rc2 apache 2.2.15 configtest error REQUEST-932-APPLICATION-ATTACK-RCE

[emphazer]

OS: Rhel6 Modsecurity: 2.91

Syntax error on line 56 of /etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf: Error creating rule: Error compiling pattern (offset 6266): missing terminating ] for character class

Ruleid:932100

Syntax error on line 119 of /etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf: Error creating rule: Error compiling pattern (offset 7274): \ at end of pattern

Ruleid:932110

[dune73]

@emphazer:

You are running an old RHEL release. Please determine the apache version. It is likely the following apache bug is biting you.

https://bz.apache.org/bugzilla/show_bug.cgi?id=55910

[emphazer]

@dune73:

i dont think its the bug 55910 we have this ALIAS problem with Rhel7 and apache 2.4.6 we are already in contact with redhat to fix that bug in our backported subscription.

i opened an issue in the past already and its closed. https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/261 we fixed it with reordering the rules a bit.

we never had a problem like that with apache 2.2.15 this problem has nothing to do that bug.

Red Hat Enterprise Linux Server release 6.8 (Santiago) httpd 2.2.15.54.el6_8 everything patched and newest release.

the ALIAS bug showed never an offset error so far.

i guess it is something else.

[dune73]

Thanks for confirming.

This is bad news, though. Even more so as the error points to the new RCE rules 932100 und 932110. Likely to be a case for @lifeforms then.

@emphazer: Can you tell us your PCRE version please? Or to be more precise, please issue the following commands to give us a detailed information of your environment:

$> ps aux | grep httpd
root      47243  0.0  0.7  41100  3532 pts/1    T+   11:06   0:00 sudo /apache/bin/httpd -X -f /apache/conf/httpd.conf
www-data  47245  0.1  5.3 402484 26468 pts/1    Sl+  11:06   0:00 /apache/bin/httpd -X -f /apache/conf/httpd.conf
root      62861  0.0  0.4  13240  2204 pts/3    S+   11:11   0:00 grep httpd
$> ldd /apache/bin/httpd | grep pcre
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f54f9110000)
$> ls -l /lib/x86_64-linux-gnu/libpcre.so.3
lrwxrwxrwx 1 root root 17 Mär 26 23:00 /lib/x86_64-linux-gnu/libpcre.so.3 -> libpcre.so.3.13.1
$> pmap 47245 | grep pcre
00007f744f098000    432K r-x-- libpcre.so.3.13.1
00007f744f104000   2048K ----- libpcre.so.3.13.1
00007f744f304000      4K r---- libpcre.so.3.13.1
00007f744f305000      4K rw--- libpcre.so.3.13.1
$> grep -i pcre /apache/logs/error.log | tail -1
[Fri Aug 19 11:06:30.006828 2016] [:notice] [pid 47245:tid 140137523664640] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"

[emphazer]

sure ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"

Name : pcre Arch : x86_64 Version : 7.8 Release : 7.el6 Size : 517 k Repo : installed From repo : rhel6-x86_64

/lib64/libpcre.so.0 /lib64/libpcre.so.0.0.1

its the default pcre for rhel6/centos6

mod_security is compiled with

%configure \ --enable-pcre-match-limit=no \ --enable-pcre-match-limit-recursion=no \ --enable-pcre-study \ --with-yajl=%{yajl_path} \ --enable-lua-cache

do you need any more information?

[dune73]

Terrific. Thank you very much for all this information. This should be enough to reproduce the error.

[lifeforms]

This is very interesting. Thanks for submitting it. My guess would be that Apache 2.2 does not like the line length and is passing a corrupted string to PCRE. Will have to test and see.

These lines are 10287 chars (line 56) and 10410 chars (line 119) respectively.

[dune73]

Probably... PCRE version looks terribly old though.

[emphazer]

