-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2013/02/28 dcid Exp $
+
-
- Official Web access rules for OSSEC.
-
<rule id="31102" level="0">
<if_sid>31101</if_sid>
- <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url>
+ <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
<compiled_rule>is_simple_http_request</compiled_rule>
<description>Ignored extensions on 400 error codes.</description>
</rule>
<rule id="31103" level="6">
<if_sid>31100</if_sid>
- <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
+ <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
<url>union+|where+|null,null|xp_cmdshell</url>
<description>SQL injection attempt.</description>
<group>attack,sql_injection,</group>
<!-- Attempt to do directory transversal, simple sql injections,
- or access to the etc or bin directory (unix). -->
- <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
- <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
+ <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
+ <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|</url>
<url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
- <url>cat%20|exec%20|rm%20</url>
+ <url>exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C</url>
<description>Common web attack.</description>
<group>attack,</group>
</rule>
<group>attack,</group>
</rule>
+ <rule id="31110" level="6">
+ <if_sid>31100</if_sid>
+ <url>?-d|?-s|?-a|?-b|?-w</url>
+ <description>PHP CGI-bin vulnerability attempt.</description>
+ <group>attack,</group>
+ </rule>
+
+ <rule id="31109" level="6">
+ <if_sid>31100</if_sid>
+ <url>+as+varchar</url>
+ <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
+ <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
+ <group>attack,</group>
+ </rule>
+
+
<!-- If your site have a search engine, you may need to ignore
- it in here.
-->
<description>Ignored URLs for the web attacks</description>
</rule>
- <rule id="31115" level="13" maxsize="2900">
+ <rule id="31115" level="13" maxsize="7900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<group>invalid_access,</group>
</rule>
+
<!-- 500 error codes, server error
- http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
-->
<description>Ignoring google/msn/yahoo bots.</description>
</rule>
+ <!-- Ignoring nginx 499's -->
+ <rule id="31141" level="0">
+ <if_sid>31101</if_sid>
+ <id>^499</id>
+ <description>Ignored 499's on nginx.</description>
+ </rule>
+
- <rule id="31151" level="10" frequency="10" timeframe="120">
+ <rule id="31151" level="10" frequency="12" timeframe="90">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
- <description>Mutiple web server 400 error codes </description>
+ <description>Multiple web server 400 error codes </description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>
<group>attack,</group>
</rule>
- <rule id="31161" level="10" frequency="8" timeframe="120">
+ <rule id="31161" level="10" frequency="12" timeframe="120">
<if_matched_sid>31121</if_matched_sid>
<same_source_ip />
<description>Multiple web server 501 error code (Not Implemented).</description>
<group>web_scan,recon,</group>
</rule>
- <rule id="31162" level="10" frequency="5" timeframe="120">
+ <rule id="31162" level="10" frequency="12" timeframe="120">
<if_matched_sid>31122</if_matched_sid>
<same_source_ip />
<description>Multiple web server 500 error code (Internal Error).</description>
<group>system_error,</group>
</rule>
- <rule id="31163" level="10" frequency="8" timeframe="120">
+ <rule id="31163" level="10" frequency="12" timeframe="120">
<if_matched_sid>31123</if_matched_sid>
<same_source_ip />
<description>Multiple web server 503 error code (Service unavailable).</description>
<group>web_scan,recon,</group>
</rule>
+
+ <rule id="31164" level="6">
+ <if_sid>31100</if_sid>
+ <url>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url>
+ <description>SQL injection attempt.</description>
+ <group>attack,sqlinjection,</group>
+ </rule>
+
+ <rule id="31165" level="6">
+ <if_sid>31100</if_sid>
+ <url>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url>
+ <description>SQL injection attempt.</description>
+ <group>attack,sqlinjection,</group>
+ </rule>
+
</group> <!-- Web access log -->