-<!-- @(#) $Id: web_rules.xml,v 1.25 2009/09/25 14:35:20 dcid Exp $
+<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2012/05/08 dcid Exp $
+
-
- Official Web access rules for OSSEC.
-
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<description>Access log messages grouped.</description>
</rule>
+ <rule id="31108" level="0">
+ <if_sid>31100</if_sid>
+ <id>^2|^3</id>
+ <compiled_rule>is_simple_http_request</compiled_rule>
+ <description>Ignored URLs (simple queries).</description>
+ </rule>
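Review bot: New rule 31108 carries no comment saying what `<id>^2|^3</id>` selects (HTTP 2xx/3xx status codes, going by the `^4` used in 31101 just below) or what `is_simple_http_request` accepts, yet it is a level-0 suppression applied to every successful or redirected request that satisfies the compiled check. Operators tuning this ruleset need that stated in the file rather than in the compiled-rule source. Suggest a one-line comment above the rule: `<!-- 31108: drop 2xx/3xx responses that is_simple_http_request accepts (compiled rule) -->`.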
+
<rule id="31101" level="5">
<if_sid>31100</if_sid>
<id>^4</id>
<rule id="31102" level="0">
<if_sid>31101</if_sid>
- <id>^403|^404</id>
- <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$</url>
-
- <!-- Add any other url to be ignored in here
- (to avoid too many false positives from your site)
- <url>|.html$|.jpe$</url>
- -->
-
+ <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url>
+ <compiled_rule>is_simple_http_request</compiled_rule>
<description>Ignored extensions on 400 error codes.</description>
</rule>
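Review bot: Removing `<id>^403|^404</id>` widens this level-0 ignore from 403/404 to every 4xx that parent rule 31101 (`<id>^4</id>`) matches, so a `.js$` or `.css$` request that draws a 400 or 401 is now silenced as well; if the intent was only to add `.js$`, keep the status filter, `<id>^403|^404</id>`. The deleted comment explaining how to extend the ignore list was useful to operators and could be restored. As I read OSSEC rule semantics the `<url>` and `<compiled_rule>` fields are ANDed, so the rule is now narrower on request shape and wider on status code at the same time; a comment stating the intended scope would make that deliberate.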
<!-- Attempt to do directory transversal, simple sql injections,
- or access to the etc or bin directory (unix). -->
- <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
+ <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
<url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
- <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
- <url>cat%|exec%|rm%20</url>
+ <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
+ <url>cat%20|exec%20|rm%20</url>
<description>Common web attack.</description>
<group>attack,</group>
</rule>
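Review bot: The `|` appended at the end of the first `<url>` line makes `..` a standalone alternative (if OSSEC concatenates repeated `<url>` elements into one pattern, as I believe it does, the old text was fused into `..cmd.exe`), and a bare `..` now fires on any path or query string containing two consecutive dots, which is a sizeable false-positive surface for an attack rule; consider dropping the bare `..` and relying on `%2E%2E`, `../..` and `..\..`, which are already listed. The `cd%`, `cat%`, `exec%` to `%20` narrowing trades coverage for precision and deserves a comment recording the reason, e.g. `<!-- space-suffixed forms only: bare cd%/cat%/exec% matched too many legitimate URLs -->` if that was the motivation. The enclosing rule's id and level are outside this hunk.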
<rule id="31105" level="6">
<if_sid>31100</if_sid>
- <url>%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
+ <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
<url>%20ONLOAD=|INPUT%20|iframe%20</url>
<description>XSS (Cross Site Scripting) attempt.</description>
<group>attack,</group>
</rule>
- <rule id="31106" level="12">
+ <rule id="31106" level="6">
<if_sid>31103, 31104, 31105</if_sid>
<id>^200</id>
<description>A web attack returned code 200 (success).</description>
<group>attack,</group>
</rule>
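Review bot: Dropping 31106 from level 12 to 6 puts "a web attack returned code 200" below OSSEC's default `email_alert_level` of 7 (if that default is in use), so a successful attack no longer produces an email while the failed attempts it derives from still alert at 6; if the reduction is meant to cut noise, the commit should say so, and `<options>alert_by_email</options>` (already used by 31115 below) would keep the notification. Separately, `<if_sid>31103, 31104, 31105</if_sid>` is not extended to the attack rules 31109 and 31110 added later in this diff, so a 200 response to either of those attempts never escalates here; `<if_sid>31103, 31104, 31105, 31109, 31110</if_sid>` would close that gap.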
+ <rule id="31110" level="6">
+ <if_sid>31100</if_sid>
+ <url>?-d|?-s|?-a|?-b|?-w</url>
+ <description>PHP CGI-bin vulnerability attempt.</description>
+ <group>attack,</group>
+ </rule>
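Review bot: Rule 31110 is inserted ahead of 31109, breaking the ascending id order the rest of the file keeps; swapping the two blocks keeps lookups by id simple. The alternatives `?-d|?-s|?-a|?-b|?-w` are, as far as I know, literal substring matches in `<url>`, so any query string whose first parameter name begins with `-d`, `-s`, `-a`, `-b` or `-w` also trips this level-6 attack rule, and `<url>` offers no way to anchor more tightly. A comment such as `<!-- 31110: PHP CGI-bin option injection via the query string; site-specific exceptions go in a level-0 child like 31107 -->` would help operators triage the hits.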
+
+ <rule id="31109" level="6">
+ <if_sid>31100</if_sid>
+ <url>+as+varchar(8000)</url>
+ <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
+ <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
+ <group>attack,</group>
+ </rule>
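Review bot: Rule 31109 requires both the `<url>` substring `+as+varchar(8000)` and the six-repetition `<regex>` (OSSEC ANDs the fields of a single rule, as I read it), which pins it to the one campaign named in the description rather than MSSQL injection in general; either rename the description to match that scope or drop one condition so "MSSQL Injection attempt" is accurate. The long `<regex>` literal also needs a comment explaining its shape, e.g. `<!-- six consecutive %2Bchar(n) calls, the signature of the /ur.php and urchin.js injections -->`. The description is the only one in the file without a terminating period.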
+
+
<!-- If your site have a search engine, you may need to ignore
- it in here.
-->
<rule id="31107" level="0">
<if_sid>31103, 31104, 31105</if_sid>
- <url>^/search.php?search=|^index.php?searchword=</url>
+ <url>^/search.php?search=|^/index.php?searchword=</url>
<description>Ignored URLs for the web attacks</description>
</rule>
- <rule id="31115" level="13" maxsize="2900">
+ <rule id="31115" level="13" maxsize="5900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<options>alert_by_email</options>
<description>Web server 503 error code (Service unavailable).</description>
</rule>
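Review bot: Raising `maxsize` from 2900 to 5900 adjusts a threshold that, as far as I recall, is measured on the whole log line (referrer and User-Agent included) rather than on the URL alone, so the description "URL too long" was already loose and is now tied to a number with no stated basis. A comment recording the rationale, along the lines of `<!-- maxsize is the full log entry, not just the URL; 5900 chosen to stop false positives from long referrers/user-agents -->` if that is the reason, would let the next maintainer tune it with confidence. The last three lines shown belong to a different rule whose start is outside this hunk.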
+
+
+ <!-- Rules to ignore crawlers -->
+ <rule id="31140" level="0">
+ <if_sid>31101</if_sid>
+ <compiled_rule>is_valid_crawler</compiled_rule>
+ <description>Ignoring google/msn/yahoo bots.</description>
+ </rule>
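Review bot: `is_valid_crawler` at level 0 under 31101 silences every 4xx from whatever that compiled rule accepts, and because 31151 counts `if_matched_sid` 31101 events, those requests presumably also drop out of the scan correlation below; the file should state what the check verifies (whether it looks only at the User-Agent string or validates the client further), since an ignore rule keyed on a self-declared header is only as trustworthy as that header. Suggested comment: `<!-- 31140: ignore 4xx from crawlers accepted by is_valid_crawler; document what it validates beyond the User-Agent -->`. The description "google/msn/yahoo bots" should also match the set the compiled rule actually accepts.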
+
<rule id="31151" level="10" frequency="10" timeframe="120">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
- <description>Mutiple web server 400 error codes </description>
+ <description>Multiple web server 400 error codes </description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>