1 <!-- @(#) $Id: ./etc/rules/apache_rules.xml, 2011/09/08 dcid Exp $
3 - Official Apache rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
15 - Contributed by: Ahmet Ozturk
16 - Ben Chavet <ben.chavet@lullabot.com>
20 <group name="apache,">
21 <rule id="30100" level="0">
22 <decoded_as>apache-errorlog</decoded_as>
23 <description>Apache messages grouped.</description>
26 <rule id="30101" level="0">
27 <if_sid>30100</if_sid>
28 <match>^[error] </match>
29 <description>Apache error messages grouped.</description>
32 <rule id="30102" level="0">
33 <if_sid>30100</if_sid>
34 <match>^[warn] </match>
35 <description>Apache warn messages grouped.</description>
38 <rule id="30103" level="0">
39 <if_sid>30100</if_sid>
40 <match>^[notice] </match>
41 <description>Apache notice messages grouped.</description>
44 <rule id="30104" level="12">
45 <if_sid>30103</if_sid>
46 <match>exit signal Segmentation Fault</match>
47 <description>Apache segmentation fault.</description>
48 <info type="link">http://www.securityfocus.com/infocus/1633</info>
49 <group>service_availability,</group>
52 <rule id="30105" level="5">
53 <if_sid>30101</if_sid>
54 <match>denied by server configuration</match>
55 <description>Attempt to access forbidden file or directory.</description>
56 <group>access_denied,</group>
59 <rule id="30106" level="5">
60 <if_sid>30101</if_sid>
61 <match>Directory index forbidden by rule</match>
62 <description>Attempt to access forbidden directory index.</description>
63 <group>access_denied,</group>
66 <rule id="30107" level="6">
67 <if_sid>30101</if_sid>
68 <match>Client sent malformed Host header</match>
69 <description>Client sent malformed Host header. Possible Code Red attack.</description>
70 <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
71 <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
72 <group>automatic_attack,</group>
75 <rule id="30108" level="5">
76 <if_sid>30102</if_sid>
77 <match>authentication failed</match>
78 <description>User authentication failed.</description>
79 <group>authentication_failed,</group>
82 <rule id="30109" level="9">
83 <if_sid>30101</if_sid>
84 <regex>user \S+ not found|user \S+ in realm \.* not found</regex>
85 <description>Attempt to login using a non-existent user.</description>
86 <group>invalid_login,</group>
89 <rule id="30110" level="5">
90 <if_sid>30101</if_sid>
91 <match>authentication failure</match>
92 <description>User authentication failed.</description>
93 <group>authentication_failed,</group>
96 <rule id="30112" level="0">
97 <if_sid>30101</if_sid>
98 <match>File does not exist: |</match>
99 <match>failed to open stream: No such file or directory|</match>
100 <match>Failed opening </match>
101 <description>Attempt to access a non-existent file (these are reported in the access.log).</description>
102 <group>unknown_resource,</group>
105 <!-- [Tue Mar 07 12:05:15 2006] [error] [client 200.206.165.91] Invalid URI in request %3Bi%3A3%3Bi%3A0%3B%7D; usercookie[password]=d6ed9e1750d0b2aba6b3311cbec087d8; 45befd35f8a0f47b89ed8831f892b8dc=167c4e46a940cd2570b952eea527b27a; PHPSESSID=616hjdg7kj9bln37efsv7vt7g3
106 - [client 65.204.137.200] script '/var/www/html/xmlrpc.php' not found or unable to stat
108 <rule id="30115" level="5">
109 <if_sid>30101</if_sid>
110 <match>Invalid URI in request</match>
111 <description>Invalid URI (bad client request).</description>
112 <group>invalid_request,</group>
115 <rule id="30116" level="10" frequency="8" timeframe="120">
116 <if_matched_sid>30115</if_matched_sid>
118 <description>Multiple Invalid URI requests from </description>
119 <description>same source.</description>
120 <group>invalid_request,</group>
123 <rule id="30117" level="10">
124 <if_sid>30101</if_sid>
125 <match>File name too long|request failed: URI too long</match>
126 <description>Invalid URI, file name too long.</description>
127 <group>invalid_request,</group>
130 <!-- Mod security rules by <ossec ( at ) sioban.net -->
131 <rule id="30118" level="6">
132 <if_sid>30101</if_sid>
133 <match>mod_security: Access denied|ModSecurity: Access denied</match>
134 <description>Access attempt blocked by Mod Security.</description>
135 <group>access_denied,</group>
138 <rule id="30119" level="12" frequency="6" timeframe="120">
139 <if_matched_sid>30118</if_matched_sid>
141 <description>Multiple attempts blocked by Mod Security.</description>
142 <group>access_denied,</group>
145 <rule id="30120" level="12">
146 <if_sid>30101</if_sid>
147 <match>Resource temporarily unavailable:</match>
148 <description>Apache without resources to run.</description>
149 <group>service_availability,</group>
152 <rule id="30200" level="6" noalert="1">
153 <match>^mod_security-message: </match>
154 <description>Modsecurity alert.</description>
157 <rule id="30201" level="6">
