/
web_appsec_rules.xml
190 lines (163 loc) · 6.15 KB
/
web_appsec_rules.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
-
- Web attacks/vulns specific rules for OSSEC.
-
- Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->
<!-- Collection of rules for common web attacks that we are seeing in the wild.
- The real goal is to stop bots and automated attacks from doing further damage
- on sites that are not updated.
-->
<group name="web,appsec,attack">
<!-- Checking POST / requests - WP comment spam coming from fake search engines.
-->
<rule id="31501" level="6">
<if_sid>31100</if_sid>
<pcre2>POST /.*(?:Googlebot|MSNBot|BingBot)</pcre2>
<url_pcre2>/wp-comments-post\.php</url_pcre2>
<description>WordPress Comment Spam (coming from a fake search engine UA).</description>
</rule>
<!-- Timthumb scans.
-->
<rule id="31502" level="6">
<if_sid>31100</if_sid>
<url_pcre2>thumb\.php|timthumb\.php</url_pcre2>
<pcre2> "GET \S+thumb\.php\?src=\S+\.php</pcre2>
<description>TimThumb vulnerability exploit attempt.</description>
</rule>
<!-- osCommerce login.php bypass
-->
<rule id="31503" level="6">
<if_sid>31100</if_sid>
<url_pcre2>login\.php</url_pcre2>
<pcre2> "POST /\S+\.php/login\.php\?cPath=</pcre2>
<description>osCommerce login.php bypass attempt.</description>
</rule>
<!-- osCommerce file manager login.php bypass
-->
<rule id="31504" level="6">
<if_sid>31100</if_sid>
<url_pcre2>login\.php</url_pcre2>
<pcre2>/admin/[A-Za-z0-9@_-]+\.php/login\.php</pcre2>
<description>osCommerce file manager login.php bypass attempt.</description>
</rule>
<!-- Timthumb backdoor access.
-->
<rule id="31505" level="6">
<if_sid>31100</if_sid>
<url_pcre2>/cache/external</url_pcre2>
<pcre2> "GET /\S+/cache/external\S+\.php</pcre2>
<description>TimThumb backdoor access attempt.</description>
</rule>
<!-- Timthumb backdoor access.
-->
<rule id="31506" level="6">
<if_sid>31100</if_sid>
<url_pcre2>cart\.php</url_pcre2>
<pcre2> "GET /\S+cart\.php\?\S+templatefile=\.\./</pcre2>
<description>Cart.php directory transversal attempt.</description>
</rule>
<!-- MSSQL IIS inject rules -->
<rule id="31507" level="6">
<if_sid>31100</if_sid>
<url_pcre2>DECLARE%20@S%20CHAR|%20AS%20CHAR</url_pcre2>
<description>MSSQL Injection attempt (ur.php, urchin.js).</description>
</rule>
<!-- BAD/Annoying user agents -->
<rule id="31508" level="6">
<if_sid>31100</if_sid>
<pcre2> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af\.sourceforge\.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</pcre2>
<description>Blacklisted user agent (known malicious user agent).</description>
</rule>
<!-- WordPress wp-login.php brute force -->
<rule id="31509" level="3">
<if_sid>31108</if_sid>
<url_pcre2>wp-login\.php|/administrator</url_pcre2>
<pcre2>\] "POST \S+wp-login\.php| "POST /administrator</pcre2>
<description>CMS (WordPress or Joomla) login attempt.</description>
</rule>
<!-- If we see frequent wp-login POST's, it is likely a bot. -->
<rule id="31510" level="8" frequency="6" timeframe="30">
<if_matched_sid>31509</if_matched_sid>
<same_source_ip />
<description>CMS (WordPress or Joomla) brute force attempt.</description>
</rule>
<!-- Nothing wrong with wget per se, but it misses a lot of links
- that generates many 404s. Blocking it to avoid the noise.
-->
<rule id="31511" level="0">
<if_sid>31100</if_sid>
<pcre2>" "Wget/</pcre2>
<description>Blacklisted user agent (wget).</description>
</rule>
<!-- Uploadify scans.
-->
<rule id="31512" level="6">
<if_sid>31100</if_sid>
<url_pcre2>uploadify\.php</url_pcre2>
<pcre2> "GET /\S+/uploadify\.php\?src=http://\S+\.php</pcre2>
<description>Uploadify vulnerability exploit attempt.</description>
</rule>
<!-- BBS delete.php skin_path.
-->
<rule id="31513" level="6">
<if_sid>31100</if_sid>
<url_pcre2>delete\.php</url_pcre2>
<pcre2> "GET \S+/delete\.php\?board_skin_path=http://\S+\.php</pcre2>
<description>BBS delete.php exploit attempt.</description>
</rule>
<!-- Simple shell.php command execution
-->
<rule id="31514" level="6">
<if_sid>31100</if_sid>
<url_pcre2>shell\.php</url_pcre2>
<pcre2> "GET \S+/shell\.php\?cmd=</pcre2>
<description>Simple shell.php command execution.</description>
</rule>
<!-- PHPMyAdmin scans
-->
<rule id="31515" level="6">
<if_sid>31100</if_sid>
<url_pcre2>phpMyAdmin/scripts/setup\.php</url_pcre2>
<description>PHPMyAdmin scans (looking for setup.php).</description>
</rule>
<!-- Suspicious URL's access
-->
<rule id="31516" level="6">
<if_sid>31100</if_sid>
<url_pcre2>\.swp$|\.bak$|/\.htaccess|/server-status|/\.ssh|/\.history|/wallet\.dat</url_pcre2>
<description>Suspicious URL access.</description>
</rule>
<!-- Checking POST requests - Too many in a small type = likely a bot -->
<rule id="31530" level="3">
<if_sid>31100</if_sid>
<pcre2>\] "POST </pcre2>
<options>no_log</options>
<description>POST request received.</description>
</rule>
<rule id="31531" level="0">
<if_sid>31530</if_sid>
<url_pcre2>/wp-admin/|/administrator/|/admin/</url_pcre2>
<description>Ignoring often post requests inside /wp-admin and /admin.</description>
</rule>
<rule id="31533" level="10" timeframe="20" frequency="6">
<if_matched_sid>31530</if_matched_sid>
<same_source_ip />
<description>High amount of POST requests in a small period of time (likely bot).</description>
</rule>
<!-- Anomaly rules - Used on common web attacks -->
<rule id="31550" level="6">
<if_sid>31100</if_sid>
<url_pcre2>%00</url_pcre2>
<pcre2> "GET /\S+\.php\?\S+%00</pcre2>
<description>Anomaly URL query (attempting to pass null termination).</description>
</rule>
</group>