:/misc/tableheader.js|URL|$HEADERS_VAR:cookie\";\nBasicRule wl:1000 \"mz:$URL:/misc/tabledrag.js|URL|$HEADERS_VAR:cookie\";\n\n# bad keywords in posts etc (update etc)\nBasicRule wl:1000 \"mz:$URL:/|$BODY_VAR:comment_confirm_delete|NAME\";\nBasicRule wl:1000 \"mz:$URL:/|$ARGS_VAR:q\";\nBasicRule wl:1000 \"mz:$URL:/|$BODY_VAR:form_id\";\nBasicRule wl:1000 \"mz:$URL:/|$HEADERS_VAR:cookie\";\nBasicRule wl:1010 \"mz:$URL:/|$ARGS_VAR:date\";\n\n# XSS because of [ and ] in POST variables\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^body|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^menu|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^path|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^comment_body|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^field_|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^type|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^modules|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^blocks|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^palette|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^regions|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^roles|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^fields|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$ARGS_VAR_X:^destination|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^filter|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^search_active_modules|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^shortcuts|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR_X:^formats|NAME\";\n\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR:status\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR:role\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR:permission\";\nBasicRule wl:1310,1311 \"mz:$URL:/|$BODY_VAR:type\";\n\n# update module\nBasicRule wl:16 \"mz:$URL:/|BODY\";\n\n# user mail \nBasicRule wl:1007,1010,1011,1013,1015,1310,1311 \"mz:$URL:/|$BODY_VAR_X:^user_mail\";\n\n# other stuff\nBasicRule wl:1007 \"mz:$URL:/|$BODY_VAR:form_build_id\";\nBasicRule wl:1007 \"mz:$URL:/|$BODY_VAR:menu[parent]\";\nBasicRule wl:1007 \"mz:$URL:/|$BODY_VAR:form_token\";\nBasicRule wl:1007 \"mz:$URL:/|$BODY_VAR:additional_settings__active_tab\";\nBasicRule wl:1007 \"mz:$URL:/|$BODY_VAR:date\";\n\nBasicRule wl:1302,1303 \"mz:$URL:/|$BODY_VAR_X:^filters\";\nBasicRule wl:1010,1011 \"mz:$URL:/|$BODY_VAR:actions_label\";\nBasicRule wl:1015 \"mz:$URL:/|$BODY_VAR:date_format_long\";\nBasicRule wl:1009,1016 \"mz:$URL:/|$ARGS_VAR:destination\";\nBasicRule wl:1016  \"mz:$URL:/|$BODY_VAR_X:^palette\";\n\n"
  },
  {
    "path": "etherpad-lite.rules",
    "content": "# Etherpad: Really real-time collaborative document editing http://etherpad.org\nBasicRule  wl:1101,1015,1013,1011,1010,1008,1001 \"mz:$URL:/jserror|$BODY_VAR:errorinfo\";\nBasicRule  wl:2 \"mz:$URL_X:^/p/.*/import$|BODY\";\nBasicRule  wl:1311 \"mz:$URL_X:^/p/.*]$|URL\";\nBasicRule  wl:1007 \"mz:URL\";\nBasicRule  wl:1315 \"mz:$HEADERS_VAR:cookie\";\nBasicRule  wl:11 \"mz:$URL:/socket.io/|BODY\";\n"
  },
  {
    "path": "iris.rules",
