Frontdoor - Legacy Default Rule Set 1.0
Generated: 22 February 2026 | Total Rules: 117
DefaultRuleSet 1.0
MS-ThreatIntel-WebShells - Web shell attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99005006 | MS-ThreatIntel-WebShells | Spring4Shell Interaction Attempt | Block | Disabled | |
MS-ThreatIntel-CVEs - Rest API exploitation
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99001014 | MS-ThreatIntel-CVEs | Attempted Spring Cloud routing-expression injection (CVE-2022-22963) | Block | Disabled | |
| 99001015 | MS-ThreatIntel-CVEs | Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965) | Block | Disabled | |
| 99001016 | MS-ThreatIntel-CVEs | Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947) | Block | Disabled | |
| 99001017 | MS-ThreatIntel-CVEs | Attempted Apache Struts file upload exploitation (CVE-2023-50164) | Block | Disabled | |
PROTOCOL-ATTACK - Protocol attack
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 921110 | PROTOCOL-ATTACK | HTTP Request Smuggling Attack | Block | Enabled | |
| 921120 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | Block | Enabled | |
| 921130 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | Block | Enabled | |
| 921140 | PROTOCOL-ATTACK | HTTP Header Injection Attack via headers | Block | Enabled | |
| 921150 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | Block | Enabled | |
| 921160 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF and header-name detected) | Block | Enabled | |
| 921151 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | Block | Enabled | |
LFI - Local file inclusion
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 930100 | LFI | Path Traversal Attack (/../) | Block | Enabled | |
| 930110 | LFI | Path Traversal Attack (/../) | Block | Enabled | |
| 930120 | LFI | OS File Access Attempt | Block | Enabled | |
| 930130 | LFI | Restricted File Access Attempt | Block | Enabled | |
RFI - Remote file inclusion
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 931100 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address | Block | Enabled | |
| 931110 | RFI | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | Block | Enabled | |
| 931120 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | Block | Enabled | |
| 931130 | RFI | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link (replaced by rule #99032002) | Block | Enabled | |
RCE - Remote Command Execution attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 932100 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | |
| 932105 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | |
| 932110 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | |
| 932115 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | |
| 932120 | RCE | Remote Command Execution: Windows PowerShell Command Found | Block | Enabled | |
| 932130 | RCE | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found | Block | Enabled | |
| 932140 | RCE | Remote Command Execution: Windows FOR/IF Command Found | Block | Enabled | |
| 932150 | RCE | Remote Command Execution: Direct Unix Command Execution | Block | Enabled | |
| 932160 | RCE | Remote Command Execution: Unix Shell Code Found | Block | Enabled | |
| 932170 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | |
| 932171 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | |
| 932180 | RCE | Restricted File Upload Attempt | Block | Enabled | |
PHP - PHP attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 933100 | PHP | PHP Injection Attack: PHP Open Tag Found | Block | Enabled | |
| 933110 | PHP | PHP Injection Attack: PHP Script File Upload Found | Block | Enabled | |
| 933120 | PHP | PHP Injection Attack: Configuration Directive Found | Block | Enabled | |
| 933130 | PHP | PHP Injection Attack: Variables Found | Block | Enabled | |
| 933140 | PHP | PHP Injection Attack: I/O Stream Found | Block | Enabled | |
| 933150 | PHP | PHP Injection Attack: High-Risk PHP Function Name Found | Block | Enabled | |
| 933151 | PHP | PHP Injection Attack: Medium-Risk PHP Function Name Found | Block | Enabled | |
| 933160 | PHP | PHP Injection Attack: High-Risk PHP Function Call Found | Block | Enabled | |
| 933170 | PHP | PHP Injection Attack: Serialized Object Injection | Block | Enabled | |
| 933180 | PHP | PHP Injection Attack: Variable Function Call Found | Block | Enabled | |
XSS - Cross-site scripting
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 941100 | XSS | XSS Attack Detected via libinjection | Block | Enabled | |
| 941101 | XSS | XSS Attack Detected via libinjection | Block | Enabled | |
| 941110 | XSS | XSS Filter - Category 1: Script Tag Vector | Block | Enabled | |
| 941120 | XSS | XSS Filter - Category 2: Event Handler Vector | Block | Enabled | |
| 941130 | XSS | XSS Filter - Category 3: Attribute Vector | Block | Enabled | |
| 941140 | XSS | XSS Filter - Category 4: Javascript URI Vector | Block | Enabled | |
| 941150 | XSS | XSS Filter - Category 5: Disallowed HTML Attributes | Block | Enabled | |
| 941160 | XSS | NoScript XSS InjectionChecker: HTML Injection | Block | Enabled | |
| 941170 | XSS | NoScript XSS InjectionChecker: Attribute Injection | Block | Enabled | |
| 941180 | XSS | Node-Validator Blacklist Keywords | Block | Enabled | |
