X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fweb_appsec_rules.xml;h=3f405c0136f05683053ffa9adddc555573bf183c;hb=refs%2Ftags%2Fdebian%2F2.8.3-1;hp=e3d9aaa6c7fafe109be59ef87db815121c020acb;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git
diff --git a/etc/rules/web_appsec_rules.xml b/etc/rules/web_appsec_rules.xml
index e3d9aaa..3f405c0 100755
--- a/etc/rules/web_appsec_rules.xml
+++ b/etc/rules/web_appsec_rules.xml
@@ -56,7 +56,7 @@
31100
login.php
- "GET /\S+/admin/file_manager.php/login.php
+ /admin/\w+.php/login.php
osCommerce file manager login.php bypass attempt.
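Review bot: The new pattern `/admin/\w+.php/login.php` replaces the literal `file_manager.php` with `\w+`, so it now depends on OSSEC's `\w` class accepting the underscore in `file_manager`; if os_regex's `\w` is alphanumerics only, this commit would stop matching the exact case the rule was written for, so that should be confirmed against the regex implementation before the change ships. The description on the next line still names the osCommerce file manager even though the pattern now covers any admin script, so `osCommerce admin script login.php bypass attempt.` would describe the widened rule more accurately. The surrounding rule element and its group start and end outside this hunk.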
@@ -88,23 +88,23 @@
31100
- "ZmEu"| "libwww-perl/
+ "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v
Blacklisted user agent (known malicious user agent).
31108
- wp-login.php
- ] "POST \S+wp-login.php
- WordPress login attempt.
+ wp-login.php|/administrator
+ ] "POST \S+wp-login.php| "POST /administrator
+ CMS (WordPress or Joomla) login attempt.
-
+
31509
- WordPress wp-login.php brute force attempt.
+ CMS (WordPress or Joomla) brute force attempt.
-
+
+
31100
- %00
- "GET /\S+.php?\S+%00
- Anomaly URL query (attempting to pass null termination).
+ shell.php
+ "GET \S+/shell.php?cmd=
+ Simple shell.php command execution.
+
+
+ 31100
+ phpMyAdmin/scripts/setup.php
+ PHPMyAdmin scans (looking for setup.php).
+
+
+
+ 31100
+ .swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history
+ Suspicious URL access.
+
+
+
+ 31100
+ ] "POST
+ no_log
+ POST request received.
+
+
+ 31530
+ /wp-admin/|/administrator/|/admin/
+ Ignoring often post requests inside /wp-admin and /admin.
+
+
+ 31530
+
+ High amount of POST requests in a small period of time (likely bot).
+
+
+
+ 31100
+ %00
+ "GET /\S+.php?\S+%00
+ Anomaly URL query (attempting to pass null termination).
+
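Review bot: The user-agent blacklist at the third line of this hunk lists both `"ZmEu"` and `"ZmEu`; the second is a prefix of the first and already matches everything it does, so `"ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"Nikto|"w3af.sourceforge.net|MJ12bot/v` keeps one entry per agent, and it is worth noting that `MJ12bot/v` is the only alternative not anchored to the opening `"` of the agent field and therefore matches that token anywhere in the log line (presumably intentional, since that agent string does not begin with the token). The new patterns `"GET \S+/shell.php?cmd=` and `.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history` are written in OSSEC's own regex dialect, where, as far as I recall, `.` and `?` are literal and `\.` is the wildcard — the opposite of PCRE — so a maintainer is likely to "fix" them into `\.php\?`; a comment near the top of the group such as `<!-- patterns use os_regex syntax, not PCRE: '.' and '?' are literal, '\.' matches any character -->` would prevent that regression. The 31530-based POST-burst rules are evidently frequency-based, but the frequency and timeframe attributes are not visible in this rendering, so the threshold cannot be reviewed here. The enclosing rule group continues beyond the hunk.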