158 <if_sid>30200</if_sid>
159 <match>^mod_security-message: Access denied </match>
160 <description>Modsecurity access denied.</description>
161 <group>access_denied,</group>
164 <rule id="30202" level="10" frequency="8" timeframe="120">
165 <if_matched_sid>30201</if_matched_sid>
166 <description>Multiple attempts blocked by Mod Security.</description>
167 <group>access_denied,</group>
170 <!-- Apache 2.4 Rules -->
171 <rule id="30301" level="0">
172 <if_sid>30100</if_sid>
173 <regex> [\S*:error] </regex>
174 <description>Apache error messages grouped.</description>
177 <rule id="30302" level="0">
178 <if_sid>30100</if_sid>
179 <regex> [\S+:warn] </regex>
180 <description>Apache warn messages grouped.</description>
183 <rule id="30303" level="0">
184 <if_sid>30100</if_sid>
185 <regex> [\S+:notice] </regex>
186 <description>Apache notice messages grouped.</description>
189 <rule id="30304" level="12">
190 <if_sid>30303</if_sid>
191 <match>exit signal Segmentation Fault</match>
192 <description>Apache segmentation fault.</description>
193 <info type="link">http://www.securityfocus.com/infocus/1633</info>
194 <group>service_availability,</group>
197 <rule id="30305" level="5">
198 <if_sid>30301</if_sid>
200 <description>Attempt to access forbidden file or directory.</description>
201 <group>access_denied,</group>
204 <rule id="30306" level="5">
205 <if_sid>30301</if_sid>
207 <description>Attempt to access forbidden directory index.</description>
208 <group>access_denied,</group>
211 <rule id="30307" level="6">
212 <if_sid>30301</if_sid>
214 <description>Client sent malformed Host header. Possible Code Red attack.</description>
215 <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
216 <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
217 <group>automatic_attack,</group>
220 <rule id="30308" level="5">
221 <if_sid>30301</if_sid>
222 <id>AH01617|AH01807|AH01694|AH01695|AH02009|AH02010</id>
223 <description>User authentication failed.</description>
224 <group>authentication_failed,</group>
227 <rule id="30309" level="5">
228 <if_sid>30301</if_sid>
229 <id>AH01618|AH01808|AH01790</id>
230 <description>Attempt to login using a non-existent user.</description>
231 <group>invalid_login,</group>
234 <rule id="30310" level="10" frequency="10" timeframe="160">
235 <if_matched_sid>30309</if_matched_sid>
237 <description>Multiple authentication failures with invalid user.</description>
238 <group>authentication_failures,</group>
241 <rule id="30312" level="0">
242 <if_sid>30301</if_sid>
243 <match>File does not exist: |</match>
244 <match>failed to open stream: No such file or directory|</match>
245 <match>Failed opening </match>
246 <description>Attempt to access a non-existent file (these are reported in the access.log).</description>
247 <group>unknown_resource,</group>
250 <rule id="30315" level="5">
251 <if_sid>30301</if_sid>
253 <description>Invalid URI (bad client request).</description>
254 <group>invalid_request,</group>
257 <rule id="30316" level="10" frequency="8" timeframe="120">
258 <if_matched_sid>30315</if_matched_sid>
260 <description>Multiple Invalid URI requests from </description>
261 <description>same source.</description>
262 <group>invalid_request,</group>
265 <rule id="30317" level="10">
266 <if_sid>30301</if_sid>
268 <description>Invalid URI, file name too long.</description>
269 <group>invalid_request,</group>
272 <rule id="30318" level="5">
273 <if_sid>30301</if_sid>
274 <match>PHP Notice:</match>
275 <description>PHP Notice in Apache log</description>
278 <rule id="30319" level="10">
279 <if_sid>30301</if_sid>
281 <match>File name too long: </match>
282 <description>File name too long.</description>
285 <rule id="30320" level="2">
286 <if_sid>30301</if_sid>
287 <match>Permission denied: | client denied by server configuration: </match>
288 <description>Permission denied.</description>
291 <rule id="30321" level="2">
292 <if_sid>30301</if_sid>
294 <match>script not found </match>
295 <description>A script cannot be accessed.</description>
298 <!-- Apache 2.4 ModSecurity Rules -->
299 <rule id="30401" level="0">
300 <if_sid>30301</if_sid>
301 <match>ModSecurity: Warning</match>
302 <description>ModSecurity Warning messages grouped</description>
305 <rule id="30402" level="0">
306 <if_sid>30301</if_sid>
307 <match>ModSecurity: Access denied</match>
308 <description>ModSecurity Access denied messages grouped</description>
311 <rule id="30403" level="0">
312 <if_sid>30301</if_sid>
313 <match>ModSecurity: Audit log:</match>
314 <description>ModSecurity Audit log messages grouped</description>
317 <rule id="30411" level="7">
318 <if_sid>30402</if_sid>
319 <match>with code 403</match>
320 <description>ModSecurity rejected a query</description>
322 </group> <!-- ERROR_LOG,APACHE -->