AQTRONIX WebKnight Configuration

Admin 관리자 웹 인터페이스(기본 값 사용)

Admin Enabled (default: 1)
Enable the built-in admin web interface: /WebKnight/

Admin From IP

The IP addresses or ranges allowed access to the built-in admin interface.

Admin Allow Configuration Changes (default: 1)
Allow the built-in admin web interface to make changes to the configuration (IUSR needs to have change permission on the configuration files). If disabled the admin will be a reporting utility only, no changes to the configuration files will be possible (you can also remove IUSR access). This feature requires ASP classic to be installed.

Scanning Engine 필터링할 대상(기본 값 사용)

Allow Late Scanning (default: 0)
This will run the filter as a low priority filter instead of high priority. Recommended is high priority (is more secure as it precedes other ISAPI filters which might have potential buffer overflows, etc.). Requires restart of IIS!

Scan Non Secure Port (default: 1)
Scan unencrypted (HTTP) web traffic (default port 80, but can be anything else). Requires restart of IIS!

Scan Secure Port (default: 1)
Scan encrypted (HTTPS) web traffic (default port 443, but can be anything else). Requires restart of IIS!

Excluded Web Instances (default: 0)

These are the web instances excluded from scanning. Examples are Outlook Web Access web sites (starting at site instance 100).

Incident Response Handling 공격 탐지시 대응 방법(기본 값 사용)

Response Directly (default: 1)
If an attack is detected, send an immediate response to the client with a standard message. The message sent back is the contents of the denied.htm file (in the directory of the firewall)

Response Redirect (default: 0)
If an attack is detected, redirect the client to a custom url (the url specified in 'Response Redirect URL').

Response Redirect URL: (default: /denied.htm)
This is the URL the client is redirected to if 'Response Redirect' is chosen and 'Response Directly' is disabled. This can be an absolute URL (like "http://www.aqtronix.com") or a relative one (like "/denied.htm"). WebKnight의 기본 경고 페이지를 수정하려면 denied.htm을 편집

Use Response Status (default: 1)
Whenever an attack is detected, use the value in 'Response Status' as the HTTP response status that will be sent back to the client. This only works if you don't redirect the client to a custom URL.

Response Status: (default: 999 No Hacking)
This is the HTTP response status like '31337 No Hacking' or '404 Object Not Found' that is sent back to the client when an attack is detected.

Response Drop Connection (default: 1)
Whenever an attack is detected, drop the existing connection (even if keep-alive was requested).

Response Monitor IP (default: 1)
Monitor traffic coming from that IP address for a certain time-out period.

Response Monitor IP Timeout: (default: 6)
The time-out (in hours) to monitor traffic coming from that IP address.

Response Block IP (default: 0)
Block the IP address if it generates too many alerts.

Response Block IP Max Count: (default: 10)
The maximum number of alerts before being blocked in a certain amount of time.

Response Block IP Max Time: (default: 18)
The time frame in which the alerts are counted (in hours).

Response Log Only (default: 0)
If an attack is detected, only log and do not block it. If you want the firewall to go completely stealth, also disable the 'Response Headers' in 'Response Monitor'.

Logging 필터링 로그에 관한 사항(기본 값 사용)

Enabled (default: 1)
Enable or disable logging. Requires restart of firewall!

Log Directory: (default: <Path of WebKnight>\LogFiles\)
The directory where the log files will be placed. Requires restart of firewall!

Log Filename Format: (default: %y.%m.%d)
The format of the generated log file names. Syntax is C++ 'strftime': A=weekday, B=month name, d=day of month, j=day of year, m=month, U=week of year, y=year(99), Y=year(9999). Requires restart!

Use GMT (default: 1)
Log dates and times in GMT/UTC. Requires restart of firewall!

Per Process Logging (default: 0)
Make a unique log file per web server process. This is for web servers that can host the filter in more than 1 process concurrently. Requires restart of firewall!

Per Process Owner Logging (default: 1)
Make a unique log file per web server process owner. The application pool identity will be part of the log file name (recommended for IIS 7.0 SP2 and higher). Requires restart of firewall!

Log Retention: (default: 28)
The rotation period (in days) to keep the log files. Requires restart of firewall!

Syslog Enabled (default: 0)
Enable forwarding log entries to syslog server. Requires restart of firewall!

Syslog Server: (default: localhost)
The syslog server to forward the messages to. Requires restart of firewall!

Syslog Port: (default: 514)
The UDP port number of the syslog server. Requires restart of firewall!

Syslog Priority: (default: 117)
The syslog priority of the messages. Requires restart of firewall!

Log Allowed (default: 0)
In addition to logging blocked requests you can log allowed requests as well. This has high performance impact on heavy loaded systems and is not recommended!

Log Client IP (default: 1)
Log the client IP address.

Log User Name (default: 1)
Log the username the client is logged on with.

Log HTTP VIA (default: 0)
Log the 'Via:' header to have a clue where the original request came from (if the client uses 1 or more proxies). Note: you will not be able to log all used proxies (certain proxies don't have or remove this header)!

Log HTTP X FORWARDED FOR (default: 0)
Log the 'X-Forwarded-For:' header. Certain proxies (like NetCache) add this header to the request which indicate the source IP address of the request.

Log Host Header (default: 1)
Log the host header. This will log the host header of the request, so you will have a clue to what web site the request was intended.

Log User Agent (default: 0)
Log the client user agent. This can indicate what software/tool is used to perform the attack. However it is not essential information for reporting an abuse.

Connection IP 단속(기본 값 사용)

Connection Client IP Variable: (default: )
The server variable to get the client IP address. Use this if the incoming requests are coming from a CDN/reverse proxy. Examples are: HTTP_X_FORWARDED_FOR or HTTP_TRUE_CLIENT_IP. If empty, REMOTE_ADDR is used.

Change Log IP Variable (default: 0)
Adjust the web server log entries to reflect the IP address acquired from the custom IP variable.

Monitored IP Addresses (default: 0)

Monitor the traffic of certain IP addresses or ranges by logging their requests. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

Denied IP Addresses (default: 0)

Deny access from certain IP addresses and ranges and log their requests. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

Blocklists (default: 0)
Use third-party blocklists and other lists (e.g. Tor_ip_list_EXIT.csv). Create a subfolder named 'Blocklists' and place them there and restart IIS.

Connection Requests Limit (default: 0)
Limit the number of requests an IP address can make.

Connection Requests Limit Max Count: (default: 400)
The number of requests that can be made in a certain amount of time.

Connection Requests Limit Max Time: (default: 2)
The time frame in which the requests are counted (in minutes).

Excluded IP Addresses (default: 0)

Exclude certain IP addresses or ranges. This allows certain hosts to have unfiltered access to your web services. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

Authentication 계정, 암호, 인증 관련(기본 값 사용)

Notify Authentication (default: 1)
Register for the IIS authentication notifications. Disable for IIS 7.x running in integrated pipeline mode and global.asax issue (see KB 2605401). Requires restart of IIS!

Scan Authentication Excluded Web Instances (default: 1)
Also scan the excluded web instances in this event. Excluded web instances are not scanned by the firewall except for authentication attempts.

Blank Passwords (default: 1)
This will block authentication attempts with blank passwords.

Same Password As Username (default: 1)
This will block authentication attempts with passwords equal to the username.

Default Passwords (default: 1)

This will block authentication attempts with default and most used passwords.

System Accounts (default: 1)
This will block authentication attempts with a system critical account (like IUSR_SERVERNAME, IWAM_SERVERNAME, SYSTEM, NETWORK SERVICE, TsInternetUser...).

Account Brute Force Attack (default: 1)
This will block brute force attacks and possible account lockout Denial-of-Service. Detecting this is done by counting the authentication attempts within a certain period.

Account Brute Force Attack Max Count: (default: 5)
The maximum number an IP address is allowed to authenticate within a certain time frame.

Account Brute Force Attack Max Time: (default: 30)
The time frame (in minutes) within the number of authentication attempts are counted.

Allowed Accounts (default: 0)

Only allow authentication attempts with these accounts.

Denied Accounts (default: 0)

Block authentication attempts with these accounts.

Scan Account All Events (default: 1)
This will scan the used account (logged on user) in all other ISAPI events and possibly block the request if the account is not allowed to authenticate.

Scan Forms Authentication (default: 1)
Scan Forms Authentication attempts. The username and password are extracted using the input field name lists. Excluded Web Instances are always ignored.

Form Username Fields

The names of the input fields containing a username.

Form Password Fields

The names of the input fields containing a password.