read(5, "# ------------------------------------------------------------------------\n# OWASP ModSecurity Core Rule Set ver.3.0.0\n# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.\n#\n# The OWASP ModSecurity Core Rule Set is distributed under\n# Apache Software License (ASL) version 2\n# Please see the enclosed LICENSE file for full details.\n# ------------------------------------------------------------------------\n\n#\n# -= Paranoia Level 0 (empty) =- (apply unconditionally)\n#\n\n\n\nSecRule TX:PARANOIA_LEVEL \"@lt 1\" \"phase:1,id:932011,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\nSecRule TX:PARANOIA_LEVEL \"@lt 1\" \"phase:2,id:932012,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\n#\n# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)\n#\n\n\n# [ Unix command injection ]\n#\n# This rule detects Unix command injections.\n# A command injection takes a form such as:\n#\n#   foo.jpg;uname -a\n#   foo.jpg||uname -a\n#\n# The vulnerability exists when an application executes a shell command\n# without proper input escaping/validation.\n#\n# To prevent false positives, we look for a 'starting sequence' that\n# precedes a command in shell syntax, such as: ; | & $( ` <( >(\n#\n# This rule is case-sensitive to prevent FP (\"Cat\" vs. \"cat\").\n#\n# An effort was made to combat evasions by shell quoting (e.g. 'ls',\n# 'l'\"s\", \\l\\s are all valid). ModSecurity has a t:cmdLine\n# transformation built-in to deal with this, but unfortunately, it\n# replaces ';' characters and lowercases the payload, which is less\n# useful for this case. However, emulating the transformation makes\n# the regexp more complex.\n#\n# To rebuild the word list regexp:\n#   cd util/regexp-assemble\n#   cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl\n#\n# Then insert the assembled regexp into this template:\n#\n# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*\n# [regexp assembled from util/regexp-assemble/regexp-932100.txt]\n# \\b\" \\\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*(?:w[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r)|s(?:[\\\\\\\\'\\\"]*(?:b[\\\\\\\\'\\\"]*_[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*i|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*b|-[\\\\\\\\'\\\"]*F|o[\\\\\\\\'\\\"]*f))?|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|m[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|a)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s)|e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*(?:(?:f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*g(?:[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)?|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*m|(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*e|l)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e)|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)?|(?:y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*x|p)[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|s[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|s[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*d|(?:\\s|<|>).*)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|h[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*b|u[\\\\\\\\'\\", 4096) = 4096
read(5, "\"]*t[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n|(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:(?:u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|c[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|(?:l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*l|u[\\\\\\\\'\\\"]*(?:(?:\\s|<|>).*|d[\\\\\\\\'\\\"]*o)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|s[\\\\\\\\'\\\"]*h|v[\\\\\\\\'\\\"]*n)|p[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*(?:g(?:(?:[\\\\\\\\'\\\"]*_)?[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*o)?|e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l)|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p))?|(?:a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h|o[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*d|y[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n(?:[\\\\\\\\'\\\"]*(?:3(?:[\\\\\\\\'\\\"]*m)?|2))?|e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:l(?:[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*h|5))?|m[\\\\\\\\'\\\"]*s)|r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|h[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*[57])?|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g|s[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|n[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*d)|(?:\\s|<|>).*|a[\\\\\\\\'\\\"]*t)|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|(?:s[\\\\\\\\'\\\"]*t|c)[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|s[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*k[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|(?:a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|i[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|(?:o[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*a)[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|r[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:(?:p[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h)|m[\\\\\\\\'\\\"]*(?:(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*)?(?:\\s|<|>).*|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r)|u[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*y(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|(?:a[\\\\\\\\'\\\"]*r|c[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*m)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|s[\\\\\\\\'\\\"]*y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c)|t[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*6)?|e[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|e[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|i[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*f)?|r[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p))|b[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*2)|s[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r)|a[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*k[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w|u[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)|m[\\\\\\\\'\\\"]*(?:y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)?|h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*y|a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w))?|(?:o[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t|r[\\\\\\\\'\\\"]*e)|k[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r|v)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*q)|c[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*r[\\\\", 4096) = 4096
