<rule id="31504" level="6">
<if_sid>31100</if_sid>
<url>login.php</url>
- <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+ <regex>/admin/\w+.php/login.php</regex>
<description>osCommerce file manager login.php bypass attempt.</description>
</rule>
<!-- BAD/Annoying user agents -->
<rule id="31508" level="6">
<if_sid>31100</if_sid>
- <match> "ZmEu"| "libwww-perl/</match>
+ <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v</match>
<description>Blacklisted user agent (known malicious user agent).</description>
</rule>
<!-- WordPress wp-login.php brute force -->
<rule id="31509" level="3">
<if_sid>31108</if_sid>
- <url>wp-login.php</url>
- <regex>] "POST \S+wp-login.php</regex>
- <description>WordPress login attempt.</description>
+ <url>wp-login.php|/administrator</url>
+ <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
+ <description>CMS (WordPress or Joomla) login attempt.</description>
</rule>
<!-- If we see frequent wp-login POST's, it is likely a bot. -->
- <rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
+ <rule id="31510" level="8" frequency="6" timeframe="30">
<if_matched_sid>31509</if_matched_sid>
<same_source_ip />
- <description>WordPress wp-login.php brute force attempt.</description>
+ <description>CMS (WordPress or Joomla) brute force attempt.</description>
</rule>
<!-- Nothing wrong with wget per se, but it misses a lot of links
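Review bot: The new user-agent list in rule 31508 contains `"ZmEu"` twice — the closed `"ZmEu"` entry is fully covered by the later open-ended `"ZmEu` alternative — so one of them is dead weight and can go: `<match> "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v</match>`. Since `<match>` is a plain substring/OR match rather than a regex, each remaining alternative fires on any log line containing that literal text, which looks intended here. Separately, rule 31510 drops its `ignore="30"` while moving to level 8 with frequency 6 in 30 s; if the goal is still one alert per burst rather than a fresh level-8 alert for every further request after the threshold, consider keeping an `ignore` window on the new line. The enclosing `<group>` starts before this hunk.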
<if_sid>31100</if_sid>
<url>uploadify.php</url>
<regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
- <description>TimThumb vulnerability exploit attempt.</description>
+ <description>Uploadify vulnerability exploit attempt.</description>
</rule>
<!-- BBS delete.php skin_path.
<description>BBS delete.php exploit attempt.</description>
</rule>
- <!-- Anomaly rules - Used on common web attacks -->
- <rule id="31550" level="6">
+ <!-- Simple shell.php command execution
+ -->
+ <rule id="31514" level="6">
<if_sid>31100</if_sid>
- <url>%00</url>
- <regex> "GET /\S+.php?\S+%00</regex>
- <description>Anomaly URL query (attempting to pass null termination).</description>
+ <url>shell.php</url>
+ <regex> "GET \S+/shell.php?cmd=</regex>
+ <description>Simple shell.php command execution.</description>
</rule>
+ <!-- PHPMyAdmin scans
+ -->
+ <rule id="31515" level="6">
+ <if_sid>31100</if_sid>
+ <url>phpMyAdmin/scripts/setup.php</url>
+ <description>PHPMyAdmin scans (looking for setup.php).</description>
+ </rule>
+ <!-- Suspicious URL's access
+ -->
+ <rule id="31516" level="6">
+ <if_sid>31100</if_sid>
+ <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history</url>
+ <description>Suspicious URL access.</description>
+ </rule>
+ <!-- Checking POST requests - Too many in a small type = likely a bot -->
+ <rule id="31530" level="3">
+ <if_sid>31100</if_sid>
+ <match>] "POST </match>
+ <options>no_log</options>
+ <description>POST request received.</description>
+ </rule>
+ <rule id="31531" level="0">
+ <if_sid>31530</if_sid>
+ <url>/wp-admin/|/administrator/|/admin/</url>
+ <description>Ignoring often post requests inside /wp-admin and /admin.</description>
+ </rule>
+ <rule id="31533" level="10" timeframe="20" frequency="6">
+ <if_matched_sid>31530</if_matched_sid>
+ <same_source_ip />
+ <description>High amount of POST requests in a small period of time (likely bot).</description>
+ </rule>
+ <!-- Anomaly rules - Used on common web attacks -->
+ <rule id="31550" level="6">
+ <if_sid>31100</if_sid>
+ <url>%00</url>
+ <regex> "GET /\S+.php?\S+%00</regex>
+ <description>Anomaly URL query (attempting to pass null termination).</description>
+ </rule>
</group>
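Review bot: Rule 31531 demotes to level 0 every POST whose URL merely contains `/wp-admin/`, `/administrator/` or `/admin/` anywhere in the path, and — if I recall OSSEC's behaviour correctly — level-0 matches are not retained for `if_matched_sid`, so those requests vanish from the 31533 flood count rather than just being silenced. If the intent is only to tolerate legitimate admin-panel traffic, anchoring the patterns to the start of the URL narrows the exclusion: `<url>^/wp-admin/|^/administrator/|^/admin/</url>`. It would also help a later reader to state on 31530 why it carries level 3 with `no_log` instead of level 0, e.g. `<!-- level 3 + no_log: kept out of alerts but still visible to if_matched_sid in 31533 -->`. The two-line comments on 31514/31515/31516 (`<!-- text` / `-->`) read oddly next to the single-line comments elsewhere in the group; collapsing them to one line would match the file's style.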