Form Parameter Pollution (default: 1)
Prevent parameter pollution in forms used for authentication.

HTTP Version HTTP 버전 단속(기본 값 사용)

Maximum HTTP Version (default: 1)
(default: 8)
Limit the length of the HTTP version string. Every request to the web server involves specifying the HTTP version (like 'HTTP/1.1').

Allowed HTTP Versions (default: 1)

Only allow these HTTP versions. An empty line means you allow the HTTP version 0.9 (no http version)

URL Scanning URL 주소 필터링

RFC Compliant Url (default: 1) 한글 사용시 Disable
Check if the URL is RFC compliant. If it is not the request will be blocked.

RFC Compliant HTTP Url (default: 1) 한글 사용시 Disable
Check if the HTTP URL is RFC compliant. This will block authentication and fragments in the HTTP url (absolute URLs only).

Url Bad Parser (default: 1)
Detect url parsing errors by clients.

Use Url Raw Scan (default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the URL before the web server decodes the URL (with built-in decoding engine).

Url Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding...) in the URL.

Url Parent Path (default: 1)
Deny parent path ('..') attempt in the requested url.

Url Trailing Dot In Dir (default: 1)
Deny a trailing dot in a directory name. This will block all requests with './'.

Url Backslash (default: 1)
Deny backward slashes ('\') in the url.

Url Alternate Stream (default: 0)
This will block all requests with a ':' in the url.

Url Escaping (default: 1)
Do not allow '%' in the url after decoding. This will block encoding exploits (embedded encoding) in the url.

Url Running Multiple CGI (default: 1)
Do not allow using the ampersand ('&') in a url. This can be used to run multiple CGI applications.

Maximum Url (default: 1)
(default: 1024)
Limit the length of the url (more precisely everything in the url before the '?'). Certain attacks involve long urls. You should not allow urls longer than the longest path your operating system allows.

Url Characters (default: 1)
(default: ?#;)
Additional characters to block. If a requested url contains one of these, the request will be blocked.

Url High Bit Shellcode (default: 1) 한글 사용시 Disable
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended on non-US-English web sites. This will also block Unicode/UTF-8 and MBCS in the URL.

Url Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Denied Url Sequences (default: 1) 아래 아이템을 필터(Block 사용시 여의치 않으면 해당 아이템을 제거)

/scripts
/iishelp
/iisadmin
/msadc
/printers
/samples
/iisadmpwd
/_vti_aut
/_vti_bin
/_vti_rpc
/_vti_pvt
/admcgi
/admisapi
/_private
/_vti_cnf
/_vti_log
/_vti_script
/_vti_txt
/_mem_bin
/ftp only
/ftp_only
/ftp-only
/system32
/adsamples
/pbserver
/rpc
/cfdocs
/cfdocs/exampleapp
/cfdocs/snippets
/cfdocs/expeval
/cfdocs/examples
/cfappman
/cfide/administrator
/siteserver
/advworks
/ssi/envout.bat
/cgi-bin
/cgi-local
/cgi-win
/htbin
/cgibin
/cgis
/cgi
/test-cgi
/ows-bin/
/bin/
/sbin/
/etc/
/database/
/databases/
/dbase/
/db/
/storedb/
/fpdb/
/log/
/logs/
/logfile/
/logfiles/
/logger/
/server_stats/
/trafficlog/
/weblog/
/weblogs/
/webstats/
/wstats/
/wusage/
/wwwlog/
/wwwstats/
/mall_log_files/
/admin
/admin_/
/_admin/
/srchadm/
/admnlogin
/adminlogin
/siteadmin
/w3perl/admin
/webaccess/
/account/
/administrator/
/config/
/fpadmin/
/srchadm/
/admin_files
/passwords/
/etc/passwd
/exchange
/exchweb
/public
/exadmin
/hit_tracker/
/hitmatic/
/counter/
/c/
/d/
/doc-html/
/ftp/
/htdocs/
/install/
/intranet/
/jdbc/
/msql/
/odbc/
/oracle/
/private/
/sql/
/temp/
/tmp/
/test/
/webdriver
 /http/1.
/glimpse
/aglimpse
/htmlscript
/info2www
/nph-test-cgi
/nph-publish
/view-source
/w3-msql
/www-sql
/level/*/exec/
/nessus_is_probing_you_
/~root
/handler
/backup
/filemail
/plusmail
/ultraboard
/empower
/pals-cgi
/htgrep
/.nsconfig
/catinfo
/sweditservlet
/cybercop
/webcart/
/rmp_query
/rpm_query
/servlet/servletexec
/admin-serv/config/admpw
/c32web.exe/changeadminpassword
/graphics/sml3com
/jsp/snp/*.snp
_authchangeurl
/dbadmin
/myadmin
/mysqladmin
/mysql-admin
/phpadmin
/phpmyadmin
/fckeditor
slurpconfirm404
/thisdoesnotexistahaha.
/xmlrpc.
/powershell
/./
/.
/.config
/.git
/.hg
/.svn
/cvs/entries
/.ht
/.7z
/.bash_history
/access_log
/access_logs/
/fck/editor
/fck_2010/editor/filemanager/connectors/asp/connector.asp
/acunetix-wvs-test-for-some-inexistent-file
/none_existing_page
/random_file_name
/c99
/c100
/r57
/0day
/0d4y
/4dm1n
/shell
/upload
/upfile
/upimage
/fileupload
/server-status
/server-info
/notified-lac_compliance
.php\
.asp/
.asp\
.aspx/
.aspx\
 Result:
/psdscpullserver.svc
data:
base64
charset=
mhtml:
/cgi-perl
/gitweb.perl
/perl
/perl/
/perl/-e
/perl5/
/perl-status

Block the request when the url contains one or more of these sequences.

Denied Url Regular Expressions (default: 1)

Block the request if the url matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Allowed Url Starts (default: 1)

Only allow these character sequences a url may start with.

Url Requests Limit (default: 0)
Limit the number of requests to a specific URL (except the root '/'). This can help in combating DDoS attacks on specific pages.

Url Requests Limit Max Count: (default: 3000)
The number of requests that can be made in a certain amount of time.

Url Requests Limit Max Time: (default: 2)
The time frame in which the requests are counted (in seconds).

Excluded Urls (default: 0)

Ignore certain urls from scanning. Once the url is determined to be one of these urls (after OnReadRawData event), the request will not be scanned by the firewall. These urls are case sensitive and special characters need to be encoded as it would appear in the HTTP request line.

Mapped Path 웹서버 경로 단속

Parent Path (default: 1) 부모 경로를 쓰는 소스가 있다면 Disable
Deny parent path ('..') attempt in the mapped path.

Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Escaping (default: 1)
Deny encoding exploits in the mapped path by blocking '%'.

Dot In Path (default: 0)
Deny a dot in the path (except for the filename).

Multiple Colons (default: 1)
Deny more than 1 colon (':') in the path.

Characters (default: 1)
(default: *?"<>|$^#+=~;)
Deny the request if one or more of these characters are present in the mapped path.

Allowed Paths (default: 1) 아래 경로를 필터(Block 사용시 해당 경로가 있으면 제거하거나 수정)

Only allow mapped paths which start with one of these.

Requested File 파일 단속

Use Filename Raw Scan (default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the requested file before the web server decodes the URL (with built-in decoding engine).

Filename Characters (default: 1)
(default: \:/*?"<>|$^#+=~;)
Deny the request if the filename contains one of these characters.

Default Document (default: 0)
Deny default document requests. The client can only request a specific file, not a directory.