    "content": "# Web IRC client Iris for the atheme platform https://github.com/atheme-legacy/iris\n### Allowed chars in the URI of WebChat Wizard \"custom link\" or \"embed\"\nBasicRule  wl:1000,1315 \"mz:$HEADERS_VAR:cookie\";\nBasicRule  wl:1015 \"mz:$ARGS_VAR:channels\";\nBasicRule  wl:1000,1002,1005,1007,1013,1200,1205,1310,1311,1314 \"mz:$ARGS_VAR:nick\";\nBasicRule  wl:1000,1005,1008,1013,1015,1200,1205 \"mz:$URL:/|ARGS\";\n### Allowed chars in Chat and Private\nBasicRule  wl:0 \"mz:$URL:/e/p|$BODY_VAR:c\";\n### Allowed chars in nick same as are allowed in IRCD\nBasicRule  wl:1000,1002,1005,1007,1205,1310,1311,1314 \"mz:$URL:/e/n|$BODY_VAR:nick\";\n"
  },
  {
    "path": "rutorrent.rules",
    "content": "BasicRule wl:1005,1010,1011,1315 \"mz:$HEADERS_VAR:cookie\";\nBasicRule wl:1402 \"mz:$HEADERS_VAR:content-type\";\nBasicRule wl:11 \"mz:$URL:/rutorrent/php/setsettings.php|BODY\";\nBasicRule wl:11 \"mz:$URL:/rutorrent/php/getsettings.php|BODY\";\nBasicRule wl:1000,1001,1015,1310,1311 \"mz:$BODY_VAR:v\";\nBasicRule wl:1005,1008 \"mz:$BODY_VAR:cookie\";\nBasicRule wl:1000,1100,1101,1315 \"mz:$BODY_VAR:url\";\nBasicRule wl:1310,1311 \"mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:result[]|NAME\";\nBasicRule wl:1000,1100,1101 \"mz:$ARGS_VAR:name[]\";\nBasicRule wl:1310,1311 \"mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:name[]|NAME\";\n"
  },
  {
    "path": "web.server.rules",
    "content": "MainRule  \"rx:^[a-zA-Z\\d-]+\\.[a-zA-Z]+$\" \"msg:HOST-Header Injection\" \"mz:$HEADERS_VAR:Host\" \"s:$ATTACK:6\" id:42000465 ;\nMainRule  \"rx:<!DOCTYPE(\\s+)(%*\\s*)([{}:.a-zA-Z0-9_-]*)(\\s+)SYSTEM\" \"msg: possible XML/XXE-Exploitation atempt (Doctype)\" \"mz:BODY\" \"s:$ATTACK:8\" id:42000455  ;\nMainRule  \"str:meterpreter\" \"msg:Meterpreter-UA detected\" \"mz:$HEADERS_VAR:User-Agent\" \"s:$ATTACK:8\" id:42000381  ;\nMainRule  \"str:/.git/\" \"msg:GIT-Homedir-Access\" \"mz:URL\" \"s:$ATTACK:8\" id:42000329  ;\nMainRule  \"str:system(\" \"msg:PHP_SYSTEM_CMD\" \"mz:URL|BODY|ARGS\" \"s:$ATTACK:8,$UWA:8\" id:42000049  ;\nMainRule  \"str:\\n\\r\" \"msg:HTTP - Smuggling-Attempt (NewLine in URI)\" \"mz:URL\" \"s:$EVADE:8\" id:42000278  ;\n"
  },
  {
    "path": "wordpress-block.rules",
    "content": "MainRule  \"str:system.multicall\" \"msg:Wordpress XMLRPC possible Password Brute Force\" \"mz:$URL:/xmlrpc.php|BODY\" \"s:$ATTACK:8\" id:42000442  ;\nMainRule  \"str:system.listmethods\" \"msg:WordPress XMLRPC Enumeration system.listMethods\" \"mz:$URL:/xmlrpc.php|BODY\" \"s:$ATTACK:8\" id:42000443  ;\nMainRule  \"str:system.getcapabilities\" \"msg:WordPress XMLRPC Enumeration system.getCapabilities\" \"mz:$URL:/xmlrpc.php|BODY\" \"s:$ATTACK:8\" id:42000444  ;\nMainRule  \"str:/w3tc/dbcache\" \"msg:WordPress TotalCache-DBCache-Access\" \"mz:URL\" \"s:$UWA:8\" id:42000125  ;\nMainRule  \"str:/uploadify/uploadify.php\" \"msg:WordPress Uploadify-Access\" \"mz:URL\" \"s:$ATTACK:8\" id:42000126  ;\nMainRule  \"str:/wp-content/plugins/mm-forms-community/upload/temp/\" \"msg:Access To mm-forms-community upload dir\" \"mz:URL\" \"s:$ATTACK:8\" id:42000060  ;\n"
  },
  {
    "path": "wordpress-minimal",
