Repository: nbs-system/naxsi-rules
Branch: master
Commit: a4a9d1cf02c0
Files: 12
Total size: 21.1 KB

Directory structure:
gitextract_tzsvspkl/

├── README.md
├── Scanner.rules
├── dokuwiki.rules
├── drupal.rules
├── etherpad-lite.rules
├── iris.rules
├── rutorrent.rules
├── web.server.rules
├── wordpress-block.rules
├── wordpress-minimal
├── wordpress.rules
└── zerobin.rules

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
Here you will find naxsi rules provided and maintained by the community.

Naxsi's team is not involved into writting or maintaining those rules.



================================================
FILE: Scanner.rules
================================================
MainRule  "str:havij" "msg:Havij-SQL_scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000312  ;
MainRule  "str:http://http://" "msg:Abnormal double http:// in HTTP header," "mz:HEADERS" "s:$UWA:8" id:42000310  ;
# http://pastebin.com/NP64hTQr# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/
# If using wp then turn off this rule
MainRule  "str:wordpress/" "msg:Wordpress-UA, probably Botnet-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000317  ;
# https://github.com/robertdavidgraham/masscan
MainRule  "str:masscan/" "msg:MASSCAN - UA Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000326  ;
# sensepost Wiko/Nikto-Clone filescan
MainRule  "str:sensepostnotthere" "msg:SensePost Wikto-Scanner" "mz:URL" "s:$ATTACK:8" id:42000452  ;
# block acunetix scan
MainRule  "str:99999999999999999999999" "msg:acunetix scan nginx buffer size " "mz:$HEADERS_VAR:Content-length" "s:$UWA:8" id:42001326  ;
MainRule  "str:acunetix" "msg:acunetix scan website " "mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42001327  ;
MainRule  "str:acunetix/wvs" "msg:acunetix scan website " "mz:$HEADERS_VAR:Accept" "s:$UWA:8" id:42001328 ;
MainRule  "str:webmole" "msg:Scanner webmole" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000159  ;
MainRule  "str:nlpproject.info" "msg:Some Scanner  nlpproject.info" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000454  ;
MainRule  "str:cloudmapping" "msg:Cloud-Mapping-Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000453  ;
MainRule  "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364  ;
MainRule  "str:brutus/" "msg:Brutus - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000258  ;
MainRule  "str:/phpmyadmin" "msg:PHPMyAdmin - Scanner (2) " "mz:URL" "s:$UWA:8" id:42000244  ;
MainRule  "str:/pma" "msg:PHPMyAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000243  ;
MainRule  "str:/phppgadmin " "msg:PHPPgAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000242  ;
MainRule  "str:/mysqldumper " "msg:MysqlDumper - Scanner " "mz:URL" "s:$UWA:8" id:42000241  ;
MainRule  "str:apachebench" "msg:AB - ApacheBenchmark-Tool detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000240  ;
MainRule  "str:/netsparker" "msg:Netsparker-Scan in Progress" "mz:URL" "s:$UWA:8" id:42000202  ;
MainRule  "str:sqlmap" "msg:Scanner sqlmap sql injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000203  ;
MainRule  "str:mysqloit" "msg:Scanner Mysqloit  - Mysql Injection Takover Tool" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000200  ;
MainRule  "str:network-services-auditor" "msg:Scanner IBM NSA User Agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000198  ;
MainRule  "str:dav.pm" "msg:Scanner DavTest WebDav Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000194  ;
MainRule  "str:w3af" "msg:Scanner w3af" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000178  ;
MainRule  "str:http_get_vars" "msg:PHP-Injetion on UA" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000174  ;
MainRule  "str:whisker" "msg:Scanner whisker" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000171  ;
MainRule  "str:whatweb" "msg:Scanner whatweb" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000151  ;
MainRule  "str:dirbuster" "msg:DirBuster Web App Scan in Progress" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000036  ;
MainRule  "str:gzinflate(" "msg:gzinflate in URI" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000259  ;
MainRule  "str:/bin/sh" "msg:/bin/sh in URI" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000257  ;
MainRule  "str:.conf" "msg:possible CONF-File - Access" "mz:URL" "s:$UWA:8" id:42000252  ;
MainRule  "str:.ini" "msg:possible INI - File - Access" "mz:URL" "s:$UWA:8" id:42000254  ;
MainRule  "str:/sftp-config.json" "msg:SFTP-config-file access" "mz:URL|BODY" "s:$ATTACK:8,$UWA:8" id:42000084  ;
# https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
# https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370
# prevent php supply chain attack
MainRule  "str:zerodium" "msg:php supply chain attack " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000085  ;
# prevent log4j attack 
# info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
# payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md
MainRule  "str:${" "msg:log4j attack detection " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000086;