Denied Files (default: 1) 아래 파일 이름을 필터(Block 사용시 필요하면 해당 아이템 제거)

arp.exe
at.exe
atmadm.exe
attrib.exe
cacls.exe
chkdsk.exe
chkntfs.exe
cipher.exe
cluster.exe
cmd.exe
comp.exe
date.exe
debug.exe
diskcomp.com
diskcopy.com
diskperf.exe
doskey.exe
edlin.exe
exe2bin.exe
expand.exe
fc.exe
find.exe
findstr.exe
forcedos.exe
format.exe
ftp.exe
graphics.com
hostname.exe
ipconfig.exe
ipxroute.exe
label.exe
loadfix.exe
mem.exe
mode.com
mountvol.exe
nbtstat.exe
net.exe
netsh.exe
netstat.exe
nslookup.exe
pathping.exe
ping.exe
rcp.exe
replace.exe
rexec.exe
route.exe
rsh.exe
runas.exe
rundll.exe
rundll32.exe
runonce.exe
setver.exe
subst.exe
tcmsetup.exe
telnet.exe
tftp.exe
time.exe
winnt.exe
winnt32.exe
xcopy.exe
cscript.exe
wscript.exe
bitsadmin.exe
powershell.exe
wmic.exe
web.config
command.com
cmd1.exe
root.exe
shell.exe
iisreset.exe
formmail.
mailform.
nc.exe
netcat.exe
sumthin
whisker.ida
whisker.idc
whisker.idq
whisker.htw
whisker.htr
carbo.dll
ctguestb.idc
details.idc
w3proxy.dll
sam._
sensepost.exe
achg.htr
anot.htr
adctest.asp
ism.dll
bdir.htr
codebrws.asp
form_jscript.asp
form_vbscript.asp
servervariables_jscript.asp
fpcount.exe
_vti_inf.html
postinfo.html
fp30reg.dll
fp4areg.dll
shtml.dll
shtml.exe
fpsrvadm.exe
fpremadm.exe
fpadmin.htm
fpadmcgi.exe
cfgwiz.exe
authors.pwd
author.exe
author.dll
administrators.pwd
access.cnf
service.cnf
service.pwd
service.stp
services.cnf
svcacl.cnf
users.pwd
writeto.cnf
dvwssr.dll
getdrvs.exe
global.asa
$data
msadcs.dll
newdsn.exe
search97.vts
viewcode.
showcode.
site.csc
srch.htm
uploadn.asp
logonfrm.asp
cgimail.exe
quickstore.cfg
bigconf.cgi
storemgr.pw
admin.pw
test.
password.php3
password.txt
passwd.txt
passwd.php
passwd.php3
submit.cgi
ss.cfg
ncl_items.html
stat_what.log
easylog.html
analyse.cgi
admin.cgi
admin.php
admin.pl
access-options.txt
access.log
access-log
awebvisit.stat
dan_o.dat
hits.txt
log.htm
log.html
logfile
logfile.htm
logfile.html
logfile.txt
logger.html
stat.htm
stats.htm
stats.html
stats.txt
webaccess.htm
whois_raw.cgi
localstart.asp
.asa.
.asp.
.asax.
.aspx.
trace.axd
webplus
websendmail
dcboard.cgi
dcforum.cgi
mmstdod.cgi
cvsweb.cgi
php.cgi
maillist.pl
perl.exe
rguest.exe
rwwwshell.pl
textcounter.pl
uploader.exe
webhits.exe
webgais
finger
perlshop.cgi
pfdisplay.cgi
args.bat
at-admin.cgi
bnbform.cgi
wais.pl
wguest.exe
classifieds.cgi
environ.pl
filemail.pl
man.sh
snork.bat
blat.exe
day5datacopier.cgi
day5datanotifier.cgi
hsx.cgi
s.cgi
yabb.cgi
post-query
visadmin.exe
dumpenv.pl
snorkerz.cmd
win-c-sample.exe
w3tvars.pm
lwgate
flexform
www-admin.pl
sendform.cgi
ppdscgi.exe
upload.pl
anyform2
machineinfo
bb-hist.sh
pals-cgi
webspirs.cgi
tstisapi.dll
testisapi.dll
sendmessage.cgi
lastlines.cgi
zml.cgi
ads.cgi
postinfo.asp
repost.asp
queryhit.htm
counter.exe
cached_feed.cgi
shopping_cart.mdb
password.mdb
check.txt
checks.txt
mylog.phtml
mlog.phtml
convert.bas
cpshost.dll
smssend.php
txt2html.cgi
console.exe
sojourn.cgi
ftp.pl
poll_it_ssi_v2.0.cgi
source.asp
guestbook.pl
import.txt
count.cgi
catalog.nsf
domcfg.nsf
domlog.nsf
log.nsf
names.nsf
windmail.exe
quikstore.cfg
order.log
webdist.cgi
ws_ftp.ini
jdkrqnotify.exe
infosrch.cgi
code.php3
search.vts
ax-admin.cgi
axs.cgi
cachemgr.cgi
dfire.cgi
web-map.cgi
responder.cgi
read.php3
violation.php3
get32.exe
cgitest.exe
ftpsavecsp.dll
ftpsavecvp.dll
ftpsave.dll
contextadmin.html
architext_query.pl
wwwboard.pl
db_mysql.inc
cs.exe
bizdb1-search.cgi
bb-hostsvc.sh
pscoerrpage.htm
gwweb.exe
openview5.exe
rpcproxy.dll
read_dump.php
backdoor
cfcache.map
exprcalc.cfm
beaninfo.cfm
application.cfm
getfile.cfm
addcontent.cfm
fileexists.cfm
evaluate.cfm
displayopenedfile.cfm
mainframeset.cfm
cfmlsyntaxcheck.cfm
onrequestend.cfm
startstop.html
gettempdirectory.cfm
copy of 
 - copy.
nul
lpt1
lpt2
lpt3
lpt4
aux
prn
com1
com2
com3
com4
wget
uname
echo
kill
chmod
chgrp
chsh
gcc
g++
python
tclsh
nasm
traceroute
nmap
lsof
inetd.conf
motd
shadow
httpd.conf
error_log.php
htaccess.txt
awstats.pl
log.phtml
ipn_log.txt
vbseocp.php
mime.types
fck_about.html
robots9.txt
sqldnxlpo.html
thumbs.db
ehthumbs.db
desktop.ini
.ds_store
cmdasp.asp
shell.php
r57shell.php
~.aspx
nst.php
nstview.php
perl.php
tmp.php
1nj3ct0r.php
.php.
phpinfo.php
timthumb.php
upload
soapcaller.bs
.sql.
testproxy.
psexec
composer.lock
.php~.
cmd.php
command.php

Deny the filenames/CGI applications being accessed or run.

Monitored Files (default: 0)

Monitor access to these files.

Allowed Extensions (default: 0)

Only allow requests for files with these extensions.

Denied Extensions (default: 1)

Deny requests for files with these extensions.

Extension Requests Limit (default: 0)
Limit the number of requests an IP address can make to certain file extensions.

Extension Requests Limit Max Count: (default: 200)
The number of requests that can be made in a certain amount of time.

Extension Requests Limit Max Time: (default: 4)
The time frame in which the requests are counted (in minutes).

Limit Extensions

Limit the number of requests to these file extensions.

Robots 검색 엔진 단속(기본 값 사용)

Allow Bots Robots File (default: 1)
Allow requests for the file 'robots.txt', even for blocked robots. This is recommended because if the file robots.txt cannot be obtained, the robot thinks it has access and you have no other way to tell the robot that it is not allowed.

Dynamic Robots (default: 0)
Requests for robots.txt are executed by a dynamic robots file.

Dynamic Robots File: (default: robots.asp)
The file that gets executed when requesting robots.txt. A sample of such a dynamic file (robots.asp) is included with the installation.

Deny Bots All (default: 0)
Deny requests from all bots. This is done by looking at the requests for the robots.txt file. Blocking is done by the combination of IP address and User Agent.

Deny Bots Bad (default: 1)
Deny requests from bad bots. Add the bot trap urls to your robots.txt file (you can find a sample robots.txt with this installation). Now, to lure a bad bot into those urls, add these urls with hidden anchors in your web site (<a href=/badbottrap/></a>). Blocking is done by the combination of IP address and User Agent.

Deny Bots BotTraps

Lowercase and no ending slash preferred to catch all the bad bots. Add these urls to your robots.txt: User-agent: * Disallow: /badbottrap/

Deny Bots Aggressive (default: 0)
Deny aggressive bots doing more than a certain amount of requests in a certain amount of time after their initial request for robots.txt.

Deny Bots Aggressive Max Count: (default: 180)
The amount of requests to block the bot.

Deny Bots Aggressive Max Time: (default: 3)
The time frame in which the requests are counted (in minutes).

Deny Bots Timeout: (default: 36)
The time-out (in hours) to block the bots. Blocking is done by looking at the IP address and User Agent.

