X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fweb_appsec_rules.xml;h=6448db266620cba3c4204c49cc4be460bddab53e;hb=HEAD;hp=e3d9aaa6c7fafe109be59ef87db815121c020acb;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git

diff --git a/etc/rules/web_appsec_rules.xml b/etc/rules/web_appsec_rules.xml
old mode 100755
new mode 100644
index e3d9aaa..6448db2
--- a/etc/rules/web_appsec_rules.xml
+++ b/etc/rules/web_appsec_rules.xml
@@ -13,17 +13,17 @@
   -
   -  License details: http://www.ossec.net/en/licensing.html
   -->
-  
+
 
 <!-- Collection of rules for common web attacks that we are seeing in the wild.
   -  The real goal is to stop bots and automated attacks from doing further damage
-  -  on sites that are not updated. 
-  -->  
+  -  on sites that are not updated.
+  -->
 <group name="web,appsec,attack">
 
 
 
-  <!-- Checking POST / requests - WP comment spam coming from fake search engines. 
+  <!-- Checking POST / requests - WP comment spam coming from fake search engines.
     -->
   <rule id="31501" level="6">
     <if_sid>31100</if_sid>
@@ -56,7 +56,7 @@
   <rule id="31504" level="6">
     <if_sid>31100</if_sid>
     <url>login.php</url>
-    <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+    <regex>/admin/\w+.php/login.php</regex>
     <description>osCommerce file manager login.php bypass attempt.</description>
    </rule>
 
@@ -88,29 +88,29 @@
   <!-- BAD/Annoying user agents -->
   <rule id="31508" level="6">
     <if_sid>31100</if_sid>
-    <match> "ZmEu"| "libwww-perl/</match>
+    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
     <description>Blacklisted user agent (known malicious user agent).</description>
   </rule>
 
   <!-- WordPress wp-login.php brute force -->
   <rule id="31509" level="3">
     <if_sid>31108</if_sid>
-    <url>wp-login.php</url>
-    <regex>] "POST \S+wp-login.php</regex>
-    <description>WordPress login attempt.</description>
+    <url>wp-login.php|/administrator</url>
+    <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
+    <description>CMS (WordPress or Joomla) login attempt.</description>
   </rule>
 
   <!-- If we see frequent wp-login POST's, it is likely a bot. -->
-  <rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
+  <rule id="31510" level="8" frequency="6" timeframe="30">
     <if_matched_sid>31509</if_matched_sid>
     <same_source_ip />
-    <description>WordPress wp-login.php brute force attempt.</description>
+    <description>CMS (WordPress or Joomla) brute force attempt.</description>
   </rule>
 
   <!-- Nothing wrong with wget per se, but it misses a lot of links
      - that generates many 404s. Blocking it to avoid the noise.
     -->
-  <rule id="31511" level="6">
+  <rule id="31511" level="0">
     <if_sid>31100</if_sid>
     <match>" "Wget/</match>
     <description>Blacklisted user agent (wget).</description>
@@ -122,7 +122,7 @@
     <if_sid>31100</if_sid>
     <url>uploadify.php</url>
     <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
-    <description>TimThumb vulnerability exploit attempt.</description>
+    <description>Uploadify vulnerability exploit attempt.</description>
    </rule>
 
   <!-- BBS delete.php skin_path.
@@ -134,19 +134,58 @@
     <description>BBS delete.php exploit attempt.</description>
    </rule>
 
-  <!-- Anomaly rules - Used on common web attacks -->
-  <rule id="31550" level="6">
+  <!-- Simple shell.php command execution
+    -->
+  <rule id="31514" level="6">
     <if_sid>31100</if_sid>
-    <url>%00</url>
-    <regex> "GET /\S+.php?\S+%00</regex>
-    <description>Anomaly URL query (attempting to pass null termination).</description>
+    <url>shell.php</url>
+    <regex> "GET \S+/shell.php?cmd=</regex>
+    <description>Simple shell.php command execution.</description>
    </rule>
 
+  <!-- PHPMyAdmin scans
+    -->
+  <rule id="31515" level="6">
+    <if_sid>31100</if_sid>
+    <url>phpMyAdmin/scripts/setup.php</url>
+    <description>PHPMyAdmin scans (looking for setup.php).</description>
+   </rule>
 
+  <!-- Suspicious URL's access
+    -->
+  <rule id="31516" level="6">
+    <if_sid>31100</if_sid>
+    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
+    <description>Suspicious URL access.</description>
+   </rule>
 
+  <!-- Checking POST requests - Too many in a small type = likely a bot -->
+  <rule id="31530" level="3">
+    <if_sid>31100</if_sid>
+    <match>] "POST </match>
+    <options>no_log</options>
+    <description>POST request received.</description>
+   </rule>
 
+   <rule id="31531" level="0">
+    <if_sid>31530</if_sid>
+    <url>/wp-admin/|/administrator/|/admin/</url>
+    <description>Ignoring often post requests inside /wp-admin and /admin.</description>
+   </rule>
 
+   <rule id="31533" level="10" timeframe="20" frequency="6">
+    <if_matched_sid>31530</if_matched_sid>
+    <same_source_ip />
+    <description>High amount of POST requests in a small period of time (likely bot).</description>
+   </rule>
 
+  <!-- Anomaly rules - Used on common web attacks -->
+  <rule id="31550" level="6">
+    <if_sid>31100</if_sid>
+    <url>%00</url>
+    <regex> "GET /\S+.php?\S+%00</regex>
+    <description>Anomaly URL query (attempting to pass null termination).</description>
+   </rule>
 
 
 </group>