WAF Customization
gocache-v2 ruleset
The WAF directives in the gocache-v2 ruleset are:
Paranoia level: paranoia controls the sensitivity of the OWASP rules, indicating how much the WAF distrusts user-supplied input. Level 1 represents low paranoia, focusing on obvious attacks and generating few false positives. Higher paranoia levels enable more restrictive rules, which assume that any input may be malicious and may block legitimate traffic, with more frequent false positives.
SCORE: adds the value configured for the rule to a variable. A hidden rule then reads that variable and takes the action specified by the WAF security mode if its value is greater than 5.
The actions that redefine a rule's behavior have the following effects on the directives:
Disable: deactivates the rule for WAF execution, ignoring its existence entirely. No interception is performed and no security events are generated for this directive.
Simulate: the WAF does not intercept the request, but still generates security events.
Challenge: returns a challenge page to the user, allowing access if the reCaptcha is answered correctly. Also generates a security event.
Block: blocks the request at the edge, responding with HTTP status code 403 and generating a security event.
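Added example (not GoCache's code): a Python model of the decision flow described above, showing how SCORE values accumulate toward the hidden threshold rule and how per-rule overrides change the outcome. It reads "greater than 5" literally, so a single 5-point rule alone does not trip the hidden rule. The `overrides` mapping, the security-mode values, SCORE as the default action, and the strictest-outcome-wins precedence are assumptions.

```python
THRESHOLD = 5  # per the page: the hidden rule fires when the score is greater than 5

# Scores copied from the rule tables on this page.
RULE_SCORES = {
    9201803: 3,  # POST without Content-Length and Transfer-Encoding headers
    9203200: 2,  # Missing User Agent Header
    9203102: 2,  # Request Has an Empty Accept Header
    9421000: 5,  # SQL Injection Attack Detected via libinjection
}

# What each action does to the request; "simulate" only logs.
OUTCOME = {"simulate": "pass", "challenge": "challenge", "block": "block"}
# Assumption: when several outcomes apply, the strictest one wins.
RANK = {"pass": 0, "challenge": 1, "block": 2}


def evaluate(matched, overrides=None, security_mode="block"):
    """Decide what happens to a request given the rule IDs it matched.

    matched       -- IDs of rules that matched (already filtered by paranoia level)
    overrides     -- hypothetical per-rule mapping: ID -> disable/simulate/challenge/block
    security_mode -- assumed to be one of simulate/challenge/block
    Returns (decision, score, events).
    """
    overrides = overrides or {}
    score, events, decision = 0, [], "pass"

    def apply(source, action):
        nonlocal decision
        events.append((source, action))  # every non-disabled action logs an event
        if RANK[OUTCOME[action]] > RANK[decision]:
            decision = OUTCOME[action]

    for rule_id in matched:
        action = overrides.get(rule_id, "score")  # assumption: SCORE is the default
        if action == "disable":
            continue  # rule ignored: no interception, no event
        if action == "score":
            score += RULE_SCORES[rule_id]  # only accumulate toward the threshold
        else:
            apply(rule_id, action)

    if score > THRESHOLD:  # the hidden rule
        apply("score-threshold", security_mode)
    return decision, score, events


if __name__ == "__main__":
    # Constructed sample requests, expressed as the rule IDs they matched.
    print(evaluate([9201803, 9203200]))
    print(evaluate([9201803, 9203200, 9203102]))
    print(evaluate([9421000, 9203200], {9421000: "simulate"}))
```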
Rule groups
The rules in the gocache-v2 ruleset operate based on the paranoia level. Each rule's message indicates the level (PL) at which the rule runs. A rule is only executed if its paranoia level is equal to or greater than the level configured for the domain.
Group PROTOCOL-ENFORCEMENT - gocache-v2/920*
| ID | Message | Score |
|---|---|---|
| 9201200 | Attempted multipart/form-data bypass (PL 1) | 5 |
| 9201210 | Attempted multipart/form-data bypass (PL 2) | 5 |
| 9201600 | Content-Length HTTP header is not numeric (PL 1) | 5 |
| 9201701 | GET or HEAD Request with Body Content (PL 1) | 5 |
| 9201711 | GET or HEAD Request with Transfer-Encoding (PL 1) | 5 |
| 9201803 | POST without Content-Length and Transfer-Encoding headers (PL 1) | 3 |
| 9202100 | Multiple/Conflicting Connection Header Data Found (PL 1) | 3 |
| 9202600 | Unicode Full/Half Width Abuse Attack Attempt (PL 1) | 3 |
| 9202700 | Invalid character in request (null character) (PL 3) | 5 |
| 9202710 | Invalid character in request (non printable characters) (PL 4) | 5 |
| 9203002 | Request Missing an Accept Header (PL 3) | 2 |
| 9203102 | Request Has an Empty Accept Header (PL 1) | 2 |
| 9203112 | Request Has an Empty Accept Header (PL 1) | 2 |
| 9203200 | Missing User Agent Header (PL 2) | 2 |
| 9203300 | Empty User Agent Header (PL 1) | 2 |
| 9203401 | Content-Type header missing from request with non-zero Content-Length (PL 1) | 5 |
| 9204901 | Request header x-up-devcap-post-charset detected in combination with prefix 'UP' to User-Agent (PL 3) | 5 |
| 9205000 | Attempt to access a backup or working file (PL 1) | 5 |
| 9205101 | Invalid Cache-Control request header (PL 3) | 5 |
| 9205200 | Accept-Encoding header exceeded sensible length (PL 1) | 5 |
| 9205300 | Multiple charsets detected in content type header (PL 1) | 5 |
| 9206000 | Illegal Accept header: charset parameter (PL 1) | 5 |
| 9206200 | Multiple Content-Type Request Headers (PL 1) | 5 |
| 9206401 | Content-Type header missing from request with body (PL 1) | 5 |
| 9206600 | Obsolete Request-Range header detected (PL 1) | 3 |
| 9206721 | Body is a JSON but content type does not indicate a JSON (PL 1) | 5 |
| 9206742 | Body is a XML but content type does not indicate a XML (PL 1) | 5 |
| 9206753 | Body is a base64 with a XML encoded (PL 3) | 5 |
| 9206764 | Body is a base64 with a JSON encoded (PL 3) | 5 |
| 9206775 | Invalid multipart format (PL 1) | 5 |
| 9206786 | Content type indicates JSON but the body is not a valid JSON (PL 1) | 5 |
| 9206797 | Content type indicates XML but the body is not a valid XML (PL 1) | 5 |
Group PROTOCOL-ATTACK - gocache-v2/921*
| ID | Message | Score |
|---|---|---|
| 9211100 | HTTP Request Smuggling Attack (PL 1) | 5 |
| 9211200 | HTTP Response Splitting Attack (PL 1) | 5 |
| 9211300 | HTTP Response Splitting Attack (PL 1) | 5 |
| 9211400 | HTTP Header Injection Attack via headers (PL 1) | 5 |
| 9211500 | HTTP Header Injection Attack via payload (CR/LF detected) (PL 1) | 5 |
| 9211900 | HTTP Splitting (CR/LF in request filename detected) (PL 1) | 5 |
| 9212000 | LDAP Injection Attack (PL 1) | 5 |
| 9212100 | HTTP Parameter Pollution after detecting bogus char after parameter array (PL 3) | 5 |
| 9212300 | HTTP Range Header detected (PL 3) | 5 |
| 9212400 | mod_proxy attack attempt detected (PL 1) | 5 |
| 9212500 | Old Cookies V1 usage attempt detected (PL 1) | 5 |
| 9214210 | Content-Type header: Dangerous content type outside the mime type declaration (PL 1) | 5 |
| 9214220 | Content-Type header: Dangerous content type outside the mime type declaration (PL 2) | 5 |
Group MULTIPART-ATTACK - gocache-v2/922*
| ID | Message | Score |
|---|---|---|
| 9221200 | Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (PL 1) | 5 |
| 9221300 | Multipart header contains characters outside of valid range (PL 1) | 5 |
| 9221421 | Node.js React2shell-CVE-2025-55182 attempt (PL 1) | 5 |
| 9221442 | Node.js React2shell-CVE-2025-55182 attempt with next action (PL 1) | 5 |
Group APPLICATION-ATTACK-LFI - gocache-v2/930*
| ID | Message | Score |
|---|---|---|
| 9301000 | Path Traversal Attack (/../) or (/.../) (PL 1) | 5 |
| 9301100 | Path Traversal Attack (/../) or (/.../) (PL 1) | 5 |
| 9301200 | OS File Access Attempt (PL 1) | 5 |
| 9301210 | OS File Access Attempt in REQUEST_HEADERS (PL 2) | 5 |
| 9301300 | Restricted File Access Attempt (PL 1) | 5 |
| 9301400 | Restricted File Access Attempt: AI Coding Assistant Artifact (PL 1) | 5 |
Group APPLICATION-ATTACK-RFI - gocache-v2/931*
| ID | Message | Score |
|---|---|---|
| 9311000 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address (PL 1) | 5 |
| 9311100 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload (PL 1) | 5 |
| 9311200 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) (PL 1) | 5 |
| 9311310 | Possible Remote File Inclusion (RFI) Attack (PL 2) | 5 |
| 9311411 | Remote File Inclusion - IPv6 detected (PL 1) | 5 |
| 9311412 | Remote File Inclusion - Decimal IP detected (PL 1) | 5 |
| 9311413 | Remote File Inclusion - Hexadecimal IP detected (PL 1) | 5 |
| 9311414 | Remote File Inclusion - Short Format IPv4 detected (PL 1) | 5 |
Group APPLICATION-ATTACK-RCE - gocache-v2/932*
| ID | Message | Score |
|---|---|---|
| 9321200 | Remote Command Execution: Windows PowerShell Command Found (PL 1) | 5 |
| 9321250 | Remote Command Execution: Windows Powershell Alias Command Injection (PL 1) | 5 |
| 9321300 | Remote Command Execution: Unix Shell Expression Found (PL 1) | 5 |
| 9321310 | Remote Command Execution: Unix Shell Expression Found (PL 2) | 5 |
| 9321400 | Remote Command Execution: Windows FOR/IF Command Found (PL 1) | 5 |
| 9321600 | Remote Command Execution: Unix Shell Code Found (PL 1) | 5 |
| 9321610 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS (PL 2) | 5 |
| 9321700 | Remote Command Execution: Shellshock (CVE-2014-6271) (PL 1) | 5 |
| 9321710 | Remote Command Execution: Shellshock (CVE-2014-6271) (PL 1) | 5 |
| 9321750 | Remote Command Execution: Unix shell alias invocation (PL 1) | 5 |
| 9321801 | Restricted File Upload Attempt (PL 1) | 5 |
| 9321900 | Remote Command Execution: Wildcard bypass technique attempt (PL 3) | 5 |
| 9322002 | RCE Bypass Technique (PL 2) | 5 |
| 9322053 | RCE Bypass Technique (PL 2) | 5 |
| 9322062 | RCE Bypass Technique (PL 2) | 5 |
| 9322074 | RCE Bypass Technique (PL 2) | 5 |
| 9322100 | Remote Command Execution: SQLite System Command Execution (PL 2) | 5 |
| 9322200 | Remote Command Execution: Unix Command Injection with pipe (PL 2) | 5 |
| 9322300 | Remote Command Execution: Unix Command Injection (2-3 chars) (PL 1) | 5 |
| 9322310 | Remote Command Execution: Unix Command Injection (PL 2) | 5 |
| 9322320 | Remote Command Execution: Unix Command Injection (PL 3) | 5 |
| 9322350 | Remote Command Execution: Unix Command Injection (command without evasion) (PL 1) | 5 |
| 9322360 | Remote Command Execution: Unix Command Injection (command without evasion) (PL 2) | 5 |
| 9322370 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS (PL 3) | 5 |
| 9322380 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS (PL 3) | 5 |
| 9322390 | Remote Command Execution: Unix Command Injection found in user-agent or referer header (PL 2) | 5 |
| 9322401 | Remote Command Execution: Unix Command Injection evasion attempt detected (PL 2) | 5 |
| 9322500 | Remote Command Execution: Direct Unix Command Execution (PL 1) | 5 |
| 9322600 | Remote Command Execution: Direct Unix Command Execution (PL 1) | 5 |
| 9322700 | Remote Command Execution: Unix Shell Expression Found (PL 1) | 5 |
| 9322710 | Remote Command Execution: Unix Shell Expression Found (PL 2) | 5 |
| 9322800 | Remote Command Execution: Brace Expansion Found (PL 1) | 5 |
| 9322810 | Remote Command Execution: Brace Expansion Found (PL 2) | 5 |
| 9323000 | Remote Command Execution: SMTP Command Execution (PL 2) | 5 |
| 9323010 | Remote Command Execution: SMTP Command Execution (PL 3) | 5 |
| 9323100 | Remote Command Execution: IMAP Command Execution (PL 2) | 5 |
| 9323110 | Remote Command Execution: IMAP Command Execution (PL 3) | 5 |
| 9323200 | Remote Command Execution: POP3 Command Execution (PL 2) | 5 |
| 9323210 | Remote Command Execution: POP3 Command Execution (PL 3) | 5 |
| 9323300 | Remote Command Execution: Unix shell history invocation (PL 1) | 5 |
| 9323310 | Remote Command Execution: Unix shell history invocation (PL 3) | 5 |
| 9323400 | Remote Command Execution: Direct Unix Command Execution (No Arguments) (PL 1) | 5 |
| 9323500 | Remote Command Execution: Direct Unix Command Execution (No Arguments) (PL 3) | 5 |
| 9323700 | Remote Command Execution: Windows Command Injection (PL 1) | 5 |
| 9323710 | Remote Command Execution: Windows Command Injection (PL 2) | 5 |
| 9323800 | Remote Command Execution: Windows Command Injection (PL 1) | 5 |
Group APPLICATION-ATTACK-PHP - gocache-v2/933*
| ID | Message | Score |
|---|---|---|
| 9331000 | PHP Injection Attack: PHP Open Tag Found (PL 1) | 5 |
| 9331100 | PHP Injection Attack: PHP Script File Upload Found (PL 1) | 5 |
| 9331110 | PHP Injection Attack: PHP Script File Upload Found (PL 3) | 5 |
| 9331200 | PHP Injection Attack: Configuration Directive Found (PL 1) | 5 |
| 9331300 | PHP Injection Attack: Variables Found (PL 1) | 5 |
| 9331310 | PHP Injection Attack: Variables Found (PL 3) | 5 |
| 9331350 | PHP Injection Attack: Variable Access Found (PL 1) | 5 |
| 9331400 | PHP Injection Attack: I/O Stream Found (PL 1) | 5 |
| 9331501 | PHP Injection Attack: High-Risk PHP Function Name Found (PL 1) | 5 |
| 9331510 | PHP Injection Attack: Medium-Risk PHP Function Name Found (PL 2) | 5 |
| 9331520 | PHP Injection Attack: Medium-Risk PHP Function Name Found (PL 2) | 5 |
| 9331530 | PHP Injection Attack: Medium-Risk PHP Function Name Found (PL 2) | 5 |
| 9331600 | PHP Injection Attack: High-Risk PHP Function Call Found (PL 1) | 5 |
| 9331610 | PHP Injection Attack: Low-Value PHP Function Call Found (PL 3) | 5 |
| 9331700 | PHP Injection Attack: Serialized Object Injection (PL 1) | 5 |
| 9331800 | PHP Injection Attack: Variable Function Call Found (PL 1) | 5 |
| 9331900 | PHP Injection Attack: PHP Closing Tag Found (PL 3) | 5 |
| 9332000 | PHP Injection Attack: Wrapper scheme detected (PL 1) | 5 |
| 9332100 | PHP Injection Attack: Variable Function Call Found (PL 1) | 5 |
| 9332110 | PHP Injection Attack: Variable Function Call Found (PL 3) | 5 |
| 9332200 | PHP Injection Attack: PHP Session File Upload Attempt (PL 1) | 5 |
Group APPLICATION-ATTACK-GENERIC - gocache-v2/934*
| ID | Message | Score |
|---|---|---|
| 9341000 | Node.js Injection Attack 1/2 (PL 1) | 5 |
| 9341010 | Node.js Injection Attack 2/2 (PL 2) | 5 |
| 9341100 | Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter (PL 1) | 5 |
| 9341200 | Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address (PL 2) | 5 |
| 9341300 | JavaScript Prototype Pollution (PL 1) | 5 |
| 9341400 | Perl Injection Attack (PL 2) | 5 |
| 9341500 | Ruby Injection Attack (PL 1) | 5 |
| 9341600 | Node.js DoS attack (PL 1) | 5 |
| 9341700 | PHP data scheme attack (PL 1) | 5 |
| 9341800 | SSTI Attack (PL 2) | 5 |
| 9341900 | Possible Server Side Request Forgery (SSRF) Attack: Scheme-less localhost or internal hostname detected (PL 1) | 5 |
Group APPLICATION-ATTACK-XSS - gocache-v2/941*
| ID | Message | Score |
|---|---|---|
| 9411000 | XSS Attack Detected via libinjection (PL 1) | 5 |
| 9411010 | XSS Attack Detected via libinjection (PL 2) | 5 |
| 9411100 | XSS Filter - Category 1: Script Tag Vector (PL 1) | 5 |
| 9411200 | XSS Filter - Category 2: Event Handler Vector (PL 1) | 5 |
| 9411300 | XSS Filter - Category 3: Attribute Vector (PL 1) | 5 |
| 9411400 | XSS Filter - Category 4: Javascript URI Vector (PL 1) | 5 |
| 9411500 | XSS Filter - Category 5: Disallowed HTML Attributes (PL 2) | 5 |
| 9411600 | NoScript XSS InjectionChecker: HTML Injection (PL 1) | 5 |
| 9411700 | NoScript XSS InjectionChecker: Attribute Injection (PL 1) | 5 |
| 9411800 | Node-Validator Deny List Keywords (PL 1) | 5 |
| 9411810 | Node-Validator Deny List Keywords (PL 2) | 5 |
| 9411900 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412000 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412100 | Javascript Word Detected (PL 1) | 5 |
| 9412200 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412300 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412400 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412500 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412600 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412700 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412800 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9412900 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9413000 | IE XSS Filters - Attack Detected (PL 1) | 5 |
| 9413101 | US-ASCII Malformed Encoding XSS Filter - Attack Detected (PL 1) | 5 |
| 9413200 | Possible XSS Attack Detected - HTML Tag Handler (PL 2) | 5 |
| 9413300 | IE XSS Filters - Attack Detected (PL 2) | 5 |
| 9413400 | IE XSS Filters - Attack Detected (PL 2) | 5 |
| 9413500 | UTF-7 Encoding IE XSS - Attack Detected (PL 1) | 5 |
| 9413600 | JSFuck / Hieroglyphy obfuscation detected (PL 1) | 5 |
| 9413700 | JavaScript global variable found (PL 1) | 5 |
| 9413800 | AngularJS client side template injection detected (PL 2) | 5 |
| 9413900 | Javascript method detected (PL 1) | 5 |
| 9414000 | XSS JavaScript function without parentheses (PL 1) | 5 |
Group APPLICATION-ATTACK-SQLI - gocache-v2/942*
| ID | Message | Score |
|---|---|---|
| 9421000 | SQL Injection Attack Detected via libinjection (PL 1) | 5 |
| 9421200 | SQL Injection Attack: SQL Operator Detected (PL 2) | 5 |
| 9421400 | SQL Injection Attack: Common DB Names Detected (PL 1) | 5 |
| 9421500 | SQL Injection Attack: SQL function name detected (PL 2) | 5 |
| 9421510 | SQL Injection Attack: SQL function name detected (PL 1) | 5 |
| 9421600 | Detects blind sqli tests using sleep() or benchmark() (PL 1) | 5 |
| 9421700 | Detects SQL benchmark and sleep injection attempts including conditional queries (PL 1) | 5 |
| 9421800 | Detects basic SQL authentication bypass attempts 1/3 (PL 2) | 5 |
| 9421900 | Detects MSSQL code execution and information gathering attempts (PL 1) | 5 |
| 9422000 | Detects MySQL comment-/space-obfuscated injections and backtick termination (PL 2) | 5 |
| 9422100 | Detects chained SQL injection attempts 1/2 (PL 2) | 5 |
| 9422200 | Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the "magic number" crash (PL 1) | 5 |
| 9422300 | Detects conditional SQL injection attempts (PL 1) | 5 |
| 9422400 | Detects MySQL charset switch and MSSQL DoS attempts (PL 1) | 5 |
| 9422500 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections (PL 1) | 5 |
| 9422510 | Detects HAVING injections (PL 3) | 5 |
| 9422600 | Detects basic SQL authentication bypass attempts 2/3 (PL 2) | 5 |
| 9422700 | Looking for basic sql injection. Common attack string for mysql, oracle and others (PL 1) | 5 |
| 9422800 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts (PL 1) | 5 |
| 9422900 | Finds basic MongoDB SQL injection attempts (PL 1) | 5 |
| 9423000 | Detects MySQL comments, conditions and ch(a)r injections (PL 2) | 5 |
| 9423100 | Detects chained SQL injection attempts 2/2 (PL 2) | 5 |
| 9423200 | Detects MySQL and PostgreSQL stored procedure/function injections (PL 1) | 5 |
| 9423300 | Detects classic SQL injection probings 1/3 (PL 2) | 5 |
| 9423400 | Detects basic SQL authentication bypass attempts 3/3 (PL 2) | 5 |
| 9423500 | Detects MySQL UDF injection and other data/structure manipulation attempts (PL 1) | 5 |
| 9423600 | Detects concatenated basic SQL injection and SQLLFI attempts (PL 1) | 5 |
| 9423610 | Detects basic SQL injection based on keyword alter or union (PL 2) | 5 |
| 9423620 | Detects concatenated basic SQL injection and SQLLFI attempts (PL 2) | 5 |
| 9423700 | Detects classic SQL injection probings 2/3 (PL 2) | 5 |
| 9423800 | SQL Injection Attack (PL 2) | 5 |
| 9423900 | SQL Injection Attack (PL 2) | 5 |
| 9424000 | SQL Injection Attack (PL 2) | 5 |
| 9424100 | SQL Injection Attack (PL 2) | 5 |
| 9424210 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) (PL 4) | 3 |
| 9424300 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) (PL 2) | 3 |
| 9424310 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) (PL 3) | 3 |
| 9424401 | SQL Comment Sequence Detected (PL 2) | 5 |
| 9424500 | SQL Bin or Hex Encoding Identified (PL 2) | 5 |
| 9424600 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters (PL 3) | 3 |
| 9424700 | SQL Injection Attack (PL 2) | 5 |
| 9424800 | SQL Injection Attack (PL 2) | 5 |
| 9424900 | Detects classic SQL injection probings 3/3 (PL 3) | 5 |
| 9425000 | MySQL in-line comment detected (PL 1) | 5 |
| 9425100 | SQLi bypass attempt by ticks or backticks detected (PL 2) | 5 |
| 9425110 | SQLi bypass attempt by ticks detected (PL 3) | 5 |
| 9425200 | Detects basic SQL authentication bypass attempts 4.0/4 (PL 2) | 5 |
| 9425220 | Detects basic SQL authentication bypass attempts 4.1/4 (PL 2) | 5 |
| 9425300 | SQLi query termination detected (PL 3) | 5 |
| 9425400 | SQL Authentication bypass (split query) (PL 1) | 5 |
| 9425500 | JSON-Based SQL Injection (PL 1) | 5 |
| 9425600 | MySQL Scientific Notation payload detected (PL 1) | 5 |
Group APPLICATION-ATTACK-SESSION-FIXATION - gocache-v2/943*
| ID | Message | Score |
|---|---|---|
| 9431000 | Possible Session Fixation Attack: Setting Cookie Values in HTML (PL 1) | 5 |
| 9431201 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer (PL 1) | 5 |
Group APPLICATION-ATTACK-JAVA - gocache-v2/944*
| ID | Message | Score |
|---|---|---|
| 9441000 | Remote Command Execution: Suspicious Java class detected (PL 1) | 5 |
| 9441101 | Remote Command Execution: Java process spawn (CVE-2017-9805) (PL 1) | 5 |
| 9441201 | Remote Command Execution: Java serialization (CVE-2015-4852) (PL 1) | 5 |
| 9441300 | Suspicious Java class detected (PL 1) | 5 |
| 9441400 | Java Injection Attack: Java Script File Upload Found (PL 1) | 5 |
| 9441500 | Potential Remote Command Execution: Log4j / Log4shell (PL 1) | 5 |
| 9441510 | Potential Remote Command Execution: Log4j / Log4shell (PL 2) | 5 |
| 9442000 | Magic bytes Detected, probable java serialization in use (PL 2) | 5 |
| 9442100 | Magic bytes Detected Base64 Encoded, probable java serialization in use (PL 2) | 5 |
| 9442400 | Remote Command Execution: Java serialization (CVE-2015-4852) (PL 2) | 5 |
| 9442500 | Remote Command Execution: Suspicious Java method detected (PL 2) | 5 |
| 9442600 | Remote Command Execution: Malicious class-loading payload (PL 2) | 5 |
| 9443000 | Base64 encoded string matched suspicious keyword (PL 3) | 5 |