Block Bots Data Mining Commercial (default: 0)
Blocks commercial datamining robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Data Mining Public (default: 0)
Blocks non-profit or public datamining robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Download Managers (default: 0)
Blocks download managers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Email Harvesting (default: 1)
Blocks email harvesting robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Guestbook Spammers (default: 1)
Blocks guestbook spamming robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Hack Tools (default: 1)
Blocks certain hacking tools. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Image Downloaders (default: 0)
Blocks image download tools/robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Indexing (default: 0)
Blocks indexing robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Monitoring (default: 0)
Blocks monitoring robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Offline Browsers (default: 0)
Blocks offline browsers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Other Bad (default: 1)
Blocks other bad robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Trademark (default: 0)
Blocks copyright/trademark robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Validation Tools (default: 0)
Blocks certain validation tools. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Link Checking (default: 0)
Blocks URL checking utilities. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Browsers (default: 0)
Blocks browsers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Media Players (default: 0)
Blocks media players. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Proxies (default: 0)
Blocks proxy servers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Adware (default: 0)
Blocks adware. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Browser Extensions (default: 0)
Blocks browser extensions. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Spyware (default: 0)
Blocks spyware. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Editing (default: 0)
Blocks web/html editing software. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots News Feed (default: 0)
Blocks news feed utilities. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Search Engines (default: 0)
Blocks search engines. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Filtering Software (default: 0)
Blocks filtering software. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Software Component (default: 0)
Blocks certain software components. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots Translation (default: 0)
Blocks translation robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Block Bots SEO (default: 0)
Blocks search engine optimization tools and services. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Headers 헤더 값 단속(기본 값 사용)

Denied Headers (default: 1)

Block the request if any of these headers are present.

Header SQL Injection (default: 0)
Do not allow SQL injection in the headers sent to the web server.

Header Encoding Exploits (default: 0)
Do not allow encoding exploits (embedded encoding...) in the headers sent to the web server.

Header Directory Traversal (default: 1)
Do not allow directory traversal (parent path) in the headers sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Header High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Maximum Header Length (default: 0)
(default: 8192)
The maximum length of a single header.

Max Headers (default: 1)

Sec-WebSocket-Key:=128
Lock-Token:=1024
Destination:=1024
Content-Transfer-Encoding:=128
Content-Language:=256
Content-Encoding:=128
BITS-Packet-Type:=64
Max-Forwards:=32
Host:=256
Expires:=64
DNT:=1
Cookie:=4095
If-Modified-Since:=64
Content-Range:=256
Allow:=512
Sec-WebSocket-Version:=32
Forwarded:=9000
Connection:=256
BITS-Supported-Protocols:=4095
Version:=128
Upgrade:=256
Title:=9000
Message-id:=1024
Unless-Modified-Since:=64
UA-pixels:=15
TE:=128
Referer:=4095
Pragma:=256
Ms-Echo-Request:=128
Accept-Ranges:=128
Vary:=128
UA-Voice:=5
UA-OS:=128
UA-color:=32
Content-Location:=1024
BITS-Session-Id:=1024
Sec-WebSocket-Extensions:=256
PassportConfig:=4000
If-Unmodified-Since:=64
If-Range:=4000
If-None-Match:=256
BITS-Response-DataFile-Name:=1024
UA-CPU:=32
Trailer:=128
HTTP2-Settings:=16384
Depth:=64
Content-Base:=1024
Authorization:=5120
X-Forwarded-For:=8190
User-Agent:=320
SOAPAction:=4095
Public:=4000
Proxy-Authorization:=4000
Orig-Uri:=1024
Content-Id:=1024
Date:=64
Accept-Charset:=1024
Sec-WebSocket-Protocol:=256
PassportURLs:=4000
Derived-From:=9000
Accept-Language:=356
Accept-Encoding:=256
Proxy-Connection:=256
If:=4095
BITS-Original-Request-URL:=1024
Origin:=1024
Timeout:=1024
Proxy-Support:=4000
Overwrite:=64
Mime-Version:=128
Content-MD5:=4000
Content-Disposition:=256
Via:=9000
Translate:=256
Expect:=256
Content-Name:=512
BITS-Request-DataFile-Name:=1024
Transfer-Encoding:=128
Ms-Echo-Reply:=128
Charge-To:=512
Cache-Control:=256
Accept:=1024
Uri:=1024
Range:=256
If-Match:=256
From:=321
Content-Type:=256
Content-Description:=1000
BITS-Protocol:=1024

Limit the length of request headers. You can specify a header and a maximum length.

Denied Header Sequences (default: 1)

cmd.exe
root.exe
system32
cscript.exe
wscript.exe
bitsadmin.exe
powershell.exe
wmic.exe
web.config
xp_cmdshell
cirestriction=none
cihilitetype=full
ciwebhitsfile
<object
<iframe
<link
<applet
<embed
<script
<form
<style
urn:schemas-microsoft-com:time
urn:schemas-microsoft-com:vml
urn:schemas-microsoft-com:xml-data
<meta
<svg
<base
<input
<maction
<frameset
<!--#exec
<!doctype
<!entity
<!attlist
@import
-o-link
-o-link-source
<animate
<handler
<listener
<?xml-stylesheet
<onevent
<stylesheet
<eval
<vmlframe
<scriptlet
<import
<?import
view-source:
<event-source
<html
<body
<area
<math
javascript:
behavior:
animationend
animationiteration
animationstart
onabort
onactivate
onafterprint
onafterupdate
onautocomplete
onautocompleteerror
onbeforeactivate
onbeforecopy
onbeforecut
onbeforepaste
onbeforedeactivate
onbeforeeditfocus
onbeforeprint
onbeforeunload
onbeforeupdate
onbegin
onblur
onbounce
oncancel
oncanplay
oncanplaythrough
oncellchange
onchange
onclick
onclose
oncontextmenu
oncontrolselect
oncopy
oncuechange
oncut
ondataavailable
ondatasetchanged
ondatasetcomplete
ondblclick
ondeactivate
ondevicelight
ondevicemotion
ondeviceorientation
ondeviceproximity
ondragdrop
ondrag
ondragend
ondragenter
ondragexit
ondragleave
ondragover
ondragstart
ondrop
ondurationchange
onemptied
onend
onended
onerror
onerrorupdate
onfilterchange
onfinish
onfocus
onfocusin
onfocusout
onformchange
onforminput
onhaschange
onhashchange
onhelp
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onlanguagechange
onlayoutcomplete
onload
onloadeddata
onloadedmetadata
onloadstart
onlosecapture
onmediacomplete
onmediaerror
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmousewheel
onmove
onmoveend
onmovestart
onoffline
ononline
onoutofsync
onopen
onpagehide
onpageshow
onpaste
onpause
onplay
onplaying
onpopstate
onprogress
onpropertychange
onratechange
onreadystatechange
onredo
onrepeat
onreset
onresize
onresizeend
onresizestart
onresume
onreverse
onrowenter
onrowexit
onrowsdelete
onrowsinserted
onscroll
onsearch
onseek
onseeked
onseeking
onselect
onselectionchange
onselectstart
onshow
onsort
onstalled
onstart
onstop
onstorage
onsubmit
onsuspend
onsyncrestored
ontimeerror
ontimeupdate
ontouchcancel
ontouchend
ontouchmove
ontouchstart
ontoggle
ontrackchange
onundo
onunload
onurlflip
onuserproximity
onvolumechange
onwheel
onwaiting
seeksegmenttime
transitionend
style=
<isindex
formaction
&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a
expression(
domattrmodified
domcharacterdatamodified
domfocusin
domfocusout
dommousescroll
domnodeinserted
domnodeinsertedintodocument
domnoderemoved
domnoderemovedfromdocument
domsubtreemodified
fromcharcode
onfullscreenchange
onsvgload
onsvgunload
onvisibilitychange
activexobject
vbscript:
cf_setdatasourceusername()
cf_setdatasourcepassword()
cf_iscoldfusiondatasource()
cfusion_getodbcdsn()
cfusion_dbconnections_flush()
cfusion_encrypt()
cfusion_setodbcini()
cfusion_settings_refresh()
cfusion_verifymail()
includedir=
_phplib[libdir]
<?php
data://
expect://
glob://
ogg://
phar://
php://
rar://
ssh2://
zlib://
phpinfo()
base64_decode(
eval(
exec(
system(
passthru(
${echo
${exit
cookie: =
shell.txt
/shell.
/bin/
/bin/bash
/dev/
/etc/
/etc/passwd
/proc/
/proc/self/environ
/tmp/
/usr/
/var/
http://www.w3.org/1999/xlink
http://www.w3.org/2000/svg
http://www.w3.org/1999/xhtml
http://www.w3.org/2001/xml-events
http://www.w3.org/1999/XSL/Transform
http://www.wapforum.org/2001/wml
http://www.w3.org/TR/WD-xsl
&tab;
&newline;
\o00
\x00
\u0000
filesystemobject
processstartinfo
frombase64string
$_get
$_post
$_cookies
$_request
$http_cookie_vars
$http_get_vars
$http_post_vars
&colon;
en;q=0.5"accept-encoding:"gzip
name: user-agent
nopnopnopjmp0x9mb
seckey: fuckpassport
() {
id: mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; .net clr 1.0.3705;)
awk 'begin
/inet/tcp
/inet/udp
perl -mio
io::socket::
/bin/sh
ruby -rsocket
¼script

Block the request if any of the character sequences are present in the headers.