read(5, "\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c)|h[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:\\s|<|>).*|f[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d)|r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*b|(?:[cp]|a[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l|s[\\\\\\\\'\\\"]*h)|f[\\\\\\\\'\\\"]*(?:i(?:[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:\\s|<|>).*))?|t[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*s|w[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|(?:\\s|<|>).*)|u[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n|(?:e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|c)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p)|e[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:v(?:[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e)?|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f|s[\\\\\\\\'\\\"]*w))|x[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d|o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*t|r)|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*(?:\\s|<|>).*|i[\\\\\\\\'\\\"]*t)|c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|s[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c|v[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l)|u[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|l[\\\\\\\\'\\\"]*z[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a|a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|x[\\\\\\\\'\\\"]*z)|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*d|m[\\\\\\\\'\\\"]*o)[\\\\\\\\'\\\"]*d|d[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l))|h[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*d)|o[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*d)|(?:e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*y)|x[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|e[\\\\\\\\'\\\"]*c)|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*m)|i[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:(?:6[\\\\\\\\'\\\"]*)?t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g)|r[\\\\\\\\'\\\"]*b(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|f[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g|d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|i[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:\\s|<|>).*|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h)|d[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t|(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|u)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|(?:m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s|p[\\\\\\\\'\\\"]*k)[\\\\\\\\'\\\"]*g|o[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*s|n[\\\\\\\\'\\\"]*e)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h)|a[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r|l[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|r[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p))|g[\\\\\\\\'\\\"]*(?:(?:r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|z[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p)|u[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*b)|j[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*v[\\\\\\\\'\\\"]*a|o[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c)|o[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l|n[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r)|w[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i|(?:\\s|<|>).*)|g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|3[\\\\\\\\'\\\"]*m)|k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l|(?:\\s|<|>).*)|v[", 4096) = 4096
read(5, "\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*r|p[\\\\\\\\'\\\"]*w)|(?:G[\\\\\\\\'\\\"]*E[\\\\\\\\'\\\"]*T[\\\\\\\\'\\\"]*(?:\\s|<|>)|\\.\\s).*|7[\\\\\\\\'\\\"]*z(?:[\\\\\\\\'\\\"]*[ar])?|y[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m)\\b\" \\\n\"msg:'Remote Command Execution: Unix Command Injection',\\\nphase:request,\\\nrev:'3',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'8',\\\naccuracy:'8',\\\ncapture,\\\nt:none,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932100,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-unix',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Windows command injection ]\n#\n# This rule detects Windows shell command injections.\n# If you are not running Windows, it is safe to disable this rule.\n#\n# A command injection takes a form such as:\n#\n#   foo.jpg&ver /r\n#   foo.jpg|ver /r\n#\n# The vulnerability exists when an application executes a shell command\n# without proper input escaping/validation.\n#\n# To prevent false positives, we look for a 'starting sequence' that\n# precedes a command in CMD syntax, such as: ; | & `\n#\n# An effort is made to combat evasions by CMD syntax; for example,\n# the following strings are valid: c^md, @cmd, \"c\"md. ModSecurity\n# has a t:cmdLine transformation built-in to deal with some of these,\n# but unfortunately, that transformation replaces ';' characters (so\n# we cannot match on the start of a command) and '\\' characters (so we\n# have trouble matching paths). This makes the regexp more complex.\n#\n# This rule is case-insensitive.\n#\n# To rebuild the word list regexp:\n#   cd util/regexp-assemble\n#   cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl\n#\n# Then insert the assembled regexp into this template:\n#\n# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|`)\\s*[\\(,@\\'\\\"\\s]*(?:[\\w'\\\"\\./]+/|[\\\\\\\\'\\\"\\^]*\\w[\\\\\\\\'\\\"\\^]*:.*\\\\\\\\|[\\^\\.\\w '\\\"/\\\\\\\\]*\\\\\\\\)?[\\\"\\^]*\n# [regexp assembled from util/regexp-assemble/regexp-932110.txt]\n# (?:\\.[\\\"\\^]*\\w+)?\\b\" \\\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i)(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|`)\\s*[\\(,@\\'\\\"\\s]*(?:[\\w'\\\"\\./]+/|[\\\\\\\\'\\\"\\^]*\\w[\\\\\\\\'\\\"\\^]*:.*\\\\\\\\|[\\^\\.\\w '\\\"/\\\\\\\\]*\\\\\\\\)?