I tought that I had your configuration, lol. A little bit modified as my server is CPanel but basically all the rules are the same.
If you don't mind, can you point me where is your configuration and see to set them in my server? BIG THANKS.
On the other hand, may be if I explain to you what I am trying to inted to do with this rule, you can tell me if I am wrong on what I want...
Take as an example the following action:
0. (Check the whitelist first and stops any checks).
1. So, for me it will be easier to start checking from the end, so the first part to test on the action is to search for "/id.txt?", if it is find in the malware-script.txt, then the process stops and gives a 406 error.
2. If the script wasn't find, then we can check for the domain name "civitatis.superweb.ws/", if it is located in the malware-blacklist.txt, then the process stops and gives 406 error.
3. Then check for black listed IPs in malware-blacklistIP.txt, if the connection IP is located there, stop the process and gives 406 error.
4 If all the above fails continue with the other rules.
What I intend to do is to check for the faster things first, so, the script file is the lowest in size of all the malware files and is also, in my case, the most used as a lot of the hack attempts are the ones that tries to inject code via scripts.
Am I wrong?