Denied Header Regular Expressions (default: 1)

JSFuck payload=[+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}]
XSS style=(\b|\n|[\f\v"'`/])style(\b|\n|[\f\v])*=
Host Header IPv6 (Worm propagation)=^(.+\n)?host:(\b)*[\[]
Command ping=ping((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?((\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?)|((\h)*:(\h)*:(\h)*)|(localhost)|((\a)+[.]\a(\a)+))
XSS background=(\b|\n|[\f\v"'`/])background(\b|\n|[\f\v])*=
XSS javascript=((J|j[\\]?)|(&#((0*(74)|(106))|(X|x0*(4|6A|a)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
href http=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Command wget http=wget((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS srcdoc=(\b|\n|[\f\v"'`/])srcdoc(\b|\n|[\f\v])*=
ASP Directive=<%@.+?%>
Command curl http=curl((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS livescript=((L|l[\\]?)|(&#((0*(76)|(108))|(X|x0*(4|6C|c)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS name dataurl=(\b|\n|[\f\v"'`/])name(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*dataurl
XSS xmlns:xlink=xmlns(\b|\n|[\f\v])*:(\b|\n|[\f\v])*xlink
src http=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Browser Unicode ASCII Obfuscation=\\u00\h\h
XSS xlink:actuate=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*actuate
Command lwp-download http=lwp-download((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS JavaScript OnEvent=(\b|\n|[\f\v"'`/])on(\c)+(\b|\n|[\f\v])*=
XSS dynsrc=(\b|\n|[\f\v"'`/])dynsrc(\b|\n|[\f\v])*=
XSS handler=(\b|\n|[\f\v"'`/])handler(\b|\n|[\f\v])*=
XSS data=(\b|\n|[\f\v"'`/])data(\b|\n|[\f\v])*=
XSS xmlns svg=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/2000/svg
XSS srcset=(\b|\n|[\f\v"'`/])srcset(\b|\n|[\f\v])*=
XSS poster=(\b|\n|[\f\v"'`/])poster(\b|\n|[\f\v])*=
href=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=
ASP Page=<%@(\b|\n|[\f\v])*page
Host Header IPv4 (Worm propagation)=^(.+\n)?host:(\b)*\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?
XSS vbscript=((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((B|b[\\]?)|(&#((0*(66)|(98))|(X|x0*(4|62)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS datasrc=(\b|\n|[\f\v"'`/])datasrc(\b|\n|[\f\v])*=
XSS dataformatas=(\b|\n|[\f\v"'`/])dataformatas(\b|\n|[\f\v])*=
XSS dirname=(\b|\n|[\f\v"'`/])dirname(\b|\n|[\f\v])*=
XSS xmlns xhtml=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xhtml
XSS xmlns xlink=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xlink
Command fetch http=fetch((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
sandbox=(\b|\n|[\f\v"'`/])sandbox(\b|\n|[\f\v])*=
XSS xlink:href=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*href
src=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=
XSS expression=((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((X|x[\\]?)|(&#((0*(88)|(120))|(X|x0*(5|78)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((O|o[\\]?)|(&#((0*(79)|(111))|(X|x0*(4|6F|f)));?))((N|n[\\]?)|(&#((0*(78)|(110))|(X|x0*(4|6E|e)));?))(\b|\n|[\f\v])*\(
XSS lowsrc=(\b|\n|[\f\v"'`/])lowsrc(\b|\n|[\f\v])*=

Block the request if the headers match one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Host 호스트, 호스트 헤더 값 단속

RFC Compliant Host Header (default: 1) 한글 사용시 Disable
Block the HTTP 1.1 request if it does not include a 'Host:' header (RFC compliant).

Allowed Host Headers (default: 0)

Allow these hostname headers ('Host:') in requests and deny all others.

Denied Host Headers (default: 1)

Deny these hostname headers ('Host:') in requests.

Allow Denied Host Access (default: 1)

Add an exclusion to the denied hostname headers by allowing access from these IP addresses. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

Excluded Host Headers (default: 0)

Exclude these host headers, recommended if you want to exclude scanning requests for certain web sites. Requests with these Host headers will not be scanned. Example: 'www.example.com'.

Content Type 요청 Content Type을 단속(기본 값 사용)

Allowed Content Types (default: 1)

Deny the request when the Content-Type is not in this list. If for instance you want to enable all multipart types simply add 'multipart/'. This way you effectively enable 'multipart/form-data', 'multipart/mixed',...

Denied Content Types (default: 1)

Deny the request when the Content-Type is in this list. Examples are 'application/' (will block all application content-types), 'application/octet-stream', 'application/*' , ...

Content Type Max Length (default: 1)

Block the request when it contains an entity larger than what is allowed for that content-type.

Maximum Content Length (default: 1)
(default: 5300642)
Limit the value of the Content-Length header in a request. This allows you to limit the number of bytes sent to the server in requests.

Allowed Transfer Encodings (default: 1)

Deny the request when the Transfer-Encoding is not in this list.

Denied Transfer Encodings (default: 0)

Deny the request when the Transfer-Encoding is in this list.

Cookie 쿠키 단속(기본 값 사용)

Cookie HttpOnly (default: 0)
Sets the HttpOnly attribute in the cookie. This prevents JavaScript from accessing the cookie.

Cookie Secure (default: 0)
Sets the Secure attribute in the cookie when the site is accessed over HTTPS. This prevents the browser from sending the cookie over non-HTTPS connections.

Cookie SQL Injection (default: 1)
Deny SQL injection in the 'Cookie:' header. This can be useful if your website is using a database and you are using cookies for storing information related to the database.

Cookie Encoding Exploits (default: 0)
Do not allow encoding exploits (embedded encoding...) in cookies (in the 'Cookie:' header).

Cookie Directory Traversal (default: 0)
Do not allow directory traversal (parent path) in the cookie sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Cookie High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Cookie Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Cookie Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Cookie Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-$]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Cookie Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Cookie Variable Length (default: 1)
(default: 1024)
The maximum length of a variable in the cookies.

Denied Cookie Sequences (default: 1)

Block the request if any of the character sequences are present in the cookie.

User Agent 브라우징 단속(기본 값 사용)

User Agent Empty (default: 1)
Deny the request if the user agent is empty or not present.

User Agent Non RFC (default: 1)
Deny the request if the user agent is not RFC compliant.

User Agent SQL Injection (default: 1)
Do not allow SQL injection in the user agent.

User Agent High Bit Shellcode (default: 0)
Deny high bit shell code in the user agent. This will block ASCII>127 and possibly blocking non US-ASCII web browsers user agent strings.

User Agent Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Require User Agent Character (default: 0)
(default: /-._)
Deny the request if the user agent does not contain at least one of these characters.

User Agent Current Date (default: 1)

Deny the request if the user agent contains the current date in one of these formats. Syntax is C++ 'strftime': A=weekday, B=month name, d=day of month, j=day of year, m=month, U=week of year, y=year(99), Y=year(9999).

User Agent Switching (default: 1)
Deny the request if the user agent is changing too much coming from a single IP address.

User Agent Switching Max Count: (default: 30)
The maximum number of different user agents in a certain amount of time.

User Agent Switching Max Time: (default: 5)
The time frame in which the user agents are counted (in minutes).

Denied User Agents (default: 0)

Deny the request for these user agent strings.

Denied User Agent Sequences (default: 0)

Deny the request if the user agent contains one of these character sequences.

Excluded User Agents (default: 0)

Exclude the request from being scanned when the User-Agent header is one of these.

Referrer HTTP 리퍼러 제한

Use Referrer Scanning (default: 1)
Scan the referrer URL. Enabling this allows the other checks in this section.

Referrer URL RFC Compliant (default: 1) 한글 사용시 Disable
The referrer URL has to be RFC compliant.

Referrer URL RFC HTTPCompliant (default: 1) 한글 사용시 Disable
The referrer URL has to be HTTP RFC compliant (no authentication and no fragment).

Referrer Bad Parser (default: 1)
Detect url parsing errors by clients.

Referrer SQL Injection (default: 1)
Do not allow SQL injection in the referrer URL sent to the web server.

Referrer Encoding Exploits (default: 0)
Deny encoding exploits and embedded encoding in the referrer URL.

