X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fweb_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fweb_rules.xml;h=0000000000000000000000000000000000000000;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hp=6d40e604dffd3c2f63aff13db73fee51b1f7b5b2;hpb=3f728675941dc69d4e544d3a880a56240a6e394a;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/web_rules.xml b/debian/ossec-hids/var/ossec/rules/web_rules.xml
deleted file mode 100644
index 6d40e60..0000000
--- a/debian/ossec-hids/var/ossec/rules/web_rules.xml
+++ /dev/null
@@ -1,225 +0,0 @@
-<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2013/02/28 dcid Exp $
-
-  -
-  -  Official Web access rules for OSSEC.
-  -
-  -  Copyright (C) 2009 Trend Micro Inc.
-  -  All rights reserved.
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 2) as published by the FSF - Free Software
-  -  Foundation.
-  -
-  -  License details: http://www.ossec.net/en/licensing.html
-  -->
-
-
-<group name="web,accesslog,">
-  <rule id="31100" level="0">
-    <category>web-log</category>
-    <description>Access log messages grouped.</description>
-  </rule>
-
-  <rule id="31108" level="0">
-    <if_sid>31100</if_sid>
-    <id>^2|^3</id>
-    <compiled_rule>is_simple_http_request</compiled_rule>
-    <description>Ignored URLs (simple queries).</description>
-   </rule>
-
-  <rule id="31101" level="5">
-    <if_sid>31100</if_sid>
-    <id>^4</id>
-    <description>Web server 400 error code.</description>
-  </rule>
-
-  <rule id="31102" level="0">
-    <if_sid>31101</if_sid>
-    <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
-    <compiled_rule>is_simple_http_request</compiled_rule>
-    <description>Ignored extensions on 400 error codes.</description>
-  </rule>
-
-  <rule id="31103" level="6">
-    <if_sid>31100,31108</if_sid>
-    <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
-    <url>union+|where+|null,null|xp_cmdshell</url>
-    <description>SQL injection attempt.</description>
-    <group>attack,sql_injection,</group>
-  </rule>
-
-  <rule id="31104" level="6">
-    <if_sid>31100</if_sid>
-
-    <!-- Attempt to do directory transversal, simple sql injections,
-      -  or access to the etc or bin directory (unix). -->
-    <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
-    <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|</url>
-    <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
-    <url>exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C</url>
-    <description>Common web attack.</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31105" level="6">
-    <if_sid>31100</if_sid>
-    <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
-    <url>%20ONLOAD=|INPUT%20|iframe%20</url>
-    <description>XSS (Cross Site Scripting) attempt.</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31106" level="6">
-    <if_sid>31103, 31104, 31105</if_sid>
-    <id>^200</id>
-    <description>A web attack returned code 200 (success).</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31110" level="6">
-    <if_sid>31100</if_sid>
-    <url>?-d|?-s|?-a|?-b|?-w</url>
-    <description>PHP CGI-bin vulnerability attempt.</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31109" level="6">
-    <if_sid>31100</if_sid>
-    <url>+as+varchar</url>
-    <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
-    <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
-    <group>attack,</group>
-  </rule>
-
-
-  <!-- If your site have a search engine, you may need to ignore
-    - it in here.
-    -->
-  <rule id="31107" level="0">
-    <if_sid>31103, 31104, 31105</if_sid>
-    <url>^/search.php?search=|^/index.php?searchword=</url>
-    <description>Ignored URLs for the web attacks</description>
-  </rule>
-
-  <rule id="31115" level="13" maxsize="7900">
-    <if_sid>31100</if_sid>
-    <description>URL too long. Higher than allowed on most </description>
-    <description>browsers. Possible attack.</description>
-    <group>invalid_access,</group>
-  </rule>
-
-
-  <!-- 500 error codes, server error
-    - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
-    -->
-  <rule id="31120" level="5">
-    <if_sid>31100</if_sid>
-    <id>^50</id>
-    <description>Web server 500 error code (server error).</description>
-  </rule>
-
-  <rule id="31121" level="4">
-    <if_sid>31120</if_sid>
-    <id>^501</id>
-    <description>Web server 501 error code (Not Implemented).</description>
-  </rule>
-
-  <rule id="31122" level="5">
-    <if_sid>31120</if_sid>
-    <id>^500</id>
-    <options>alert_by_email</options>
-    <description>Web server 500 error code (Internal Error).</description>
-    <group>system_error,</group>
-  </rule>
-
-  <rule id="31123" level="4">
-    <if_sid>31120</if_sid>
-    <id>^503</id>
-    <options>alert_by_email</options>
-    <description>Web server 503 error code (Service unavailable).</description>
-  </rule>
-
-
-  <!-- Rules to ignore crawlers -->
-  <rule id="31140" level="0">
-    <if_sid>31101</if_sid>
-    <compiled_rule>is_valid_crawler</compiled_rule>
-    <description>Ignoring google/msn/yahoo bots.</description>
-  </rule>
-
-  <!-- Ignoring nginx 499's -->
-  <rule id="31141" level="0">
-    <if_sid>31101</if_sid>
-    <id>^499</id>
-    <description>Ignored 499's on nginx.</description>
-  </rule>
-
-
-  <rule id="31151" level="10" frequency="12" timeframe="90">
-    <if_matched_sid>31101</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple web server 400 error codes </description>
-    <description>from same source ip.</description>
-    <group>web_scan,recon,</group>
-  </rule>
-
-  <rule id="31152" level="10" frequency="6" timeframe="120">
-    <if_matched_sid>31103</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple SQL injection attempts from same </description>
-    <description>source ip.</description>
-    <group>attack,sql_injection,</group>
-  </rule>
-
-  <rule id="31153" level="10" frequency="8" timeframe="120">
-    <if_matched_sid>31104</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple common web attacks from same source ip.</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31154" level="10" frequency="8" timeframe="120">
-    <if_matched_sid>31105</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple XSS (Cross Site Scripting) attempts </description>
-    <description>from same source ip.</description>
-    <group>attack,</group>
-  </rule>
-
-  <rule id="31161" level="10" frequency="12" timeframe="120">
-    <if_matched_sid>31121</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple web server 501 error code (Not Implemented).</description>
-    <group>web_scan,recon,</group>
-  </rule>
-
-  <rule id="31162" level="10" frequency="12" timeframe="120">
-    <if_matched_sid>31122</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple web server 500 error code (Internal Error).</description>
-    <group>system_error,</group>
-  </rule>
-
-  <rule id="31163" level="10" frequency="12" timeframe="120">
-    <if_matched_sid>31123</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple web server 503 error code (Service unavailable).</description>
-    <group>web_scan,recon,</group>
-  </rule>
-
-  <rule id="31164" level="6">
-    <if_sid>31100</if_sid>
-    <url>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url>
-    <description>SQL injection attempt.</description>
-    <group>attack,sqlinjection,</group>
-  </rule>
-
-  <rule id="31165" level="6">
-    <if_sid>31100</if_sid>
-    <url>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url>
-    <description>SQL injection attempt.</description>
-    <group>attack,sqlinjection,</group>
-  </rule>
-
-</group> <!-- Web access log -->