| 941190 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941200 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941210 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941220 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941230 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941240 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941250 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941260 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941270 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941280 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941290 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941300 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941310 | XSS | US-ASCII Malformed Encoding XSS Filter - Attack Detected. | Block | Enabled | |
| 941320 | XSS | Possible XSS Attack Detected - HTML Tag Handler | Block | Enabled | |
| 941330 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941340 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | |
| 941350 | XSS | UTF-7 Encoding IE XSS - Attack Detected. | Block | Enabled | |
SQLI - SQL injection
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 942100 | SQLI | SQL Injection Attack Detected via libinjection | Block | Enabled | |
| 942110 | SQLI | SQL Injection Attack: Common Injection Testing Detected | Block | Enabled | |
| 942120 | SQLI | SQL Injection Attack: SQL Operator Detected | Block | Enabled | |
| 942140 | SQLI | SQL Injection Attack: Common DB Names Detected | Block | Enabled | |
| 942150 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942160 | SQLI | Detects blind sqli tests using sleep() or benchmark(). | Block | Enabled | |
| 942170 | SQLI | Detects SQL benchmark and sleep injection attempts including conditional queries | Block | Enabled | |
| 942180 | SQLI | Detects basic SQL authentication bypass attempts 1/3 | Block | Enabled | |
| 942190 | SQLI | Detects MSSQL code execution and information gathering attempts | Block | Enabled | |
| 942200 | SQLI | Detects MySQL comment-/space-obfuscated injections and backtick termination | Block | Enabled | |
| 942210 | SQLI | Detects chained SQL injection attempts 1/2 | Block | Enabled | |
| 942220 | SQLI | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash | Block | Enabled | |
| 942230 | SQLI | Detects conditional SQL injection attempts | Block | Enabled | |
| 942240 | SQLI | Detects MySQL charset switch and MSSQL DoS attempts | Block | Enabled | |
| 942250 | SQLI | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections | Block | Enabled | |
| 942260 | SQLI | Detects basic SQL authentication bypass attempts 2/3 | Block | Enabled | |
| 942270 | SQLI | Looking for basic sql injection. Common attack string for mysql, oracle and others. | Block | Enabled | |
| 942280 | SQLI | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | Block | Enabled | |
| 942290 | SQLI | Finds basic MongoDB SQL injection attempts | Block | Enabled | |
| 942300 | SQLI | Detects MySQL comments, conditions and ch(a)r injections | Block | Enabled | |
| 942310 | SQLI | Detects chained SQL injection attempts 2/2 | Block | Enabled | |
| 942320 | SQLI | Detects MySQL and PostgreSQL stored procedure/function injections | Block | Enabled | |
| 942330 | SQLI | Detects classic SQL injection probings 1/3 | Block | Enabled | |
| 942340 | SQLI | Detects basic SQL authentication bypass attempts 3/3 | Block | Enabled | |
| 942350 | SQLI | Detects MySQL UDF injection and other data/structure manipulation attempts | Block | Enabled | |
| 942360 | SQLI | Detects concatenated basic SQL injection and SQLLFI attempts | Block | Enabled | |
| 942361 | SQLI | Detects basic SQL injection based on keyword alter or union | Block | Enabled | |
| 942370 | SQLI | Detects classic SQL injection probings 2/3 | Block | Enabled | |
| 942380 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942390 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942400 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942410 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942430 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Block | Enabled | |
| 942440 | SQLI | SQL Comment Sequence Detected. | Block | Enabled | |
| 942450 | SQLI | SQL Hex Encoding Identified | Block | Enabled | |
| 942470 | SQLI | SQL Injection Attack | Block | Enabled | |
| 942480 | SQLI | SQL Injection Attack | Block | Enabled | |
FIX - Session Fixation attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 943100 | FIX | Possible Session Fixation Attack: Setting Cookie Values in HTML | Block | Enabled | |
| 943110 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer | Block | Enabled | |
| 943120 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with No Referer | Block | Enabled | |
JAVA - Java attacks
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 944100 | JAVA | Remote Command Execution: Suspicious Java class detected | Block | Enabled | |
| 944110 | JAVA | Remote Command Execution: Java process spawn (CVE-2017-9805) | Block | Enabled | |
| 944120 | JAVA | Remote Command Execution: Java serialization (CVE-2015-5842) | Block | Enabled | |
| 944130 | JAVA | Suspicious Java class detected | Block | Enabled | |
| 944200 | JAVA | Magic bytes Detected, probable java serialization in use | Block | Enabled | |
| 944210 | JAVA | Magic bytes Detected Base64 Encoded, probable java serialization in use | Block | Enabled | |
| 944240 | JAVA | Remote Command Execution: Java serialization and Log4j vulnerability (CVE-2021-44228, CVE-2021-45046) | Block | Enabled | |
| 944250 | JAVA | Remote Command Execution: Suspicious Java method detected | Block | Enabled | |