Referrer High Bit Shellcode (default: 0)
Deny high bit shell code in the referrer URL. This will block ASCII>127 in the referrer URL and possibly blocking non US-ASCII web sites from linking to your site.

Referrer Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Allowed Referrer Starts (default: 1)

Only allow these character sequences a referrer url may start with.

Referrer Characters (default: 0)
(default: )
Deny certain characters in the referrer URL.

Denied Referrers (default: 1)

Deny certain referrer urls. This will match urls exactly.

Denied Referrer Sequences (default: 1)

Deny these character sequences in the referrer URL.

Hot Linking 타 사이트에서 직접링크 제한(기본 값 사용)

Referrer Hot Linking (default: 0)
Scan hot linking (also called direct linking, inline linking) to certain urls or file extensions from certain domains.

Referrer Hot Linking Urls

The urls hot linking to is denied. This can also be used to prevent cross-site request forgery (CSRF) on those urls if Blank Referrer is set to blocked.

Referrer Hot Linking File Extensions

The file extensions hot linking to is denied.

Referrer Hot Linking Allow Domains (default: 1)

Only allow certain domains to use hot linking. The domains (FQDN) or IP addresses that are allowed to use hot linking. You do not need to add your own domain to this list, see setting: "Use Host Header".

Referrer Hot Linking Deny Domains (default: 0)

Deny certain domains to use hot linking. The domains (FQDN) or IP addresses that are denied to use hot linking.

Referrer Hot Linking Use Host Header (default: 1)
Allow the Host header domain to use hot linking. This is allowing the local web site to refer to itself without needing to add the domain names to the allowed list above.

Referrer Hot Linking Blank Referrer (default: 0)
Deny requests with no referrer to the protected file extensions or urls. This will block some leeching tools but also some proxy servers and browsers with additional security applications that remove the referrer header.

Methods 메소드 단속(기본 값 사용)

Allowed Verbs (default: 1)

Only allow these request methods (HTTP verbs).

Denied Verbs (default: 0)

Deny these request methods (HTTP verbs).

Denied Payload (default: 1)

Deny payloads (entity body) for these request methods (HTTP verbs).These request methods are denied receiving a payload.

Querystring 쿼리 문자열 단속

Use Querystring Raw Scan (default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the querystring before the web server decodes the URL (with built-in decoding engine).

Querystring SQL Injection (default: 1)
Do not allow SQL injection in the querystring.

Querystring Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding...) in the querystring.

Querystring Directory Traversal (default: 1)
Do not allow directory traversal in the querystring. This will block any '..' preceding or following a slash ('/' or '\').

Querystring High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Querystring Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Querystring Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Querystring Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Querystring Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Querystring (default: 1)
(default: 1024)
Limit the length of the querystring (everything after the '?' in a url).

Maximum Querystring Variable Length (default: 1)
(default: 2048)
The maximum length of a variable in the querystring.

Denied Querystring Sequences (default: 1) 아래 문자열을 필터(Block 사용시 필요하면 해당 문자열을 제거)

Block the request if any of these sequences are present in the querystring.

Denied Querystring Regular Expressions (default: 1)

JSFuck payload=[+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}]
XSS style=(\b|\n|[\f\v"'`/])style(\b|\n|[\f\v])*=
Command ping=ping((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?((\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?)|((\h)*:(\h)*:(\h)*)|(localhost)|((\a)+[.]\a(\a)+))
XSS background=(\b|\n|[\f\v"'`/])background(\b|\n|[\f\v])*=
XSS javascript=((J|j[\\]?)|(&#((0*(74)|(106))|(X|x0*(4|6A|a)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
href http=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Command wget http=wget((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS srcdoc=(\b|\n|[\f\v"'`/])srcdoc(\b|\n|[\f\v])*=
ASP Directive=<%@.+?%>
Command curl http=curl((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS livescript=((L|l[\\]?)|(&#((0*(76)|(108))|(X|x0*(4|6C|c)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS name dataurl=(\b|\n|[\f\v"'`/])name(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*dataurl
XSS xmlns:xlink=xmlns(\b|\n|[\f\v])*:(\b|\n|[\f\v])*xlink
src http=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Browser Unicode ASCII Obfuscation=\\u00\h\h
XSS xlink:actuate=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*actuate
Command lwp-download http=lwp-download((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS JavaScript OnEvent=(\b|\n|[\f\v"'`/])on(\c)+(\b|\n|[\f\v])*=
XSS dynsrc=(\b|\n|[\f\v"'`/])dynsrc(\b|\n|[\f\v])*=
XSS handler=(\b|\n|[\f\v"'`/])handler(\b|\n|[\f\v])*=
XSS data=(\b|\n|[\f\v"'`/])data(\b|\n|[\f\v])*=
XSS xmlns svg=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/2000/svg
XSS srcset=(\b|\n|[\f\v"'`/])srcset(\b|\n|[\f\v])*=
XSS poster=(\b|\n|[\f\v"'`/])poster(\b|\n|[\f\v])*=
href=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=
ASP Page=<%@(\b|\n|[\f\v])*page
XSS vbscript=((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((B|b[\\]?)|(&#((0*(66)|(98))|(X|x0*(4|62)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS datasrc=(\b|\n|[\f\v"'`/])datasrc(\b|\n|[\f\v])*=
XSS dataformatas=(\b|\n|[\f\v"'`/])dataformatas(\b|\n|[\f\v])*=
XSS dirname=(\b|\n|[\f\v"'`/])dirname(\b|\n|[\f\v])*=
XSS xmlns xhtml=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xhtml
XSS xmlns xlink=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xlink
Command fetch http=fetch((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
sandbox=(\b|\n|[\f\v"'`/])sandbox(\b|\n|[\f\v])*=
XSS charset=(\b|\n|[\f\v"'`/])charset(\b|\n|[\f\v])*=
XSS xlink:href=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*href
src=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=
XSS expression=((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((X|x[\\]?)|(&#((0*(88)|(120))|(X|x0*(5|78)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((O|o[\\]?)|(&#((0*(79)|(111))|(X|x0*(4|6F|f)));?))((N|n[\\]?)|(&#((0*(78)|(110))|(X|x0*(4|6E|e)));?))(\b|\n|[\f\v])*\(
XSS lowsrc=(\b|\n|[\f\v"'`/])lowsrc(\b|\n|[\f\v])*=

Block the request if the querystring matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Excluded Querystrings (default: 0)
Ignore certain querystrings from scanning. Once the querystring is determined to be one of these querystrings (after OnReadRawData event), the request will not be scanned by the firewall. CAUTION: if attackers know these querystrings they can avoid detection!

Exclude these querystrings from being scanned. These are full querystrings, case sensitive and special characters need to be encoded as it would appear in the HTTP request line.

Post Postdata 단속

Post RFC Compliant (default: 1)
Entities have to be accompanied by a content-type header and encoded correctly and content-length or transfer-encoding.

Postdata SQL Injection (default: 1)
Do not allow SQL injection in the data (e.g. postdata) sent to the web server.

Postdata Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding...) in the data (e.g. postdata) sent to the web server.

Postdata Directory Traversal (default: 1)
Do not allow directory traversal (parent path) in the data (e.g. postdata) sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Postdata High Bit Shellcode (default: 0) 한글 사용시 Disable
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Postdata Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Postdata Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-$]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Postdata Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Postdata Variable Length (default: 1)
(default: 2048)
The maximum length of a variable in the data.

Denied Post Sequences (default: 1) BLOCKED이 잘나는 부분

Block the request if any of these character sequences are present in the data (i.e. postdata).