[\\\"\\^]*(?:s[\\\"\\^]*(?:y[\\\"\\^]*s[\\\"\\^]*(?:t[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*(?:p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*(?:d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*p[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*o[\\\"\\^]*n|(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c|h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*d[\\\"\\^]*w[\\\"\\^]*a[\\\"\\^]*r)[\\\"\\^]*e|a[\\\"\\^]*d[\\\"\\^]*v[\\\"\\^]*a[\\\"\\^]*n[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*d)|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o)|k[\\\"\\^]*e[\\\"\\^]*y|d[\\\"\\^]*m)|h[\\\"\\^]*(?:o[\\\"\\^]*(?:w[\\\"\\^]*(?:g[\\\"\\^]*r[\\\"\\^]*p|m[\\\"\\^]*b[\\\"\\^]*r)[\\\"\\^]*s|r[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*u[\\\"\\^]*t)|e[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*s|u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|r[\\\"\\^]*p[\\\"\\^]*u[\\\"\\^]*b[\\\"\\^]*w|a[\\\"\\^]*r[\\\"\\^]*e|i[\\\"\\^]*f[\\\"\\^]*t)|e[\\\"\\^]*(?:t[\\\"\\^]*(?:(?:x[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l)|c[\\\"\\^]*p[\\\"\\^]*o[\\\"\\^]*l|l[\\\"\\^]*e[\\\"\\^]*c[\\\"\\^]*t)|c[\\\"\\^]*(?:h[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*s|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|u[\\\"\\^]*b[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l|s[\\\"\\^]*t)|t[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*g[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f|l[\\\"\\^]*(?:e[\\\"\\^]*e[\\\"\\^]*p|m[\\\"\\^]*g[\\\"\\^]*r)|o[\\\"\\^]*r[\\\"\\^]*t|f[\\\"\\^]*c|v[\\\"\\^]*n)|p[\\\"\\^]*(?:s[\\\"\\^]*(?:s[\\\"\\^]*(?:h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n|e[\\\"\\^]*r[\\\"\\^]*v[\\\"\\^]*i[\\\"\\^]*c[\\\"\\^]*e|u[\\\"\\^]*s[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*n[\\", 4096) = 4096
read(5, "\"\\^]*d)|l[\\\"\\^]*(?:o[\\\"\\^]*g[\\\"\\^]*(?:g[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*n|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t)|i[\\\"\\^]*s[\\\"\\^]*t)|p[\\\"\\^]*(?:a[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*w[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|g[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*i[\\\"\\^]*d|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c|f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e|i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l)|o[\\\"\\^]*(?:w[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*(?:s[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*l(?:[\\\"\\^]*_[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e)?|c[\\\"\\^]*f[\\\"\\^]*g)|r[\\\"\\^]*t[\\\"\\^]*q[\\\"\\^]*r[\\\"\\^]*y|p[\\\"\\^]*d)|r[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*r[\\\"\\^]*m)|n[\\\"\\^]*(?:c[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*g|m[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*r)|o[\\\"\\^]*m[\\\"\\^]*p[\\\"\\^]*t)|a[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*(?:p[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g|(?:[\\s,;]|\\.|/|<|>).*)|e[\\\"\\^]*r[\\\"\\^]*(?:l(?:[\\\"\\^]*(?:s[\\\"\\^]*h|5))?|f[\\\"\\^]*m[\\\"\\^]*o[\\\"\\^]*n)|y[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n(?:[\\\"\\^]*(?:3(?:[\\\"\\^]*m)?|2))?|k[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|h[\\\"\\^]*p(?:[\\\"\\^]*[57])?|u[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*d|i[\\\"\\^]*n[\\\"\\^]*g)|r[\\\"\\^]*(?:e[\\\"\\^]*(?:(?:p[\\\"\\^]*l[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*e|n(?:[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e)?|s[\\\"\\^]*e[\\\"\\^]*t)[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|g[\\\"\\^]*(?:s[\\\"\\^]*v[\\\"\\^]*r[\\\"\\^]*3[\\\"\\^]*2|e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*t|(?:[\\s,;]|\\.|/|<|>).*|i[\\\"\\^]*n[\\\"\\^]*i)|c[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c|o[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*y[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^]*z)|u[\\\"\\^]*(?:n[\\\"\\^]*(?:d[\\\"\\^]*l[\\\"\\^]*l[\\\"\\^]*3[\\\"\\^]*2|a[\\\"\\^]*s)|b[\\\"\\^]*y[\\\"\\^]*(?:1(?:[\\\"\\^]*[89])?|2[\\\"\\^]*[012]))|a[\\\"\\^]*(?:s[\\\"\\^]*(?:p[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*e|d[\\\"\\^]*i[\\\"\\^]*a[\\\"\\^]*l)|r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|m[\\\"\\^]*(?:(?:d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*r[\\\"\\^]*e)|o[\\\"\\^]*(?:u[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|b[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y)|s[\\\"\\^]*(?:t[\\\"\\^]*r[\\\"\\^]*u[\\\"\\^]*i|y[\\\"\\^]*n[\\\"\\^]*c)|d[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|m[\\\"\\^]*(?:y[\\\"\\^]*s[\\\"\\^]*q[\\\"\\^]*l(?:[\\\"\\^]*(?:d[\\\"\\^]*u[\\\"\\^]*m[\\\"\\^]*p(?:[\\\"\\^]*s[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*w)?|h[\\\"\\^]*o[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*p[\\\"\\^]*y|a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|s[\\\"\\^]*h[\\\"\\^]*o[\\\"\\^]*w))?|s[\\\"\\^]*(?:i[\\\"\\^]*(?:n[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*3[\\\"\\^]*2|e[\\\"\\^]*x[\\\"\\^]*e[\\\"\\^]*c)|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|g[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*s[\\\"\\^]*c)|o[\\\"\\^]*(?:u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|v[\\\"\\^]*o[\\\"\\^]*l)|v[\\\"\\^]*e[\\\"\\^]*u[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r|[dr][\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|k[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*k)|d[\\\"\\^]*(?:s[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*d|(?:[\\s,;]|\\.|/|<|>).*)|a[\\\"\\^]*p[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*d|b[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*i|e[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*r[\\\"\\^]*e|m[\\\"\\^]*s[\\\"\\^]*y[\\\"\\^]*s)|d[\\\"\\^]*(?:i[\\\"\\^]*(?:s[\\\"\\^]*k[\\\"\\^]*(?:(?:m[\\\"\\^]*g[\\\"\\^]*m|p[\\\"\\^]*a[\\\"\\^]*r)[\\\"\\^]*t|s[\\\"\\^]*h[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*o[\\\"\\^]*w)|r[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|u[\\\"\\^]*s[\\\"\\^]*e)|f[\\\"\\^]*f[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|e[\\\"\\^]*(?:l[\\\"\\^]*(?:p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*f|t[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*e|(?:[\\s,;]|\\.|/|<|>).*)|v[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|c[\\\"\\^]*o[\\\"\\^]*n)|(?:f[\\\"\\^]*r[\\\"\\^]*a|b[\\\"\\^]*u)[\\\"\\^]*g)|s[\\\"\\^]*(?:a[\\\"\\^]*(?:c[\\\"\\^]*l[\\\"\\^]*s|d[\\\"\\^]*d)|q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*y|m[\\\"\\^]*o[\\\"\\^]*(?:v[\\\"\\^]*e|d)|g[\\\"\\^]*e[\\\"\\^]*t|r[\\\"\\^]*m)|(?:r[\\\"\\^]*i[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*q[\\\"\\^]*u[\\\"\\^]*e[\\\"\\^]*r|o[\\\"\\^]*s[\\\"\\^]*k[\\\"\\^]*e)[\\\"\\^]*y|(?:c[\\\"\\^]*o[\\\"\\^]*m[\\\"\\^]*c[\\\"\\^]*n[\\\"\\^]*f|x[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*a)[\\\"\\^]*g|a[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|n[\\\"\\^]*s[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|c[\\\"\\^]*(?:o[\\\"\\^]*(?:m[\\\"\\^]*(?:p[\\\"\\^]*(?:(?:a[\\\"\\^]*c[\\\"\\^]*t[\\\"\\^]*)?(?:[\\s,;]|\\.|/|<|>).*|m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t)|e[\\\"\\^]*x[\\\"\\^]*p)|n[\\\"\\^]*(?:2[\\\"\\^]*p|v[\\\"\\^]*e)[\\\"\\^]*r[\\\"\\^]*t|p[\\\"\\^]*y)|l[\\\"\\^]*(?:e[\\\"\\^]*a[\\\"\\^]*(?:n[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r|r[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*m)|u[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*e[\\\"\\^]*r)|h[\\\"\\^]*(?:k[\\\"\\^]*(?:n[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*s|d[\\\"\\^]*s[\\\"\\^]*k)|d[\\\"\\^]*i[\\\"\\^]*r[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*)|s[\\\"\\^]*(?:c[\\\"\\^]*(?:r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t|c[\\\"\\^]*m[\\\"\\^]*d)|v[\\\"\\^]*d[", 4096) = 4096
