X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fweb_rules.xml;h=bba91f4a11912e156aaff879b479a2cbaaa31d8b;hb=refs%2Ftags%2Fdebian%2F2.8.3-1;hp=9f0b00e06d9c835d2144542150779e152ecb70f5;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/etc/rules/web_rules.xml b/etc/rules/web_rules.xml
index 9f0b00e..bba91f4 100755
--- a/etc/rules/web_rules.xml
+++ b/etc/rules/web_rules.xml
@@ -1,4 +1,5 @@
-
- %027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|
- cmd.exe|root.exe|_mem_bin|msadc|/winnt/|
+ %027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|
+ cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|
/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|
- cat%20|exec%20|rm%20
+ exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C
Common web attack.
attack,
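Review bot: the new alternative `2e%2e%5c%2e` on the last regex line looks like it has lost its leading `%` (compare the neighbouring `%2E%2E` and `%5C../%5C` entries); since the match is a substring match it will still hit `%2e%2e%5c%2e`, but it will also hit anything containing `2e%2e%5c%2e`, so spelling it `%2e%2e%5c%2e` is clearer and tighter. Two further points: dropping `cat%20`, `rm%20` and the bare `..` alternative narrows what the "Common web attack." regex covers, which is reasonable for false-positive reduction but should be called out in the changelog; and `\x5C\x5C` should be checked against the OSSEC regex engine, whose escapes are of the `\.`, `\w`, `\d` kind, so if `\x` is not an accepted hex escape the alternative will be matched as a literal `\x5C\x5C` rather than as two backslashes.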
@@ -76,6 +77,22 @@
attack,
+
+ 31100
+ ?-d|?-s|?-a|?-b|?-w
+ PHP CGI-bin vulnerability attempt.
+ attack,
+
+
+
+ 31100
+ +as+varchar
+ %2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)
+ MSSQL Injection attempt (/ur.php, urchin.js)
+ attack,
+
+
+
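Review bot: the second new rule (description "MSSQL Injection attempt (/ur.php, urchin.js)") is grouped only as `attack,`, while the two SQL injection rules added further down in this same change carry `attack,sqlinjection,`; add `sqlinjection` here as well so every injection alert can be selected by one group. In the PHP CGI rule, each alternative in `?-d|?-s|?-a|?-b|?-w` starts with `?`, which is a metacharacter in most regex dialects; confirm that the regex engine used for this rule treats it as a literal query-string delimiter, or escape it, otherwise the pattern degrades to matching `-d`, `-s` and so on anywhere in the URL.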
@@ -85,13 +102,14 @@
Ignored URLs for the web attacks
-
+
31100
URL too long. Higher than allowed on most
browsers. Possible attack.
invalid_access,
+
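Review bot: the only visible changes in this hunk are blank or whitespace lines around the "URL too long" rule (one removed directly after "Ignored URLs for the web attacks", one added after the `invalid_access,` group line); if this is reindentation or attribute reformatting only, consider keeping such whitespace-only edits in a separate commit from the functional rule additions so the behavioural change to web_rules.xml is easier to audit.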
@@ -130,11 +148,18 @@
Ignoring google/msn/yahoo bots.
+
+
+ 31101
+ ^499
+ Ignored 499's on nginx.
+
+
-
+
31101
- Mutiple web server 400 error codes
+ Multiple web server 400 error codes
from same source ip.
web_scan,recon,
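Review bot: the new ignore rule chained to 31101 (regex `^499`, description "Ignored 499's on nginx.") should explain what 499 is, since it is not a standard HTTP status: nginx logs 499 when the client closed the connection before the response was sent, which is why excluding it from the 400-class frequency rule ("Multiple web server 400 error codes from same source ip.") avoids treating impatient clients as scanners. A description along the lines of "Ignored 499s (client closed request) on nginx." would carry that context and also fixes the stray apostrophe. The Mutiple -> Multiple typo fix in the same hunk is good.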
@@ -162,24 +187,39 @@
attack,
-
+
31121
Multiple web server 501 error code (Not Implemented).
web_scan,recon,
-
+
31122
Multiple web server 500 error code (Internal Error).
system_error,
-
+
31123
Multiple web server 503 error code (Service unavailable).
web_scan,recon,
+
+
+ 31100
+ =%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B
+ SQL injection attempt.
+ attack,sqlinjection,
+
+
+
+ 31100
+ %EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045
+ SQL injection attempt.
+ attack,sqlinjection,
+
+
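Review bot: the second new SQL injection regex lists `%EF%BC%87` three times (`%EF%BC%87|%EF%BC%87|%EF%BC%87|...`); the duplicates add nothing and should be collapsed to a single alternative. Both new rules also share the identical description "SQL injection attempt.", so alerts from the plain URL-encoded rule (`=%27|select%2B|...`) and the fullwidth-apostrophe / `%u`-encoded rule (`%EF%BC%87` is UTF-8 for U+FF07, `%u0053%u0045` is IIS-style `%u` encoding of "SE") will be indistinguishable in the log; give the second one a description that names the alternate encoding. Finally, the `=%27` alternative will fire on any URL whose parameter value contains an encoded apostrophe (names like O'Brien), so expect false positives from it and consider requiring a SQL keyword alongside it.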