Denied Post Regular Expressions (default: 1)

JSFuck payload=[+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}][+!\[\](){}]
XSS style=(\b|\n|[\f\v"'`/])style(\b|\n|[\f\v])*=
Command ping=ping((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?((\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?[.]\d(\d)?(\d)?)|((\h)*:(\h)*:(\h)*)|(localhost)|((\a)+[.]\a(\a)+))
XSS background=(\b|\n|[\f\v"'`/])background(\b|\n|[\f\v])*=
XSS javascript=((J|j[\\]?)|(&#((0*(74)|(106))|(X|x0*(4|6A|a)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((A|a[\\]?)|(&#((0*(65)|(97))|(X|x0*(4|61)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
href http=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Command wget http=wget((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS srcdoc=(\b|\n|[\f\v"'`/])srcdoc(\b|\n|[\f\v])*=
ASP Directive=<%@.+?%>
Command curl http=curl((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS livescript=((L|l[\\]?)|(&#((0*(76)|(108))|(X|x0*(4|6C|c)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS name dataurl=(\b|\n|[\f\v"'`/])name(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*dataurl
XSS xmlns:xlink=xmlns(\b|\n|[\f\v])*:(\b|\n|[\f\v])*xlink
src http=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http
Browser Unicode ASCII Obfuscation=\\u00\h\h
XSS xlink:actuate=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*actuate
Command lwp-download http=lwp-download((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
XSS JavaScript OnEvent=(\b|\n|[\f\v"'`/])on(\c)+(\b|\n|[\f\v])*=
XSS dynsrc=(\b|\n|[\f\v"'`/])dynsrc(\b|\n|[\f\v])*=
XSS handler=(\b|\n|[\f\v"'`/])handler(\b|\n|[\f\v])*=
XSS data=(\b|\n|[\f\v"'`/])data(\b|\n|[\f\v])*=
XSS xmlns svg=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/2000/svg
XSS srcset=(\b|\n|[\f\v"'`/])srcset(\b|\n|[\f\v])*=
XSS poster=(\b|\n|[\f\v"'`/])poster(\b|\n|[\f\v])*=
href=(\b|\n|[\f\v"'`/])href(\b|\n|[\f\v])*=
ASP Page=<%@(\b|\n|[\f\v])*page
XSS vbscript=((V|v[\\]?)|(&#((0*(86)|(118))|(X|x0*(5|76)));?))((B|b[\\]?)|(&#((0*(66)|(98))|(X|x0*(4|62)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((C|c[\\]?)|(&#((0*(67)|(99))|(X|x0*(4|63)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((T|t[\\]?)|(&#((0*(84)|(116))|(X|x0*(5|74)));?))((:[\\]?)|(&#((0*58)|(X|x0*3A|a));?))
XSS datasrc=(\b|\n|[\f\v"'`/])datasrc(\b|\n|[\f\v])*=
XSS dataformatas=(\b|\n|[\f\v"'`/])dataformatas(\b|\n|[\f\v])*=
XSS dirname=(\b|\n|[\f\v"'`/])dirname(\b|\n|[\f\v])*=
XSS xmlns xhtml=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xhtml
XSS xmlns xlink=(\b|\n|[\f\v"'`/])xmlns(\b|\n|[\f\v])*=(\b|\n|[\f\v])*("|')*http://www.w3.org/1999/xlink
Command fetch http=fetch((\b)+-(\w)?(\b[a-zA-Z0-9/\\]+)?)*(\b)+(\")?http
sandbox=(\b|\n|[\f\v"'`/])sandbox(\b|\n|[\f\v])*=
XSS charset=(\b|\n|[\f\v"'`/])charset(\b|\n|[\f\v])*=
XSS xlink:href=xlink(\b|\n|[\f\v])*:(\b|\n|[\f\v])*href
src=(\b|\n|[\f\v"'`/])src(\b|\n|[\f\v])*=
XSS expression=((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((X|x[\\]?)|(&#((0*(88)|(120))|(X|x0*(5|78)));?))((P|p[\\]?)|(&#((0*(80)|(112))|(X|x0*(5|70)));?))((R|r[\\]?)|(&#((0*(82)|(114))|(X|x0*(5|72)));?))((E|e[\\]?)|(&#((0*(69)|(101))|(X|x0*(4|65)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((S|s[\\]?)|(&#((0*(83)|(115))|(X|x0*(5|73)));?))((I|i[\\]?)|(&#((0*(73)|(105))|(X|x0*(4|69)));?))((O|o[\\]?)|(&#((0*(79)|(111))|(X|x0*(4|6F|f)));?))((N|n[\\]?)|(&#((0*(78)|(110))|(X|x0*(4|6E|e)));?))(\b|\n|[\f\v])*\(
XSS lowsrc=(\b|\n|[\f\v"'`/])lowsrc(\b|\n|[\f\v])*=

Block the request if the postdata matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Post Log Length: (default: 1024)
Log this amount of bytes of the post data when it is triggering an alert. Set this to zero to disable logging sensitive post data.

Global Filter Capabilities 전역필터 설정(기본 값 사용)

Is Installed As Global Filter (default: 1)
Register for the OnReadRawData event (required for scanning the Post in IIS 5). This event can only be called if the filter is installed as a global filter. If this is not the case then the filter will fail to load. For IIS 6, you need to run in IIS 5.0 Isolation mode. Use ISAPI extension instead for IIS6 (Worker Process mode) and IIS7+. Requires restart of IIS!

Is Installed In Web Proxy (default: 0)
Is the firewall installed in ISA Server or Forefront TMG. Requires restart!

Slow Header Attack (default: 1)
Do not allow slow header attack. This is a DoS where headers are sent separately with long time intervals. This is only supported in ISAPI filter.

Slow Post Attack (default: 1)
Do not allow slow POST attack. This is a DoS where postdata is sent in small packets with long time intervals. This is only supported in ISAPI filter.

Response Monitor 서버, 클라이언트간 응답에 관한 설정(기본 값 사용)

Response Headers (default: 1)

Add, change or remove headers from the HTTP response. Use an empty value to remove the header.

Log HTTP Client Errors (default: 1)
Log HTTP client side errors like '404 Not Found'. These errors start with a '4'.

HTTP Client Errors (default: 1)
Block the IP address if it generates too many HTTP client errors.

HTTP Client Errors Max Count: (default: 100)
The maximum number of HTTP client errors that can be made in a certain amount of time.

HTTP Client Errors Max Time: (default: 10)
The time frame in which the errors are counted (in minutes).

Log HTTP Server Errors (default: 1)
Log HTTP server side errors like '501 Not Implemented'. These errors start with a '5'.

HTTP Server Errors (default: 1)
Block the IP address if it generates too many HTTP server errors.

HTTP Server Errors Max Count: (default: 10)
The maximum number of HTTP server errors that can be made in a certain amount of time.

HTTP Server Errors Max Time: (default: 10)
The time frame in which the errors are counted (in minutes).

Information Disclosure (default: 1)

Deny certain information disclosures in text sent from the webserver to the client. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

SQL Injection SQL 명령어 제한

SQL Injection Keywords BLOCKED이 잘 나는 부분, 쿼리문이나 프로시저에서 어쩔 수 없다면 해당 아이템을 제거

'
`
;
--
/*
*/
/*!
/*!0
select 
select(
insert 
insert(
update 
update(
delete 
delete(
drop 
drop(
alter 
alter(
create 
create(
backup 
backup(
inner join
from 
from(
where 
where(
group by
having 
having(
order by
union 
union(
intersect 
intersect(
except 
except(
case when
exists 
exists(
 table 
not in(
 in(
shutdown
kill 
declare
openrowset
opendatasource
pwdencrypt
msdasql
sqloledb
quotename
isnull
xtype
varchar
cast(
chr(
char(
char(124)
char(9)
char(94)
char(32)
char(85)
char(60)
char(62)
charindex(
concat(
concat_ws(
convert(
substring(
substr(
left(
mid(
right(
length(
locate(
instr(
textpos(
all(
any(
some(
avg(
count(
max(
min(
sum(
cursor
fetch next
allocate
raiserror
exec
=!(
dbo.
master..
tempdb..
@@version
@@servername
@@servicename
@@fetch_status
syslogins
sysxlogins
sysdatabases
sysobjects
syscomments
syscolumns
sysname
systypes
system_user
db_name
db_id
information_schema
is_member
is_srvrolemember
object_id
object_name
col_length
col_name
column_name
table_name
0x31303235343830303536
' or '
'or '
'or'
' or'
" or "
"or "
"or"
" or"
or 1 --
or 1--
or 1=
' and '
'and '
'and'
' and'
" and "
"and "
"and"
" and"
and 1 --
and 1--
and 1=
' xor '
'xor '
'xor'
' xor'
" xor "
"xor "
"xor"
" xor"
xor 1 --
xor 1--
xor 1=
' like '
'like '
'like'
' like'
" like "
"like "
"like"
" like"
1 like 1
' between '
'between '
'between'
' between'
" between "
"between "
"between"
" between"
1 between 1 and 1
'='
'<'
'>'
'<>'
'!='
'<='
'>='
'!<'
'!>'
'+'
'&'
'<=>'
1'='1
"="
"<"
">"
"<>"
"!="
"<="
">="
"!<"
"!>"
"+"
"<=>"
1"="1
1<1
1>1
1<>1
1!=1
1<=1
1>=1
1!<1
1!>1
1<=>1
||
&&
'a=0
'0=a
'0x
'sql
[sqlinjection]
[sql injection]
[sqli]
id='
'0having'
'0having'='0having'
WCRTESTINPUT
benchmark(
database()
schema()
dbms_pipe.receive_message
ascii(
bin(
hex(
ord(
load_file(
load data infile
utf_file(
name_const(
getdate(
sysdate(
now()
user()
version()
sleep(
pg_sleep(
waitfor
waitfor delay
@@datadir
@@hostname
if(
ifnull(
nullif(
coalesce(
greatest(
interval(
is null
is not null
isnull(
least(
strcmp(
encode(
encrypt(
decode(
decrypt(
compress(
md5(
sha(
sha1(
sha2(
sha256(
extractvalue(
updatexml(
collate database_default
collate sql_
collate windows_
xp_
sp_
xp_cmdshell
xp_reg
xp_servicecontrol
xp_setsqlsecurity
xp_readerrorlog
xp_controlqueueservice
xp_createprivatequeue
xp_decodequeuecommand
xp_deleteprivatequeue
xp_deletequeue
xp_displayqueuemesgs
xp_dsinfo
xp_mergelineages
xp_readpkfromqueue
xp_readpkfromvarbin
xp_repl_encrypt
xp_resetqueue
xp_sqlinventory
xp_unpackcab
xp_sprintf
xp_displayparamstmt
xp_enumresult
xp_showcolv
xp_updatecolvbm
xp_execresultset
xp_printstatements
xp_peekqueue
xp_proxiedmetadata
xp_displayparamstmt
xp_availablemedia
xp_enumdsn
xp_filelist
sp_password
sp_adduser
sp_addextendedproc
sp_dropextendedproc
sp_add_job
sp_start_job
sp_delete_alert
sp_msrepl_startup
sp_configure
sp_oa
sp_oacreate
sp_oadestroy
sp_oageterrorinfo
sp_oagetproperty
sp_oamethod
sp_oasetproperty
sp_oastop
msysaces
msysobjects
msysqueries
msysrelationships
mysql.
mysql.user
mysql.host
mysql.db
 sys.
sys.all_tables
sys.tab
sys.user_
sys.user_catalog
sys.user_objects
sys.user_tab_columns
sys.user_tables
sys.user_views