read(5, "\\\"\\^]*e)|e[\\\"\\^]*r[\\\"\\^]*t[\\\"\\^]*(?:u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|r[\\\"\\^]*e[\\\"\\^]*q)|a[\\\"\\^]*(?:l[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|c[\\\"\\^]*l[\\\"\\^]*s)|m[\\\"\\^]*d(?:[\\\"\\^]*k[\\\"\\^]*e[\\\"\\^]*y)?|i[\\\"\\^]*p[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r|u[\\\"\\^]*r[\\\"\\^]*l)|t[\\\"\\^]*(?:a[\\\"\\^]*(?:s[\\\"\\^]*k[\\\"\\^]*(?:k[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*l|l[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*t|s[\\\"\\^]*c[\\\"\\^]*h[\\\"\\^]*d|m[\\\"\\^]*g[\\\"\\^]*r)|k[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*n)|(?:i[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*o[\\\"\\^]*u|p[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*i|e[\\\"\\^]*l[\\\"\\^]*n[\\\"\\^]*e|l[\\\"\\^]*i[\\\"\\^]*s)[\\\"\\^]*t|s[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*c[\\\"\\^]*o|s[\\\"\\^]*h[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*d)[\\\"\\^]*n|y[\\\"\\^]*p[\\\"\\^]*e[\\\"\\^]*(?:p[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*f|(?:[\\s,;]|\\.|/|<|>).*)|r[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*t|e[\\\"\\^]*e))|f[\\\"\\^]*(?:o[\\\"\\^]*r[\\\"\\^]*(?:m[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s|e[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*h)|i[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|s[\\\"\\^]*t[\\\"\\^]*r)|s[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l)|t[\\\"\\^]*(?:p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|y[\\\"\\^]*p[\\\"\\^]*e)|r[\\\"\\^]*e[\\\"\\^]*e[\\\"\\^]*d[\\\"\\^]*i[\\\"\\^]*s[\\\"\\^]*k|c[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p)|w[\\\"\\^]*(?:i[\\\"\\^]*n[\\\"\\^]*(?:d[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*f|m[\\\"\\^]*s[\\\"\\^]*d[\\\"\\^]*p|v[\\\"\\^]*a[\\\"\\^]*r|r[\\\"\\^]*[ms])|u[\\\"\\^]*(?:a[\\\"\\^]*(?:u[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*t|p[\\\"\\^]*p)|s[\\\"\\^]*a)|s[\\\"\\^]*c[\\\"\\^]*(?:r[\\\"\\^]*i[\\\"\\^]*p[\\\"\\^]*t|u[\\\"\\^]*i)|e[\\\"\\^]*v[\\\"\\^]*t[\\\"\\^]*u[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*l|m[\\\"\\^]*i[\\\"\\^]*(?:m[\\\"\\^]*g[\\\"\\^]*m[\\\"\\^]*t|c)|a[\\\"\\^]*i[\\\"\\^]*t[\\\"\\^]*f[\\\"\\^]*o[\\\"\\^]*r|h[\\\"\\^]*o[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*i|g[\\\"\\^]*e[\\\"\\^]*t)|n[\\\"\\^]*(?:e[\\\"\\^]*t[\\\"\\^]*(?:s[\\\"\\^]*(?:t[\\\"\\^]*a[\\\"\\^]*t|v[\\\"\\^]*c|h)|(?:[\\s,;]|\\.|/|<|>).*|c[\\\"\\^]*a[\\\"\\^]*t|d[\\\"\\^]*o[\\\"\\^]*m)|t[\\\"\\^]*(?:b[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*k[\\\"\\^]*u[\\\"\\^]*p|r[\\\"\\^]*i[\\\"\\^]*g[\\\"\\^]*h[\\\"\\^]*t[\\\"\\^]*s)|(?:s[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*o[\\\"\\^]*k[\\\"\\^]*u|m[\\\"\\^]*a)[\\\"\\^]*p|c[\\\"\\^]*(?:(?:[\\s,;]|\\.|/|<|>).*|a[\\\"\\^]*t)|b[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|e[\\\"\\^]*(?:x[\\\"\\^]*(?:p[\\\"\\^]*(?:a[\\\"\\^]*n[\\\"\\^]*d[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|l[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*r)|i[\\\"\\^]*t)|v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*(?:c[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e|v[\\\"\\^]*w[\\\"\\^]*r)|n[\\\"\\^]*d[\\\"\\^]*l[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*a[\\\"\\^]*l|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p|r[\\\"\\^]*a[\\\"\\^]*s[\\\"\\^]*e|c[\\\"\\^]*h[\\\"\\^]*o)|g[\\\"\\^]*(?:a[\\\"\\^]*t[\\\"\\^]*h[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*n[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*w[\\\"\\^]*o[\\\"\\^]*r[\\\"\\^]*k[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*o|p[\\\"\\^]*(?:(?:r[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*u[\\\"\\^]*l|e[\\\"\\^]*d[\\\"\\^]*i)[\\\"\\^]*t|u[\\\"\\^]*p[\\\"\\^]*d[\\\"\\^]*a[\\\"\\^]*t[\\\"\\^]*e)|i[\\\"\\^]*t[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|e[\\\"\\^]*t[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*c)|u[\\\"\\^]*(?:s[\\\"\\^]*(?:e[\\\"\\^]*r[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*u[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*l[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*t[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*g[\\\"\\^]*s|r[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a[\\\"\\^]*t)|n[\\\"\\^]*(?:r[\\\"\\^]*a[\\\"\\^]*r|z[\\\"\\^]*i[\\\"\\^]*p))|i[\\\"\\^]*(?:r[\\\"\\^]*b(?:[\\\"\\^]*(?:1(?:[\\\"\\^]*[89])?|2[\\\"\\^]*[012]))?|f[\\\"\\^]*m[\\\"\\^]*e[\\\"\\^]*m[\\\"\\^]*b[\\\"\\^]*e[\\\"\\^]*r|p[\\\"\\^]*c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*g|n[\\\"\\^]*e[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*p[\\\"\\^]*l|c[\\\"\\^]*a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s)|a[\\\"\\^]*(?:d[\\\"\\^]*(?:d[\\\"\\^]*u[\\\"\\^]*s[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*s|m[\\\"\\^]*o[\\\"\\^]*d[\\\"\\^]*c[\\\"\\^]*m[\\\"\\^]*d)|r[\\\"\\^]*p[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|t[\\\"\\^]*t[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*b|s[\\\"\\^]*s[\\\"\\^]*o[\\\"\\^]*c|z[\\\"\\^]*m[\\\"\\^]*a[\\\"\\^]*n)|l[\\\"\\^]*(?:o[\\\"\\^]*g[\\\"\\^]*(?:e[\\\"\\^]*v[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*t|t[\\\"\\^]*i[\\\"\\^]*m[\\\"\\^]*e|m[\\\"\\^]*a[\\\"\\^]*n|o[\\\"\\^]*f[\\\"\\^]*f)|a[\\\"\\^]*b[\\\"\\^]*e[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|u[\\\"\\^]*s[\\\"\\^]*r[\\\"\\^]*m[\\\"\\^]*g[\\\"\\^]*r)|b[\\\"\\^]*(?:(?:c[\\\"\\^]*d[\\\"\\^]*(?:b[\\\"\\^]*o[\\\"\\^]*o|e[\\\"\\^]*d[\\\"\\^]*i)|r[\\\"\\^]*o[\\\"\\^]*w[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a)[\\\"\\^]*t|i[\\\"\\^]*t[\\\"\\^]*s[\\\"\\^]*a[\\\"\\^]*d[\\\"\\^]*m[\\\"\\^]*i[\\\"\\^]*n|o[\\\"\\^]*o[\\\"\\^]*t[\\\"\\^]*c[\\\"\\^]*f[\\\"\\^]*g)|q[\\\"\\^]*(?:u[\\\"\\^]*e[\\\"\\^]*r[\\\"\\^]*y[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|p[\\\"\\^]*r[\\\"\\^]*o[\\\"\\^]*c[\\\"\\^]*e[\\\"\\^]*s[\\\"\\^]*s|w[\\\"\\^]*i[\\\"\\^]*n[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*a|g[\\\"\\^]*r[\\\"\\^]*e[\\\"\\^]*p)|o[\\\"\\^]*(?:d[\\\"\\^]*b[\\\"\\^", 4096) = 4096