================================================
FILE: dokuwiki.rules
================================================
# DokuWiki rules

BasicRule wl:1015 "mz:$BODY_VAR:usergroups";
BasicRule wl:0 "mz:$BODY_VAR:wikitext";
BasicRule wl:0 "mz:$BODY_VAR:summary";
BasicRule wl:0 "mz:$BODY_VAR:prefix";
BasicRule wl:0 "mz:$BODY_VAR:suffix";


================================================
FILE: drupal.rules
================================================
####################################
## Drupal whitelists ALPHA        ##
####################################

# some url patterns
BasicRule wl:1000 "mz:$URL:/modules/update/update.css|URL";
BasicRule wl:1000 "mz:$URL:/misc/tableselect.js|URL";
BasicRule wl:1000 "mz:$URL:/modules/contextual/images/gear-select.png|URL|$HEADERS_VAR:cookie";
BasicRule wl:1000 "mz:$URL:/misc/ui/jquery.ui.sortable.min.js|URL|$HEADERS_VAR:cookie";
BasicRule wl:1000 "mz:$URL:/misc/tableheader.js|URL|$HEADERS_VAR:cookie";
BasicRule wl:1000 "mz:$URL:/misc/tabledrag.js|URL|$HEADERS_VAR:cookie";

# bad keywords in posts etc (update etc)
BasicRule wl:1000 "mz:$URL:/|$BODY_VAR:comment_confirm_delete|NAME";
BasicRule wl:1000 "mz:$URL:/|$ARGS_VAR:q";
BasicRule wl:1000 "mz:$URL:/|$BODY_VAR:form_id";
BasicRule wl:1000 "mz:$URL:/|$HEADERS_VAR:cookie";
BasicRule wl:1010 "mz:$URL:/|$ARGS_VAR:date";

# XSS because of [ and ] in POST variables
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^body|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^menu|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^path|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^comment_body|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^field_|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^type|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^modules|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^blocks|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^palette|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^regions|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^roles|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^fields|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$ARGS_VAR_X:^destination|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^filter|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^search_active_modules|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^shortcuts|NAME";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR_X:^formats|NAME";

BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:status";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:role";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:permission";
BasicRule wl:1310,1311 "mz:$URL:/|$BODY_VAR:type";

# update module
BasicRule wl:16 "mz:$URL:/|BODY";

# user mail 
BasicRule wl:1007,1010,1011,1013,1015,1310,1311 "mz:$URL:/|$BODY_VAR_X:^user_mail";

# other stuff
BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:form_build_id";
BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:menu[parent]";
BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:form_token";
BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:additional_settings__active_tab";
BasicRule wl:1007 "mz:$URL:/|$BODY_VAR:date";

BasicRule wl:1302,1303 "mz:$URL:/|$BODY_VAR_X:^filters";
BasicRule wl:1010,1011 "mz:$URL:/|$BODY_VAR:actions_label";
BasicRule wl:1015 "mz:$URL:/|$BODY_VAR:date_format_long";
BasicRule wl:1009,1016 "mz:$URL:/|$ARGS_VAR:destination";
BasicRule wl:1016  "mz:$URL:/|$BODY_VAR_X:^palette";



================================================
FILE: etherpad-lite.rules
================================================
# Etherpad: Really real-time collaborative document editing http://etherpad.org
BasicRule  wl:1101,1015,1013,1011,1010,1008,1001 "mz:$URL:/jserror|$BODY_VAR:errorinfo";
BasicRule  wl:2 "mz:$URL_X:^/p/.*/import$|BODY";
BasicRule  wl:1311 "mz:$URL_X:^/p/.*]$|URL";
BasicRule  wl:1007 "mz:URL";
BasicRule  wl:1315 "mz:$HEADERS_VAR:cookie";
BasicRule  wl:11 "mz:$URL:/socket.io/|BODY";


================================================
FILE: iris.rules
================================================
# Web IRC client Iris for the atheme platform https://github.com/atheme-legacy/iris
### Allowed chars in the URI of WebChat Wizard "custom link" or "embed"
BasicRule  wl:1000,1315 "mz:$HEADERS_VAR:cookie";
BasicRule  wl:1015 "mz:$ARGS_VAR:channels";
BasicRule  wl:1000,1002,1005,1007,1013,1200,1205,1310,1311,1314 "mz:$ARGS_VAR:nick";
BasicRule  wl:1000,1005,1008,1013,1015,1200,1205 "mz:$URL:/|ARGS";
### Allowed chars in Chat and Private
BasicRule  wl:0 "mz:$URL:/e/p|$BODY_VAR:c";
### Allowed chars in nick same as are allowed in IRCD
BasicRule  wl:1000,1002,1005,1007,1205,1310,1311,1314 "mz:$URL:/e/n|$BODY_VAR:nick";


================================================
FILE: rutorrent.rules
================================================
BasicRule wl:1005,1010,1011,1315 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";
BasicRule wl:11 "mz:$URL:/rutorrent/php/setsettings.php|BODY";
BasicRule wl:11 "mz:$URL:/rutorrent/php/getsettings.php|BODY";
BasicRule wl:1000,1001,1015,1310,1311 "mz:$BODY_VAR:v";
BasicRule wl:1005,1008 "mz:$BODY_VAR:cookie";
BasicRule wl:1000,1100,1101,1315 "mz:$BODY_VAR:url";
BasicRule wl:1310,1311 "mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:result[]|NAME";
BasicRule wl:1000,1100,1101 "mz:$ARGS_VAR:name[]";
BasicRule wl:1310,1311 "mz:$URL:/rutorrent/php/addtorrent.php|$ARGS_VAR:name[]|NAME";


================================================
FILE: web.server.rules
================================================
MainRule  "rx:^[a-zA-Z\d-]+\.[a-zA-Z]+$" "msg:HOST-Header Injection" "mz:$HEADERS_VAR:Host" "s:$ATTACK:6" id:42000465 ;
MainRule  "rx:<!DOCTYPE(\s+)(%*\s*)([{}:.a-zA-Z0-9_-]*)(\s+)SYSTEM" "msg: possible XML/XXE-Exploitation atempt (Doctype)" "mz:BODY" "s:$ATTACK:8" id:42000455  ;
MainRule  "str:meterpreter" "msg:Meterpreter-UA detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000381  ;
MainRule  "str:/.git/" "msg:GIT-Homedir-Access" "mz:URL" "s:$ATTACK:8" id:42000329  ;
MainRule  "str:system(" "msg:PHP_SYSTEM_CMD" "mz:URL|BODY|ARGS" "s:$ATTACK:8,$UWA:8" id:42000049  ;
MainRule  "str:\n\r" "msg:HTTP - Smuggling-Attempt (NewLine in URI)" "mz:URL" "s:$EVADE:8" id:42000278  ;


================================================
FILE: wordpress-block.rules
================================================
MainRule  "str:system.multicall" "msg:Wordpress XMLRPC possible Password Brute Force" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000442  ;
MainRule  "str:system.listmethods" "msg:WordPress XMLRPC Enumeration system.listMethods" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000443  ;
MainRule  "str:system.getcapabilities" "msg:WordPress XMLRPC Enumeration system.getCapabilities" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000444  ;
MainRule  "str:/w3tc/dbcache" "msg:WordPress TotalCache-DBCache-Access" "mz:URL" "s:$UWA:8" id:42000125  ;
MainRule  "str:/uploadify/uploadify.php" "msg:WordPress Uploadify-Access" "mz:URL" "s:$ATTACK:8" id:42000126  ;
MainRule  "str:/wp-content/plugins/mm-forms-community/upload/temp/" "msg:Access To mm-forms-community upload dir" "mz:URL" "s:$ATTACK:8" id:42000060  ;