    "content": "#########                                                                 #########\n######                                                                       ######\n### Because of wordpress.rules is full of wl rules even got double.             ###\n### Thats why I start from scratch so these rules are in BETA us on own risk.   ###\n### I us not that many plugins and those I use only after I checked there code. ###\n######                                                                       ######\n#########                                                                 #########\n### HEADERS\nBasicRule  wl:1001,1315 \"mz:$HEADERS_VAR:cookie\";\n###\tTheme customize\nBasicRule  wl:1001,1015,1310,1311 \"mz:$URL_X:^/.*$|$BODY_VAR_X:^customized$|BODY\";\n###\tWidget customize\nBasicRule  wl:1001,1015,1310,1311 \"mz:$URL_X:^/.*$|$BODY_VAR_X:^partials$|BODY\";\n### oEmbed API\nBasicRule  wl:1000,1009,1101 \"mz:$URL_X:^/.*wp-json/oembed/1.0/embed|$ARGS_VAR_X:^url$\";\nBasicRule  wl:1009,1101 \"mz:$URL_X:^/.*wp-json/oembed/1.0/embed|ARGS\";\nBasicRule  wl:1009,1101 \"mz:ARGS\";\n###\tTrackbacks\nBasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 \"mz:$URL_X:^/.*trackback$/|BODY\";\nBasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 \"mz:BODY\";\nBasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 \"mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^excerpt$\";\nBasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 \"mz:$BODY_VAR:excerpt\";\nBasicRule  wl:1101 \"mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^url$\";\nBasicRule  wl:1005 \"mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^title$\";\nBasicRule  wl:1101 \"mz:$BODY_VAR:url\";\nBasicRule  wl:1005 \"mz:$BODY_VAR:title\";\n"
  },
  {
    "path": "wordpress.rules",
    "content": "# WordPress naxsi rules\n\n### HEADERS\nBasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1101,1200,1308,1309,1310,1311,1315 \"mz:$HEADERS_VAR:cookie\";\n# xmlrpc\nBasicRule wl:1402 \"mz:$HEADERS_VAR:content-type\";\n\n### simple BODY (POST)\nBasicRule wl:1001,1015,1009,1311,1310,1101,1016 \"mz:$URL:/|$BODY_VAR:customized\";\n# comments\nBasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 \"mz:$BODY_VAR:post_title\";\nBasicRule wl:1000 \"mz:$BODY_VAR:original_publish\";\nBasicRule wl:1000 \"mz:$BODY_VAR:save\";\nBasicRule wl:1008,1010,1011,1013,1015 \"mz:$BODY_VAR:sk2_my_js_payload\";\nBasicRule wl:1001,1009,1005,1016,1100,1101,1310 \"mz:$BODY_VAR:url\";\nBasicRule wl:1009,1100,1101 \"mz:$BODY_VAR:referredby\";\nBasicRule wl:1009,1100,1101 \"mz:$BODY_VAR:_wp_original_http_referer\";\nBasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1101,1200,1302,1303,1310,1311,1315,1400 \"mz:$BODY_VAR:comment\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:redirect_to\";\nBasicRule wl:1000,1009,1315 \"mz:$BODY_VAR:_wp_http_referer\";\nBasicRule wl:1000 \"mz:$BODY_VAR:action\";\nBasicRule wl:1001,1013 \"mz:$BODY_VAR:blogname\";\nBasicRule wl:1015,1013 \"mz:$BODY_VAR:blogdescription\";\nBasicRule wl:1015 \"mz:$BODY_VAR:date_format_custom\";\nBasicRule wl:1015 \"mz:$BODY_VAR:date_format\";\nBasicRule wl:1015 \"mz:$BODY_VAR:tax_input%5bpost_tag%5d\";\nBasicRule wl:1015 \"mz:$BODY_VAR:tax_input[post_tag]\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:siteurl\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:home\";\nBasicRule wl:1000,1015 \"mz:$BODY_VAR:submit\";\n# news content matches pretty much everything\nBasicRule wl:0 \"mz:$BODY_VAR:content\";\nBasicRule wl:1000 \"mz:$BODY_VAR:delete_option\";\nBasicRule