+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
-
- -
- - Web attacks/vulns specific rules for OSSEC.
- -
- - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Collection of rules for common web attacks that we are seeing in the wild.
- - The real goal is to stop bots and automated attacks from doing further damage
- - on sites that are not updated.
- -->
-<group name="web,appsec,attack">
-
-
-
- <!-- Checking POST / requests - WP comment spam coming from fake search engines.
- -->
- <rule id="31501" level="6">
- <if_sid>31100</if_sid>
- <match>POST /</match>
- <url>/wp-comments-post.php</url>
- <regex>Googlebot|MSNBot|BingBot</regex>
- <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
- </rule>
-
- <!-- Timthumb scans.
- -->
- <rule id="31502" level="6">
- <if_sid>31100</if_sid>
- <url>thumb.php|timthumb.php</url>
- <regex> "GET \S+thumb.php?src=\S+.php</regex>
- <description>TimThumb vulnerability exploit attempt.</description>
- </rule>
-
- <!-- osCommerce login.php bypass
- -->
- <rule id="31503" level="6">
- <if_sid>31100</if_sid>
- <url>login.php</url>
- <regex> "POST /\S+.php/login.php?cPath=</regex>
- <description>osCommerce login.php bypass attempt.</description>
- </rule>
-
- <!-- osCommerce file manager login.php bypass
- -->
- <rule id="31504" level="6">
- <if_sid>31100</if_sid>
- <url>login.php</url>
- <regex>/admin/\w+.php/login.php</regex>
- <description>osCommerce file manager login.php bypass attempt.</description>
- </rule>
-
- <!-- Timthumb backdoor access.
- -->
- <rule id="31505" level="6">
- <if_sid>31100</if_sid>
- <url>/cache/external</url>
- <regex> "GET /\S+/cache/external\S+.php</regex>
- <description>TimThumb backdoor access attempt.</description>
- </rule>
-
- <!-- Timthumb backdoor access.
- -->
- <rule id="31506" level="6">
- <if_sid>31100</if_sid>
- <url>cart.php</url>
- <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
- <description>Cart.php directory transversal attempt.</description>
- </rule>
-
- <!-- MSSQL IIS inject rules -->
- <rule id="31507" level="6">
- <if_sid>31100</if_sid>
- <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
- <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
- </rule>
-
- <!-- BAD/Annoying user agents -->
- <rule id="31508" level="6">
- <if_sid>31100</if_sid>
- <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
- <description>Blacklisted user agent (known malicious user agent).</description>
- </rule>
-
- <!-- WordPress wp-login.php brute force -->
- <rule id="31509" level="3">
- <if_sid>31108</if_sid>
- <url>wp-login.php|/administrator</url>
- <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
- <description>CMS (WordPress or Joomla) login attempt.</description>
- </rule>
-
- <!-- If we see frequent wp-login POST's, it is likely a bot. -->
- <rule id="31510" level="8" frequency="6" timeframe="30">
- <if_matched_sid>31509</if_matched_sid>
- <same_source_ip />
- <description>CMS (WordPress or Joomla) brute force attempt.</description>
- </rule>
-
- <!-- Nothing wrong with wget per se, but it misses a lot of links
- - that generates many 404s. Blocking it to avoid the noise.
- -->
- <rule id="31511" level="0">
- <if_sid>31100</if_sid>
- <match>" "Wget/</match>
- <description>Blacklisted user agent (wget).</description>
- </rule>
-
- <!-- Uploadify scans.
- -->
- <rule id="31512" level="6">
- <if_sid>31100</if_sid>
- <url>uploadify.php</url>
- <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
- <description>Uploadify vulnerability exploit attempt.</description>
- </rule>
-
- <!-- BBS delete.php skin_path.
- -->
- <rule id="31513" level="6">
- <if_sid>31100</if_sid>
- <url>delete.php</url>
- <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
- <description>BBS delete.php exploit attempt.</description>
- </rule>
-
- <!-- Simple shell.php command execution
- -->
- <rule id="31514" level="6">
- <if_sid>31100</if_sid>
- <url>shell.php</url>
- <regex> "GET \S+/shell.php?cmd=</regex>
- <description>Simple shell.php command execution.</description>
- </rule>
-
- <!-- PHPMyAdmin scans
- -->
- <rule id="31515" level="6">
- <if_sid>31100</if_sid>
- <url>phpMyAdmin/scripts/setup.php</url>
- <description>PHPMyAdmin scans (looking for setup.php).</description>
- </rule>
-
- <!-- Suspicious URL's access
- -->
- <rule id="31516" level="6">
- <if_sid>31100</if_sid>
- <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
- <description>Suspicious URL access.</description>
- </rule>
-
- <!-- Checking POST requests - Too many in a small type = likely a bot -->
- <rule id="31530" level="3">
- <if_sid>31100</if_sid>
- <match>] "POST </match>
- <options>no_log</options>
- <description>POST request received.</description>
- </rule>
-
- <rule id="31531" level="0">
- <if_sid>31530</if_sid>
- <url>/wp-admin/|/administrator/|/admin/</url>
- <description>Ignoring often post requests inside /wp-admin and /admin.</description>
- </rule>
-
- <rule id="31533" level="10" timeframe="20" frequency="6">
- <if_matched_sid>31530</if_matched_sid>
- <same_source_ip />
- <description>High amount of POST requests in a small period of time (likely bot).</description>
- </rule>
-
- <!-- Anomaly rules - Used on common web attacks -->
- <rule id="31550" level="6">
- <if_sid>31100</if_sid>
- <url>%00</url>
- <regex> "GET /\S+.php?\S+%00</regex>
- <description>Anomaly URL query (attempting to pass null termination).</description>
- </rule>
-
-
-</group>