================================================
FILE: wordpress-minimal
================================================
#########                                                                 #########
######                                                                       ######
### Because of wordpress.rules is full of wl rules even got double.             ###
### Thats why I start from scratch so these rules are in BETA us on own risk.   ###
### I us not that many plugins and those I use only after I checked there code. ###
######                                                                       ######
#########                                                                 #########
### HEADERS
BasicRule  wl:1001,1315 "mz:$HEADERS_VAR:cookie";
###	Theme customize
BasicRule  wl:1001,1015,1310,1311 "mz:$URL_X:^/.*$|$BODY_VAR_X:^customized$|BODY";
###	Widget customize
BasicRule  wl:1001,1015,1310,1311 "mz:$URL_X:^/.*$|$BODY_VAR_X:^partials$|BODY";
### oEmbed API
BasicRule  wl:1000,1009,1101 "mz:$URL_X:^/.*wp-json/oembed/1.0/embed|$ARGS_VAR_X:^url$";
BasicRule  wl:1009,1101 "mz:$URL_X:^/.*wp-json/oembed/1.0/embed|ARGS";
BasicRule  wl:1009,1101 "mz:ARGS";
###	Trackbacks
BasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 "mz:$URL_X:^/.*trackback$/|BODY";
BasicRule  wl:1005,1008,1010,1011,1015,1016,1100,1101,1400 "mz:BODY";
BasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^excerpt$";
BasicRule  wl:1008,1010,1011,1015,1016,1100,1101,1400 "mz:$BODY_VAR:excerpt";
BasicRule  wl:1101 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^url$";
BasicRule  wl:1005 "mz:$URL_X:^/.*trackback$/|$BODY_VAR_X:^title$";
BasicRule  wl:1101 "mz:$BODY_VAR:url";
BasicRule  wl:1005 "mz:$BODY_VAR:title";


================================================
FILE: wordpress.rules
================================================
# WordPress naxsi rules

### HEADERS
BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1101,1200,1308,1309,1310,1311,1315 "mz:$HEADERS_VAR:cookie";
# xmlrpc
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";

### simple BODY (POST)
BasicRule wl:1001,1015,1009,1311,1310,1101,1016 "mz:$URL:/|$BODY_VAR:customized";
# comments
BasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 "mz:$BODY_VAR:post_title";
BasicRule wl:1000 "mz:$BODY_VAR:original_publish";
BasicRule wl:1000 "mz:$BODY_VAR:save";
BasicRule wl:1008,1010,1011,1013,1015 "mz:$BODY_VAR:sk2_my_js_payload";
BasicRule wl:1001,1009,1005,1016,1100,1101,1310 "mz:$BODY_VAR:url";
BasicRule wl:1009,1100,1101 "mz:$BODY_VAR:referredby";
BasicRule wl:1009,1100,1101 "mz:$BODY_VAR:_wp_original_http_referer";
BasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1101,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
BasicRule wl:1100,1101 "mz:$BODY_VAR:redirect_to";
BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";
BasicRule wl:1000 "mz:$BODY_VAR:action";
BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname";
BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription";
BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom";
BasicRule wl:1015 "mz:$BODY_VAR:date_format";
BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d";
BasicRule wl:1015 "mz:$BODY_VAR:tax_input[post_tag]";
BasicRule wl:1100,1101 "mz:$BODY_VAR:siteurl";
BasicRule wl:1100,1101 "mz:$BODY_VAR:home";
BasicRule wl:1000,1015 "mz:$BODY_VAR:submit";
# news content matches pretty much everything
BasicRule wl:0 "mz:$BODY_VAR:content";
BasicRule wl:1000 "mz:$BODY_VAR:delete_option";
BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message";
BasicRule wl:1100,1101 "mz:$BODY_VAR:_url";
BasicRule wl:1001,1009 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d";
BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note";
BasicRule wl:1100,1101 "mz:$BODY_VAR:author";
BasicRule wl:1001,1015 "mz:$BODY_VAR:excerpt";
BasicRule wl:1015 "mz:$BODY_VAR:catslist";
BasicRule wl:1005,1008,1009,1010,1011,1015,1315 "mz:$BODY_VAR:cookie";
BasicRule wl:1101 "mz:$BODY_VAR:googleplus";
BasicRule wl:1007 "mz:$BODY_VAR:name";
BasicRule wl:1007 "mz:$BODY_VAR:action";
BasicRule wl:1100,1101 "mz:$BODY_VAR:attachment%5burl%5d";
BasicRule wl:1100,1101 "mz:$BODY_VAR:attachment_url";
BasicRule wl:1001,1009,1100,1101,1302,1303,1310,1311 "mz:$BODY_VAR:html";
BasicRule wl:1015 "mz:$BODY_VAR:title";
BasicRule wl:1001,1009,1015 "mz:$BODY_VAR:recaptcha_challenge_field";
BasicRule wl:1011 "mz:$BODY_VAR:pwd";
BasicRule wl:1000 "mz:$BODY_VAR:excerpt";