wl:1000 \"mz:$BODY_VAR:prowl-msg-message\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:_url\";\nBasicRule wl:1001,1009 \"mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d\";\nBasicRule wl:1200 \"mz:$BODY_VAR:ppn_post_note\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:author\";\nBasicRule wl:1001,1015 \"mz:$BODY_VAR:excerpt\";\nBasicRule wl:1015 \"mz:$BODY_VAR:catslist\";\nBasicRule wl:1005,1008,1009,1010,1011,1015,1315 \"mz:$BODY_VAR:cookie\";\nBasicRule wl:1101 \"mz:$BODY_VAR:googleplus\";\nBasicRule wl:1007 \"mz:$BODY_VAR:name\";\nBasicRule wl:1007 \"mz:$BODY_VAR:action\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:attachment%5burl%5d\";\nBasicRule wl:1100,1101 \"mz:$BODY_VAR:attachment_url\";\nBasicRule wl:1001,1009,1100,1101,1302,1303,1310,1311 \"mz:$BODY_VAR:html\";\nBasicRule wl:1015 \"mz:$BODY_VAR:title\";\nBasicRule wl:1001,1009,1015 \"mz:$BODY_VAR:recaptcha_challenge_field\";\nBasicRule wl:1011 \"mz:$BODY_VAR:pwd\";\nBasicRule wl:1000 \"mz:$BODY_VAR:excerpt\";\n\n### BODY|NAME\nBasicRule wl:1000 \"mz:$BODY_VAR:delete_option|NAME\";\nBasicRule wl:1000 \"mz:$BODY_VAR:from|NAME\";\n\n### Simple ARGS (GET)\n# WP login screen\nBasicRule wl:1100,1101 \"mz:$ARGS_VAR:redirect_to\";\nBasicRule wl:1000,1009 \"mz:$ARGS_VAR:_wp_http_referer\";\nBasicRule wl:1000 \"mz:$ARGS_VAR:wp_http_referer\";\nBasicRule wl:1000 \"mz:$ARGS_VAR:action\";\nBasicRule wl:1000 \"mz:$ARGS_VAR:action2\";\n# load and load[] GET variable\nBasicRule wl:1000,1015 \"mz:$ARGS_VAR:load\";\nBasicRule wl:1000,1015 \"mz:$ARGS_VAR:load[]\";\nBasicRule wl:1015 \"mz:$ARGS_VAR:q\";\nBasicRule wl:1000,1015 \"mz:$ARGS_VAR:load%5b%5d\";\n\n### URL\nBasicRule wl:1000 \"mz:URL|$URL:/wp-admin/update-core.php\";\nBasicRule wl:1000 \"mz:URL|$URL:/wp-admin/update.php\";\nBasicRule wl:1000 \"mz:$URL:/wp-includes/js/imgareaselect/imgareaselect.css|URL\";\nBasicRule wl:1002 \"mz:$URL_X:/wp-content/uploads/[0-9]{4}/[0-9]{2}/[^/]+\\.jpg$|URL\";\n# URL|ARGS\nBasicRule wl:1015 \"mz:$URL:/wp-admin/load-styles.php|$ARGS_VAR:dashicons,admin-bar,wp-admin,buttons,wp-auth-check\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/about.php|$ARGS_VAR:updated\";\nBasicRule wl:1009 \"mz:$URL:/wp-admin/customize.php|$ARGS_VAR:return\";\n# URL|BODY\nBasicRule wl:1009,1100,1101 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer\";\nBasicRule wl:1016 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect\";\nBasicRule wl:11 \"mz:$URL:/xmlrpc.php|BODY\";\nBasicRule wl:11,16 \"mz:$URL:/wp-cron.php|BODY\";\nBasicRule wl:2 \"mz:$URL:/wp-admin/async-upload.php|BODY\";\n# URL|BODY|NAME\nBasicRule wl:1100,1101 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME\";\nBasicRule wl:1100,1101 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME\";\nBasicRule wl:1100,1101 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:attachment_url|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/plugins.php|$BODY_VAR:verify-delete|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category[]|NAME\";\nBasicRule wl:1311 