read(5, "]*c[\\\"\\^]*(?:a[\\\"\\^]*d[\\\"\\^]*3[\\\"\\^]*2|c[\\\"\\^]*o[\\\"\\^]*n[\\\"\\^]*f)|p[\\\"\\^]*e[\\\"\\^]*n[\\\"\\^]*f[\\\"\\^]*i[\\\"\\^]*l[\\\"\\^]*e[\\\"\\^]*s)|h[\\\"\\^]*(?:o[\\\"\\^]*s[\\\"\\^]*t[\\\"\\^]*n[\\\"\\^]*a[\\\"\\^]*m[\\\"\\^]*e|d[\\\"\\^]*w[\\\"\\^]*w[\\\"\\^]*i[\\\"\\^]*z)|v[\\\"\\^]*(?:o[\\\"\\^]*l[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|e[\\\"\\^]*r[\\\"\\^]*i[\\\"\\^]*f[\\\"\\^]*y)|(?:j[\\\"\\^]*a[\\\"\\^]*v[\\\"\\^]*a|z[\\\"\\^]*i[\\\"\\^]*p)[\\\"\\^]*(?:[\\s,;]|\\.|/|<|>).*|x[\\\"\\^]*c[\\\"\\^]*(?:a[\\\"\\^]*c[\\\"\\^]*l[\\\"\\^]*s|o[\\\"\\^]*p[\\\"\\^]*y)|7[\\\"\\^]*z(?:[\\\"\\^]*[ar])?)(?:\\.[\\\"\\^]*\\w+)?\\b\" \\\n\"msg:'Remote Command Execution: Windows Command Injection',\\\nphase:request,\\\nrev:'3',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'9',\\\naccuracy:'8',\\\ncapture,\\\nt:none,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932110,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-windows',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Windows PowerShell, cmdlets and options ]\n#\n# Detect some common PowerShell commands, cmdlets and options.\n# These commands should be relatively uncommon in normal text, but\n# potentially useful for code injection.\n#\n# If you are not running Windows, it is safe to disable this rule.\n#\n# https://technet.microsoft.com/en-us/magazine/ff714569.aspx\n# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmf windows-powershell-commands.data\" \\\n\"msg:'Remote Command Execution: Windows PowerShell Command Found',\\\nphase:request,\\\nrev:'1',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'1',\\\naccuracy:'7',\\\ncapture,\\\nt:none,t:cmdLine,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932120,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'language-powershell',\\\ntag:'platform-windows',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Unix shell expressions ]\n#\n# Detects the following patterns which are common in Unix shell scripts\n# and oneliners:\n#\n# $(foo)    Command substitution\n# ${foo}    Parameter expansion\n# <(foo)    Process substitution\n# >(foo)    Process substitution\n# $((foo))  Arithmetic expansion\n#\n# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.\n# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:\\$(?:\\((?:\\(.*\\)|.*)\\)|\\{.*\\})|[<>]\\(.*\\))\" \\\n\"msg:'Remote Command Execution: Unix Shell Expression Found',\\\nphase:request,\\\nrev:'1',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'1',\\\naccuracy:'7',\\\ncapture,\\\nt:none,t:cmdLine,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932130,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-unix',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Windows FOR, IF commands ]\n#\n# This rule detects Windows command shell FOR and IF commands.\n# If you are not running Windows, it is safe to disable this rule.", 4096) = 4096
read(5, "\n#\n# Examples:\n#\n#   FOR              %a IN (set) DO\n#   FOR /D           %a IN (dirs) DO\n#   FOR /F \"options\" %a IN (text|\"text\") DO\n#   FOR /L           %a IN (start,step,end) DO\n#   FOR /R C:\\dir    %A IN (set) DO\n#\n#   IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n\n#   IF [/I] [NOT] item1   [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2\n#   IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)\n#\n# http://ss64.com/nt/if.html\n# http://ss64.com/nt/for.html\n#\n# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.\n# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx \\b(?:if(?:/i)?(?: not)? ?(?:exist\\b|defined\\b|errorlevel\\b|cmdextversion\\b|.*(?:\\bgeq\\b|\\bequ\\b|\\bneq\\b|\\bleq\\b|\\bgtr\\b|\\blss\\b|==))|for(/[dflr].*)* %+[^ ]+ in\\(.*\\)\\s?do)\" \\\n\"msg:'Remote Command Execution: Windows FOR/IF Command Found',\\\nphase:request,\\\nrev:'1',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'1',\\\naccuracy:'7',\\\ncapture,\\\nt:none,t:cmdLine,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932140,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-windows',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Unix direct remote command execution ]\n#\n# Detects Unix commands at the start of a parameter (direct RCE).\n# Example: foo=wget%20www.example.com\n#\n# This case is different from command injection (rule 932100), where a\n# command string is appended (injected) to a regular parameter, and then\n# passed to a shell unescaped.\n#\n# Due to a higher risk of false positives, the following changes have been\n# made relative to rule 932100:\n# 1) the set of commands is smaller\n# 2) we require a trailing space (denoting command parameters) or command\n#    separator character after the command\n#\n# To rebuild the word list regexp:\n#   cd util/regexp-assemble\n#   cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl\n#\n# Then insert the assembled regexp into this template:\n#\n# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:^|=)\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*\n# [regexp assembled from util/regexp-assemble/regexp-932150.txt]\n# [\\\\\\\\'\\\"]*(?:\\s|;|\\||&|<|>)\" \\\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?:^|=)\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*(?:s(?:[\\\\\\\\'\\\"]*(?:b[\\\\\\\\'\\\"]*_[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*i|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*b|-[\\\\\\\\'\\\"]*F|o[\\\\\\\\'\\\"]*f))?|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|m[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|a)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s)|e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*(?:(?:f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*g(?:[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)?|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*m)|w[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d)?|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)?|y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*x)|s[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|s[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*d)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\", 4096) = 4096