### BODY|NAME
BasicRule wl:1000 "mz:$BODY_VAR:delete_option|NAME";
BasicRule wl:1000 "mz:$BODY_VAR:from|NAME";

### Simple ARGS (GET)
# WP login screen
BasicRule wl:1100,1101 "mz:$ARGS_VAR:redirect_to";
BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer";
BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer";
BasicRule wl:1000 "mz:$ARGS_VAR:action";
BasicRule wl:1000 "mz:$ARGS_VAR:action2";
# load and load[] GET variable
BasicRule wl:1000,1015 "mz:$ARGS_VAR:load";
BasicRule wl:1000,1015 "mz:$ARGS_VAR:load[]";
BasicRule wl:1015 "mz:$ARGS_VAR:q";
BasicRule wl:1000,1015 "mz:$ARGS_VAR:load%5b%5d";

### URL
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
BasicRule wl:1000 "mz:$URL:/wp-includes/js/imgareaselect/imgareaselect.css|URL";
BasicRule wl:1002 "mz:$URL_X:/wp-content/uploads/[0-9]{4}/[0-9]{2}/[^/]+\.jpg$|URL";
# URL|ARGS
BasicRule wl:1015 "mz:$URL:/wp-admin/load-styles.php|$ARGS_VAR:dashicons,admin-bar,wp-admin,buttons,wp-auth-check";
BasicRule wl:1000 "mz:$URL:/wp-admin/about.php|$ARGS_VAR:updated";
BasicRule wl:1009 "mz:$URL:/wp-admin/customize.php|$ARGS_VAR:return";
# URL|BODY
BasicRule wl:1009,1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
BasicRule wl:11,16 "mz:$URL:/wp-cron.php|BODY";
BasicRule wl:2 "mz:$URL:/wp-admin/async-upload.php|BODY";
# URL|BODY|NAME
BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
BasicRule wl:1100,1101 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:attachment_url|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/plugins.php|$BODY_VAR:verify-delete|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category[]|NAME";
BasicRule wl:1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:tax_input[post_tag]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:newtag[post_tag]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/users.php|$BODY_VAR:users[]|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BTranslations|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:Update%2BNow|NAME";
# URL|ARGS|NAME
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/customize.php|$ARGS_VAR:autofocus[control]|NAME";

# plain WP site
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
# URL|BODY
BasicRule wl:1009,1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
BasicRule wl:11,16 "mz:$URL:/wp-cron.php|BODY";
# URL|BODY|NAME
BasicRule wl:1100,1101 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
BasicRule wl:1100,1101 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-auth-check]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-check-locked-posts][]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][post_id]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-refresh-post-lock][lock]|NAME";
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:checked[]|NAME";
# URL|ARGS|NAME
BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";

### Plugins
#WP Minify
BasicRule wl:1015 "mz:$URL:/wp-content/plugins/bwp-minify/min/|$ARGS_VAR:f";
#Jetpack Infinite Scroll
BasicRule wl:1310,1311 "mz:$BODY_VAR:scripts[]|NAME";
BasicRule wl:1310,1311 "mz:$BODY_VAR:styles[]|NAME";
BasicRule wl:1310,1311 "mz:$BODY_VAR_X:^query_args\[.*\]|NAME";
BasicRule wl:1000 "mz:$BODY_VAR:query_args[update_post_term_cache]|NAME";
BasicRule wl:1000 "mz:$BODY_VAR:query_args[update_post_meta_cache]|NAME";
#UpdraftPlus
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.css|URL";
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/updraftplus/includes/select2/select2.min.js|URL";
#WP plugin updates
BasicRule wl:1315 "mz:$ARGS_VAR:query|$URL:/wp-json/jetpack/v4/jitm";
#Jetpack Google Fonts
BasicRule wl:1001 "mz:$URL_X:^/wp-content/plugins/jetpack/css/.*|URL";
#WooCommerce
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js|URL";
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js|URL";
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/woocommerce/assets/js/stupidtable/stupidtable.min.js|URL";
#WPML
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/sitepress-multilingual-cms/lib/select2/select2.min.js|URL";
#Yoast SEO
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/wordpress-seo/js/dist/select2/select2.full.min.js|URL";
BasicRule wl:1000 "mz:$URL:/wp-content/plugins/wordpress-seo/css/dist/select2/select2.min.css|URL";


================================================
FILE: zerobin.rules
================================================
# Zerobin is here in directory /paste if diffrent change $URL:/paste/ below
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";