X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fweb_rules.xml;h=bba91f4a11912e156aaff879b479a2cbaaa31d8b;hb=refs%2Ftags%2Fdebian%2F2.8.3-1;hp=ff185a2d50f3f81c4e54900aa4c9a627b5e818e6;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/web_rules.xml b/etc/rules/web_rules.xml
index ff185a2..bba91f4 100755
--- a/etc/rules/web_rules.xml
+++ b/etc/rules/web_rules.xml
@@ -1,4 +1,5 @@
-
-
+ .jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$
+ is_simple_http_request
Ignored extensions on 400 error codes.
31100
- ='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|
+ =select%20|select+|insert%20|%20from%20|%20where%20|union%20|
union+|where+|null,null|xp_cmdshell
SQL injection attempt.
attack,sql_injection,
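Review bot: dropping `'|` from the start of the SQL injection pattern turns the leading alternative from `='` into the single literal `=select%20`, so a request carrying an unencoded apostrophe right after `=` no longer fires this rule; if that is deliberate (false positives on ordinary query strings), say so in the commit message and note that the encoded form is still caught by the `=%27|select%2B|...` rule added later in this patch. The new ignore list `.jpg$|.gif$|favicon.ico$|...` leaves its dots unescaped, so each `.` matches any character; `\.jpg$` and so on is tighter, though the exposure is small because the ignore only applies on top of 400 responses.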
@@ -52,45 +54,62 @@
- %027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..
- cmd.exe|root.exe|_mem_bin|msadc|/winnt/|
- /x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|
- cat%|exec%|rm%20
+ %027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|
+ cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|
+ /x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|
+ exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C
Common web attack.
attack,
31100
- %3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|
+ %3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|
%20ONLOAD=|INPUT%20|iframe%20
XSS (Cross Site Scripting) attempt.
attack,
-
+
31103, 31104, 31105
^200
A web attack returned code 200 (success).
attack,
+
+ 31100
+ ?-d|?-s|?-a|?-b|?-w
+ PHP CGI-bin vulnerability attempt.
+ attack,
+
+
+
+ 31100
+ +as+varchar
+ %2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)
+ MSSQL Injection attempt (/ur.php, urchin.js)
+ attack,
+
+
+
31103, 31104, 31105
- ^/search.php?search=|^index.php?searchword=
+ ^/search.php?search=|^/index.php?searchword=
Ignored URLs for the web attacks
-
+
31100
URL too long. Higher than allowed on most
browsers. Possible attack.
invalid_access,
+
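Review bot: the ignore-URL change from `^index.php?searchword=` to `^/index.php?searchword=` is a behavioural fix, not cosmetics: the old anchor could not match a request path that begins with `/`, which is what the neighbouring `^/search.php?search=` entry assumes, so it belongs in the commit message, as do the removed `cat%`, `rm%20` and trailing `..` alternatives and the narrowing of `cd%` / `exec%` to `cd%20` / `exec%20` in the common web attack pattern. Please also confirm that the rule engine interprets `\x5C\x5C` as a hex escape for two backslashes; if it does not, that alternative matches the literal text `x5Cx5C` and should be written with percent-encoding like the other entries in the same pattern.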
@@ -120,11 +139,27 @@
alert_by_email
Web server 503 error code (Service unavailable).
+
+
+
+
+ 31101
+ is_valid_crawler
+ Ignoring google/msn/yahoo bots.
+
+
+
+
+ 31101
+ ^499
+ Ignored 499's on nginx.
+
+
-
+
31101
- Mutiple web server 400 error codes
+ Multiple web server 400 error codes
from same source ip.
web_scan,recon,
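Review bot: the `is_valid_crawler` ignore hangs off 31101, so any event that passes that check suppresses every 4xx-based scan and recon rule beneath it; if the check only string-matches the User-Agent, which is client-supplied, please document that limitation beside the rule or attach the ignore to the specific child rules it is meant to quiet rather than to the parent. The `^499` nginx ignore is reasonable, but a short note that 499 is nginx's "client closed the connection" status, not a server-generated error, would explain to the next reader why it is excluded from the 400-series counting.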
@@ -152,24 +187,39 @@
attack,
-
+
31121
Multiple web server 501 error code (Not Implemented).
web_scan,recon,
-
+
31122
Multiple web server 500 error code (Internal Error).
system_error,
-
+
31123
Multiple web server 503 error code (Service unavailable).
web_scan,recon,
+
+
+ 31100
+ =%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B
+ SQL injection attempt.
+ attack,sqlinjection,
+
+
+
+ 31100
+ %EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045
+ SQL injection attempt.
+ attack,sqlinjection,
+
+
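Review bot: both new rules tag `attack,sqlinjection,` while the existing SQL injection rule earlier in this patch uses `attack,sql_injection,`; pick one group name, since anything keyed on the group (alert filtering, active response) will otherwise only see half of these rules. Also, `%EF%BC%87` appears three times in the last pattern, so two of the alternatives are redundant; drop the duplicates or replace them with whatever variants were intended.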