X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fweb_appsec_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fweb_appsec_rules.xml;h=0000000000000000000000000000000000000000;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hp=6448db266620cba3c4204c49cc4be460bddab53e;hpb=3f728675941dc69d4e544d3a880a56240a6e394a;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml b/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml
deleted file mode 100644
index 6448db2..0000000
--- a/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
-
-  -
-  -  Web attacks/vulns specific rules for OSSEC.
-  -
-  -  Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
-  -  All rights reserved.
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 2) as published by the FSF - Free Software
-  -  Foundation.
-  -
-  -  License details: http://www.ossec.net/en/licensing.html
-  -->
-
-
-<!-- Collection of rules for common web attacks that we are seeing in the wild.
-  -  The real goal is to stop bots and automated attacks from doing further damage
-  -  on sites that are not updated.
-  -->
-<group name="web,appsec,attack">
-
-
-
-  <!-- Checking POST / requests - WP comment spam coming from fake search engines.
-    -->
-  <rule id="31501" level="6">
-    <if_sid>31100</if_sid>
-    <match>POST /</match>
-    <url>/wp-comments-post.php</url>
-    <regex>Googlebot|MSNBot|BingBot</regex>
-    <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
-   </rule>
-
-  <!-- Timthumb scans.
-    -->
-  <rule id="31502" level="6">
-    <if_sid>31100</if_sid>
-    <url>thumb.php|timthumb.php</url>
-    <regex> "GET \S+thumb.php?src=\S+.php</regex>
-    <description>TimThumb vulnerability exploit attempt.</description>
-   </rule>
-
-  <!-- osCommerce login.php bypass
-    -->
-  <rule id="31503" level="6">
-    <if_sid>31100</if_sid>
-    <url>login.php</url>
-    <regex> "POST /\S+.php/login.php?cPath=</regex>
-    <description>osCommerce login.php bypass attempt.</description>
-   </rule>
-
-  <!-- osCommerce file manager login.php bypass
-    -->
-  <rule id="31504" level="6">
-    <if_sid>31100</if_sid>
-    <url>login.php</url>
-    <regex>/admin/\w+.php/login.php</regex>
-    <description>osCommerce file manager login.php bypass attempt.</description>
-   </rule>
-
-  <!-- Timthumb backdoor access.
-    -->
-  <rule id="31505" level="6">
-    <if_sid>31100</if_sid>
-    <url>/cache/external</url>
-    <regex> "GET /\S+/cache/external\S+.php</regex>
-    <description>TimThumb backdoor access attempt.</description>
-   </rule>
-
-  <!-- Timthumb backdoor access.
-    -->
-  <rule id="31506" level="6">
-    <if_sid>31100</if_sid>
-    <url>cart.php</url>
-    <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
-    <description>Cart.php directory transversal attempt.</description>
-   </rule>
-
-  <!-- MSSQL IIS inject rules -->
-  <rule id="31507" level="6">
-    <if_sid>31100</if_sid>
-    <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
-    <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
-  </rule>
-
-  <!-- BAD/Annoying user agents -->
-  <rule id="31508" level="6">
-    <if_sid>31100</if_sid>
-    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
-    <description>Blacklisted user agent (known malicious user agent).</description>
-  </rule>
-
-  <!-- WordPress wp-login.php brute force -->
-  <rule id="31509" level="3">
-    <if_sid>31108</if_sid>
-    <url>wp-login.php|/administrator</url>
-    <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
-    <description>CMS (WordPress or Joomla) login attempt.</description>
-  </rule>
-
-  <!-- If we see frequent wp-login POST's, it is likely a bot. -->
-  <rule id="31510" level="8" frequency="6" timeframe="30">
-    <if_matched_sid>31509</if_matched_sid>
-    <same_source_ip />
-    <description>CMS (WordPress or Joomla) brute force attempt.</description>
-  </rule>
-
-  <!-- Nothing wrong with wget per se, but it misses a lot of links
-     - that generates many 404s. Blocking it to avoid the noise.
-    -->
-  <rule id="31511" level="0">
-    <if_sid>31100</if_sid>
-    <match>" "Wget/</match>
-    <description>Blacklisted user agent (wget).</description>
-  </rule>
-
-  <!-- Uploadify scans.
-    -->
-  <rule id="31512" level="6">
-    <if_sid>31100</if_sid>
-    <url>uploadify.php</url>
-    <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
-    <description>Uploadify vulnerability exploit attempt.</description>
-   </rule>
-
-  <!-- BBS delete.php skin_path.
-    -->
-  <rule id="31513" level="6">
-    <if_sid>31100</if_sid>
-    <url>delete.php</url>
-    <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
-    <description>BBS delete.php exploit attempt.</description>
-   </rule>
-
-  <!-- Simple shell.php command execution
-    -->
-  <rule id="31514" level="6">
-    <if_sid>31100</if_sid>
-    <url>shell.php</url>
-    <regex> "GET \S+/shell.php?cmd=</regex>
-    <description>Simple shell.php command execution.</description>
-   </rule>
-
-  <!-- PHPMyAdmin scans
-    -->
-  <rule id="31515" level="6">
-    <if_sid>31100</if_sid>
-    <url>phpMyAdmin/scripts/setup.php</url>
-    <description>PHPMyAdmin scans (looking for setup.php).</description>
-   </rule>
-
-  <!-- Suspicious URL's access
-    -->
-  <rule id="31516" level="6">
-    <if_sid>31100</if_sid>
-    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
-    <description>Suspicious URL access.</description>
-   </rule>
-
-  <!-- Checking POST requests - Too many in a small type = likely a bot -->
-  <rule id="31530" level="3">
-    <if_sid>31100</if_sid>
-    <match>] "POST </match>
-    <options>no_log</options>
-    <description>POST request received.</description>
-   </rule>
-
-   <rule id="31531" level="0">
-    <if_sid>31530</if_sid>
-    <url>/wp-admin/|/administrator/|/admin/</url>
-    <description>Ignoring often post requests inside /wp-admin and /admin.</description>
-   </rule>
-
-   <rule id="31533" level="10" timeframe="20" frequency="6">
-    <if_matched_sid>31530</if_matched_sid>
-    <same_source_ip />
-    <description>High amount of POST requests in a small period of time (likely bot).</description>
-   </rule>
-
-  <!-- Anomaly rules - Used on common web attacks -->
-  <rule id="31550" level="6">
-    <if_sid>31100</if_sid>
-    <url>%00</url>
-    <regex> "GET /\S+.php?\S+%00</regex>
-    <description>Anomaly URL query (attempting to pass null termination).</description>
-   </rule>
-
-
-</group>