read(5, "\"]*a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|d)|h(?:[\\\\\\\\'\\\"]*\\.[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*b)?|o[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*l|c[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*d|p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|u[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o|s[\\\\\\\\'\\\"]*h|v[\\\\\\\\'\\\"]*n)|p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p))?|y[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n(?:[\\\\\\\\'\\\"]*(?:3(?:[\\\\\\\\'\\\"]*m)?|2))?|k[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l)|r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*5)?|h[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*[57])?|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|n[\\\\\\\\'\\\"]*(?:c(?:[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*d)|a[\\\\\\\\'\\\"]*t))?|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|(?:s[\\\\\\\\'\\\"]*t|c)[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|o[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g|s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|r[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)|u[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*y(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|m[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|d[\\\\\\\\'\\\"]*i)[\\\\\\\\'\\\"]*r|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|s[\\\\\\\\'\\\"]*y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c|c[\\\\\\\\'\\\"]*p)|t[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*6)?|i[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t)?|a[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*f)?|r)|e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)|b[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|s[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r)|u[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h)|m[\\\\\\\\'\\\"]*(?:y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)?|h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*y|a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)|l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*q)|u[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|l[\\\\\\\\'\\\"]*z[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a|a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|x[\\\\\\\\'\\\"]*z)|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*d|m[\\\\\\\\'\\\"]*o)[\\\\\\\\'\\\"]*d|d[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l))|x[\\\\\\\\'\\\"]*(?:z(?:[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|e[\\\\\\\\'\\\"]*c)|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e))?|a[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s)|z[\\\\\\\\'\\\"]*(?:(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|i)[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h)|f[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*s|w[\\", 4096) = 4096
read(5, "\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o)|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p)|c[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c)|u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l|a[\\\\\\\\'\\\"]*t|s[\\\\\\\\'\\\"]*h|c)|e[\\\\\\\\'\\\"]*(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|v[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|n[\\\\\\\\'\\\"]*v)|d[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*g|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s)|g[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*c)|w[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i|g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|3[\\\\\\\\'\\\"]*m)|j[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*\\s[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*x|a[\\\\\\\\'\\\"]*v[\\\\\\\\'\\\"]*a)|i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*b(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r|h[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*p)|v[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*(?:g[\\\\\\\\'\\\"]*r|p[\\\\\\\\'\\\"]*w)|G[\\\\\\\\'\\\"]*E[\\\\\\\\'\\\"]*T|\\.)[\\\\\\\\'\\\"]*(?:\\s|;|\\||&|<|>)\" \\\n\"msg:'Remote Command Execution: Direct Unix Command Execution',\\\nphase:request,\\\nrev:'1',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'1',\\\naccuracy:'7',\\\ncapture,\\\nt:none,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932150,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-unix',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n# [ Unix shell snippets ]\n#\n# Detect some common sequences found in shell commands and scripts.\n#\n# Some commands which were restricted in earlier rules due to FP,\n# have been added here with their full path, in order to catch some\n# cases where the full path is sent.\n#\nSecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@pmf unix-shell.data\" \\\n\"msg:'Remote Command Execution: Unix Shell Code Found',\\\nphase:request,\\\nrev:'1',\\\nver:'OWASP_CRS/3.0.0',\\\nmaturity:'1',\\\naccuracy:'8',\\\ncapture,\\\nt:none,t:cmdLine,t:normalizePath,\\\nctl:auditLogParts=+E,\\\nblock,\\\nid:932160,\\\ntag:'application-multi',\\\ntag:'language-shell',\\\ntag:'platform-unix',\\\ntag:'attack-rce',\\\ntag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\\\ntag:'WASCTC/WASC-31',\\\ntag:'OWASP_TOP_10/A1',\\\ntag:'PCI/6.5.2',\\\nlogdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\\\nseverity:'CRITICAL',\\\nsetvar:'tx.msg=%{rule.msg}',\\\nsetvar:tx.rce_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\\\nsetvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}\"\n\n\n\nSecRule TX:PARANOIA_LEVEL \"@lt 2\" \"phase:1,id:932013,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\nSecRule TX:PARANOIA_LEVEL \"@lt 2\" \"phase:2,id:932014,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\n#\n# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)\n#\n\n\n\nSecRule TX:PARANOIA_LEVEL \"@lt 3\" \"phase:1,id:932015,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\nSecRule TX:PARANOIA_LEVEL \"@lt 3\" \"phase:2,id:932016,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\n#\n# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)\n#\n\n\n\nSecRule TX:PARANOIA_LEVEL \"@lt 4\" \"phase:1,id:932017,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\nSecRule TX:PARANOIA_LEVEL \"@lt 4\" \"phase:2,id:932018,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"\n#\n# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)\n#\n\n\n\n#\n# -= Paranoia Levels Finished =-\n#\nSecMarker \"END-REQUEST-", 4096) = 4096
read(5, "932-APPLICATION-ATTACK-RCE\"\n\n", 4096) = 29
read(5, "", 4096)                       = 0
close(5)                                = 0