These are the SQL keywords for the SQL injection scanning.

SQL Injection Allowed Count: (default: 1)
Ignore this number of matches at most. Only trigger an alert when more keywords than this threshold are found.

SQL Injection Normalize Whitespace (default: 1)
Removes redundant whitespace before scanning. This removes double whitespaces and spaces around parenthesis and comparison operators and adds at least one space before and after comments.

SQL Injection Replace Numeric With One (default: 1)
Also scan with numeric and boolean values replaced with 1. This is needed for some of the keywords above.

Encoding Exploits 부적절 코드 단속(기본 값 사용)

Encoding Keywords

These are the keywords for detecting encoding exploits.

Encoding Regular Expressions

These are the regex patterns for detecting encoding exploits. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Detect Double Encoding (default: 1)
Scan for double encoding (= embedded encoding).

Detect Invalid UTF-8 (default: 1)
Scan for invalid UTF-8 sequences. To avoid issues with non US-ASCII characters, set your response pages to UTF-8.

Web Applications 응용프로그램 실행 제한, 해당되는 게 있으면 √

Allow File Uploads (default: 0)
Allows file uploads to your server using the HTTP POST command.

Allow Unicode (default: 0)
Allows Unicode encoding in the urls and other data sent to the server.

Allow Outlook Web Access (default: 0)
Allows Outlook Web Access. This changes other settings so that OWA is enabled. This reduces the security of your system and it is not recommended that you run OWA as a virtual directory ('/Exchange'). It is better to assign a web site to OWA (Use MMC of Exchange Server: add HTTP server) and exclude this web instance from scanning!

Allow Outlook Mobile Access (default: 0)
Allows Outlook Mobile Access. This changes other settings so that OMA is enabled. Outlook Mobile Access is the successor of Mobile Information Server 2002 (MIS) and now comes with Microsoft Exchange Server. It enables access to Exchange Server from XHTML (WAP 2.x), and CHTML-based microbrowsers.

Allow ActiveSync (default: 0)
Allows Microsoft ActiveSync. ActiveSync is used for connection with Pocket PCs and similar devices that have Microsoft ActiveSync client software installed. One example is access from Pocket PCs to Exchange Server via Exchange Server ActiveSync.

Allow RPC over HTTP (default: 0)
Allows RPC over HTTP Proxy. RPC over HTTP was first introduced in Windows 2003 and Windows XP SP1. It allows RPC connections over an HTTP connection. Exchange 2003 uses this feature for direct remote access from Outlook without a VPN.

Allow Frontpage Extensions (default: 0)
Allows Frontpage Extensions. This changes other settings so that the firewall will not block Frontpage Extensions. Enabling this reduces the security of your system and make sure you have the latest version of Frontpage installed and keep up with security patches!

Allow Coldfusion (default: 0)
Allows Coldfusion. This changes other settings so that the firewall will not block these requests. This reduces the security of your system and you should follow security practices of Coldfusion and keep up with security fixes!

Allow WebDAV (default: 0)
Allows WebDAV. WebDAV is an HTTP extension for Distributed Authoring and Versioning. This changes other settings so that the firewall will not block these requests. This reduces the security of your system!

Allow IISADMPWD (default: 0)
Allows IISADMPWD. IISADMPWD is a virtual directory that allows users to change their domain/local password over the HTTP protocol. Outlook Web Access can use this feature. Enabling this changes other settings so that the firewall will not block these requests.

Allow SharePoint Portal Server (default: 0)
Allows SharePoint Portal Server. Enabling this changes other settings so that the firewall will not block these requests.

Allow SharePoint Team Services (default: 0)
Allows SharePoint Team Services. Enabling this changes other settings so that the firewall will not block these requests.

Allow SharePoint Office 2007 (default: 0)
Allows Office SharePoint Server 2007. Enabling this changes other settings so that the firewall will not block these requests.

Allow Team Foundation Server (default: 0)
Allows Team Foundation Server. Enabling this changes other settings so that the firewall will not block these requests.

Allow Virtual Server 2005 (default: 0)
Allows Virtual Server 2005 Web Interface. Enabling this changes other settings so that the firewall will not block these requests.

Allow Certificate Services (default: 0)
Allows Certificate Services Web Interface. Certificate Services installs a virtual directory in your default web site for managing certificates via your browser. Enabling this changes other settings so that the firewall will not block these requests.

Allow BizTalk Server (default: 0)
Allows BizTalk Server. Enabling this changes other settings so that the firewall will not block these requests.

Allow Commerce Server (default: 0)
Allows Commerce Server. Enabling this changes other settings so that the firewall will not block these requests.

Allow Small Business Server (default: 0)
Allows Small Business Server. This is the same as enabling Outlook Web Access. Enabling this changes other settings so that the firewall will not block these requests.

Allow ASP (default: 0)
Allows Active Server Pages 3.0 (and previous versions). By default ASP is fully enabled, but if you changed the default settings and disabled ASP then you can use this option to re-enable ASP.

Allow ASP NET (default: 0)
Allows all features of ASP.NET. By default ASP.NET is partially enabled. You should select this option only if you really need debugging, tracing, remoting and SOAP for your ASP.NET.

Allow ASP NET MVC (default: 0)
Allows ASP.NET MVC. By default ASP.NET MVC is not enabled.

Allow PHP (default: 0)
Allows PHP. Use this to allow PHP isapi extension. This also changes the scanning engine to be compatible with PHP.

Allow BITS (default: 0)
Allows Background Intelligent Transfer Service (BITS). BITS uses an ISAPI to extend IIS to support upload jobs. Use this to enable this isapi extension.

Allow SOAP (default: 0)
Allows SOAP. By default SOAP is blocked. Enabling this changes other settings so that the firewall will not block these requests.

Allow JSON (default: 0)
Allows JSON. By default JSON is blocked. Enabling this changes other settings so that the firewall will not block these requests.

Allow REST (default: 0)
Allows REST. By default REST is partially blocked. Enabling this changes other settings so that the firewall will not block these requests.

Allow WinRM (default: 0)
Allows Windows Remote Management (WinRM) IIS Extensions. By default WinRM is blocked. Enabling this changes other settings so that the firewall will not block these requests.

Allow WebSocket (default: 0)
Allows WebSocket (RFC 6455). By default WebSocket is blocked. Enabling this changes other settings so that the firewall will not block these requests.

Allow Paypal IPN (default: 0)
Allows Paypal IPN. By default Paypal IPN is blocked. Enabling this changes other settings so that the firewall will not block these requests.