From b9c9619a54f4d6d887ccfbbc9afe1547767d2866 Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z <ad_user@runbox.com>
Date: Thu, 4 Feb 2021 17:18:53 +1000
Subject: [PATCH] * tune nginx filters

---
 filters/nginx-bots.pcre | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/filters/nginx-bots.pcre b/filters/nginx-bots.pcre
index 858c5b1..b457284 100644
--- a/filters/nginx-bots.pcre
+++ b/filters/nginx-bots.pcre
@@ -1,11 +1,4 @@
-# phpmyadmin and variations
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
-# shit-coded php cms
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator
+# set: defscore=15
 # h4x0rs
 <HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
 <HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
@@ -13,11 +6,19 @@
 <HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
 <HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
 <HOST> .* "(\\x[0-9a-z]{2,6})+" 400
+# set: defscore=10
+# phpmyadmin and variations
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
+# set: defscore=5
 # open proxy search
 <HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
 <HOST> .* "CONNECT [a-z-\.]*proxyradar\.com
 <HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
 <HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
+# set: defscore=2
 # search bots
 <HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
 <HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
@@ -26,3 +27,6 @@
 <HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
 <HOST> .* "(GET|HEAD|POST) .* MJ12bot
 <HOST> .* "(GET|HEAD|POST) .* WebIndex
+# shit-coded php cms
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator