-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2012/05/08 dcid Exp $
+
-
- Official Web access rules for OSSEC.
-
<group>attack,</group>
</rule>
+ <rule id="31110" level="6">
+ <if_sid>31100</if_sid>
+ <url>?-d|?-s|?-a|?-b|?-w</url>
+ <description>PHP CGI-bin vulnerability attempt.</description>
+ <group>attack,</group>
+ </rule>
+
+ <rule id="31109" level="6">
+ <if_sid>31100</if_sid>
+ <url>+as+varchar(8000)</url>
+ <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
+ <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
+ <group>attack,</group>
+ </rule>
+
+
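Review bot: Rule 31110's `<url>?-d|?-s|?-a|?-b|?-w</url>` is, as far as I recall of OSSEC's `<url>` matching, a literal substring alternation, so it raises a level-6 "attack" on any request whose URL contains one of those five sequences (a benign `?-s=...` style query parameter would trip it) while only the plain spellings listed are covered, not other encodings of the same request; a comment recording that scope, e.g. `<!-- literal match on the five plain "?-x" spellings; other encodings of the request are not covered -->`, would stop the next maintainer from assuming broader coverage. For rule 31109 the parenthetical "(/ur.php, urchin.js)" in the description names paths the rule itself never checks, so either drop them from the description or add a comment saying they are where the pattern was observed, and the six-fold `%2Bchar\(\d+\)` repetition in `<regex>` deserves a one-line comment on why that exact count was chosen, since any tuning later will hinge on it. Style nit: 31110 is placed before 31109 while the rest of the file lists ids in ascending order; swapping the two blocks keeps the file greppable by id. The root element that wraps these rules starts and ends outside this hunk.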
<!-- If your site have a search engine, you may need to ignore
- it in here.
-->
<description>Ignored URLs for the web attacks</description>
</rule>
- <rule id="31115" level="13" maxsize="2900">
+ <rule id="31115" level="13" maxsize="5900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<rule id="31151" level="10" frequency="10" timeframe="120">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
- <description>Mutiple web server 400 error codes </description>
+ <description>Multiple web server 400 error codes </description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>