sorry for the terrible strace output. but the apache seem to read all information without error.

[dune73]

Thanks. I edited your output a bit.

[csanders-git]

I am setting up said environment now as we speak (although with centos 6.8 sources)

[csanders-git]

First approach was to check if it is any of the compile params: it is not.

[csanders-git]

Upgrading to PCRE 8.32 (without recompiling APXS) results in same issue.

[dune73]

So it's still an apache issue then?

[csanders-git]

@dune73 compiling apache 2.2.31 right now to test :)

[csanders-git]

Upgraded to Apache 2.2.31 w/ PCRE 7.8: Results in same issue.

[lifeforms]

It's definitely Apache.

I have a reproduce on Apache 2.2.31_1 on FreeBSD.

The Apache 2.2 documentation mentions: The maximum length of a line in the configuration file, after environment-variable substitution, joining any continued lines and removing leading and trailing white space, is 8192 characters. (source)

In Apache 2.4: The maximum length of a line in normal configuration files, after variable substitution and joining any continued lines, is approximately 16 MiB. (source)

[csanders-git]

this would seem to a probable cause then.

[csanders-git]

I can confirm that PCRE 8.32 with Apache 2.2.31 don't work.

[csanders-git]

will compile 2.4 for verify.

[emphazer]

2.4 works perfect

[csanders-git]

nvm then @lifeforms this seems to be the issue

[emphazer]

well, i removed some less critical words from regexp-932110.txt and regexp-932100.txt. and it works. so i guess thats it

you could remove some words or split it up to 2-3 rules or i have to write a patch for my mock rpmbuild environment. thats not a big deal for me. up to you guys. ;-)

we have round about 100 rhel6 servers hardware or vmware with crs_v3 in production already and they are monthly patched with rpm and puppet.

btw, big thanks for your great work here!

[lifeforms]

I also think that the best thing is probably to cull the word lists so we can stay under 8K line length. I was surprised but there are multiple distros keeping Apache 2.2 alive.

For Windows, this is probably easy. The list was already pretty large when we took over maintainership and I've blanket added all the stuff I could find. There is probably a lot that is either not executable or requires elevation.

For the Unix list, I'm having a tougher time saying goodbye to most entries. I guess we need to trim it down by 20%.

Can you share the stuff you removed, @emphazer?

[dune73]

What's wrong with splitting the rules in two by alphabet? -> Keyword starting with a-k go into 932100/ 932110, keywords m-z go into siblings 932101/932111.

I'd hate to cut down of security just because we want to support a legacy server software. I take apache 2.2 will lose support within 24 months now.

What distros are actually still using Apache 2.2? Ubuntu 2012 LTS, I guess. But who else?

[lifeforms]

@dune73 That's also an option. My gut feeling is that for Windows, it's definitely possible to chuck 20% of the list without expected security impact. I've added lots of stuff on a hunch, and haven't looked at the inherited entries too critically unless they caused many FP in my data. I fully expected to cull the list later based on FP reports. I'm hoping, with some help, we can cut 20% from the Windows list -- and for Unix your approach is probably the best option.

[dune73]

Sounds like the way to go then, @lifeforms. You may want to place a note that we can join the 2 unix rules once Apache 2.2 has phased out.

[emphazer]

@lifeforms sure i can do.

@all well, redhat 6 has support until 2020 and extended support untill 2025. and they definetly use apache a backported version for 2.2.15

[dune73]

@emphazer:

Here is what apache has to say:

The Apache HTTP Server Project will only provide maintenance releases of the 2.2.x flavor through 
June of 2017, and will provide some security patches beyond this date through at least December of 
2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are 
strongly encouraged to promptly complete their transitions to the the 2.4.x flavour of httpd to benefit 
from a much larger assortment of minor security and bug fixes as well as new features.

There is some merit in supporting Apache 2.2 with the latest CRS until the end of 2017 as well. But I also think that making the update to Apache 2.4 mandatory would be a good move as it would form an incentive for people to upgrade.

People running old server software without an upgrade path for Apache are unlikely to up upgrade to the latest CRS anyways. So it's probably a non-issue outside of a few isolated cases.

RedHat's case is different. They get real money for the real support they are providing. If their customers demand support for CRS3, then RedHat will find all the necessary information to provide that service in this public thread here.

[emphazer]

@lifeforms i know it has nothing to do with this issue but there are some standard dangerous commands which are not in the list

awk+ disown getfacl+ ln+ ldd ldconfig lshw mailx+ mutt+ patch+ printf+ sed+ setfacl+ ulimit+ umask+ unlink+ xxd+

[emphazer]

@lifeforms here is my list for rule 932100 with 7005 characters.

alias+ arch+ arp bash batch+ builtin bzip2+ cat+ cc+ chattr chdir+ chmod command+ coproc crontab curl disown dmesg du+ echo+ egrep env esac eval exec+ exit expand export expr fc+ fetch+ fgrep fi file+ find+ foreach ftp+ ftpstats ftpwho function gcc+ gdb GET+ getfacl+ git+ grep+ gunzip gzip head+ history hostid hostname htdigest htpasswd hup+ id+ ifconfig ipconfig irb java+ jexec jobs+ kill+ killall last+ lastlog less+ lessecho lesspipe.sh ln+ local+ locate+ logname lp+ ldd+ ldconfig+ lshw lsmod lsof lspci lsusb lwp-download lwp-dump lwp-mirror lwp-request lynx+ mailq mailx more+ mount+ mutt+ mv+ mysql mysqladmin mysqldump mysqldumpslow mysqlhotcopy mysqlshow nc+ ncat net+ netstat nice+ nmap nohup nping nstat onintr openssl passwd patch perl pgrep php pkexec pkill printenv printf+ ps+ ptar ptardiff ptargrep python python2 python3 rar+ rcp+ realpath rename+ repeat+ replace+ rm+ rmuser route rpm+ rsync ruby sched scp+ sdiff sed+ sendmail set+ setenv setfacl+ setsid sftp sh+ sleep socat sort+ source+ ssh strings su+ sudo svn sysctl tail tailf tar+ tee+ telnet time+ top ulimit umask uname unlink unset vigr vim+ vipw wget who+ whoami xargs xterm xxd+ xz+ yum zcmp zip+ zrun zsh

[lifeforms]

A PR for this problem is in #593.

@emphazer Thanks for the report and the extra command suggestions!