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:tax_input[post_tag]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:newtag[post_tag]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/users.php|$BODY_VAR:users[]|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BTranslations|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BNow|NAME\";\n# URL|ARGS|NAME\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/customize.php|$ARGS_VAR:autofocus[control]|NAME\";\n\n# plain WP site\nBasicRule wl:1000 \"mz:URL|$URL:/wp-admin/update-core.php\";\nBasicRule wl:1000 \"mz:URL|$URL:/wp-admin/update.php\";\n# URL|BODY\nBasicRule wl:1009,1100,1101 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer\";\nBasicRule wl:1016 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect\";\nBasicRule wl:11 \"mz:$URL:/xmlrpc.php|BODY\";\nBasicRule wl:11,16 \"mz:$URL:/wp-cron.php|BODY\";\n# URL|BODY|NAME\nBasicRule wl:1100,1101 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME\";\nBasicRule wl:1100,1101 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-auth-check]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-check-locked-posts][]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][post_id]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][lock]|NAME\";\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/update-core.php|$BODY_VAR:checked[]|NAME\";\n# URL|ARGS|NAME\nBasicRule wl:1310,1311 \"mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME\";\nBasicRule wl:1000 \"mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME\";\n\n### Plugins\n#WP Minify\nBasicRule wl:1015 \"mz:$URL:/wp-content/plugins/bwp-minify/min/|$ARGS_VAR:f\";\n#Jetpack Infinite Scroll\nBasicRule wl:1310,1311 \"mz:$BODY_VAR:scripts[]|NAME\";\nBasicRule wl:1310,1311 \"mz:$BODY_VAR:styles[]|NAME\";\nBasicRule wl:1310,1311 \"mz:$BODY_VAR_X:^query_args\\[.*\\]|NAME\";\nBasicRule wl:1000 \"mz:$BODY_VAR:query_args[update_post_term_cache]|NAME\";\nBasicRule wl:1000 \"mz:$BODY_VAR:query_args[update_post_meta_cache]|NAME\";\n#UpdraftPlus\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.css|URL\";\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.js|URL\";\n#WP plugin updates\nBasicRule wl:1315 \"mz:$ARGS_VAR:query|$URL:/wp-json/jetpack/v4/jitm\";\n#Jetpack Google Fonts\nBasicRule wl:1001 \"mz:$URL_X:^/wp-content/plugins/jetpack/css/.*|URL\";\n#WooCommerce\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js|URL\";\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js|URL\";\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/woocommerce/assets/js/stupidtable/stupidtable.min.js|URL\";\n#WPML\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/sitepress-multilingual-cms/lib/select2/select2.min.js|URL\";\n#Yoast SEO\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/wordpress-seo/js/dist/select2/select2.full.min.js|URL\";\nBasicRule wl:1000 \"mz:$URL:/wp-content/plugins/wordpress-seo/css/dist/select2/select2.min.css|URL\";\n"
  },
  {
    "path": "zerobin.rules",
    "content": "# Zerobin is here in directory /paste if diffrent change $URL:/paste/ below\nBasicRule wl:1015 \"mz:$URL:/paste/|$BODY_VAR:data\";\nBasicRule wl:1315 \"mz:$URL:/paste/|$HEADERS_VAR:cookie\";\nBasicRule wl:1001 \"mz:$URL:/paste/|$BODY_VAR:data\";\nBasicRule wl:1009 \"mz:$URL:/paste/|$BODY_VAR:data\";\nBasicRule wl:1009 \"mz:$URL:/paste/|$BODY_VAR:nickname\";\nBasicRule wl:1001 \"mz:$URL:/paste/|$BODY_VAR:nickname\";\nBasicRule wl:1015 \"mz:$URL:/paste/|$BODY_VAR:nickname\";\n"
  }
]