1 <!-- @(#) $Id: apache_rules.xml,v 1.36 2009/09/16 14:19:45 dcid Exp $
2 - Official Apache rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
14 - Contributed by: Ahmet Ozturk
18 <group name="apache,">
19 <rule id="30100" level="0">
20 <decoded_as>apache-errorlog</decoded_as>
21 <description>Apache messages grouped.</description>
24 <rule id="30101" level="0">
25 <if_sid>30100</if_sid>
26 <match>^[error] </match>
27 <description>Apache error messages grouped.</description>
30 <rule id="30102" level="0">
31 <if_sid>30100</if_sid>
32 <match>^[warn] </match>
33 <description>Apache warn messages grouped.</description>
36 <rule id="30103" level="0">
37 <if_sid>30100</if_sid>
38 <match>^[notice] </match>
39 <description>Apache notice messages grouped.</description>
42 <rule id="30104" level="12">
43 <if_sid>30103</if_sid>
44 <match>exit signal Segmentation Fault</match>
45 <description>Apache segmentation fault.</description>
46 <info>http://www.securityfocus.com/infocus/1633</info>
47 <group>service_availability,</group>
50 <rule id="30105" level="5">
51 <if_sid>30101</if_sid>
52 <match>denied by server configuration</match>
53 <description>Attempt to access forbidden file or directory.</description>
54 <group>access_denied,</group>
57 <rule id="30106" level="5">
58 <if_sid>30101</if_sid>
59 <match>Directory index forbidden by rule</match>
60 <description>Attempt to access forbidden directory index.</description>
61 <group>access_denied,</group>
64 <rule id="30107" level="6">
65 <if_sid>30101</if_sid>
66 <match>Client sent malformed Host header</match>
67 <description>Code Red attack.</description>
68 <info>http://www.cert.org/advisories/CA-2001-19.html</info>
69 <group>automatic_attack,</group>
72 <rule id="30108" level="5">
73 <if_sid>30102</if_sid>
74 <match>authentication failed</match>
75 <description>User authentication failed.</description>
76 <group>authentication_failed,</group>
79 <rule id="30109" level="9">
80 <if_sid>30101</if_sid>
81 <regex>user \S+ not found</regex>
82 <description>Attempt to login using a non-existent user.</description>
83 <group>invalid_login,</group>
86 <rule id="30110" level="5">
87 <if_sid>30101</if_sid>
88 <match>authentication failure</match>
89 <description>User authentication failed.</description>
90 <group>authentication_failed,</group>
93 <rule id="30112" level="0">
94 <if_sid>30101</if_sid>
95 <match>File does not exist: |</match>
96 <match>failed to open stream: No such file or directory|</match>
97 <match>Failed opening </match>
98 <description>Attempt to access an non-existent file (those are reported on the access.log).</description>
99 <group>unknown_resource,</group>
102 <!-- [Tue Mar 07 12:05:15 2006] [error] [client 200.206.165.91] Invalid URI in request %3Bi%3A3%3Bi%3A0%3B%7D; usercookie[password]=d6ed9e1750d0b2aba6b3311cbec087d8; 45befd35f8a0f47b89ed8831f892b8dc=167c4e46a940cd2570b952eea527b27a; PHPSESSID=616hjdg7kj9bln37efsv7vt7g3
103 - [client 65.204.137.200] script '/var/www/html/xmlrpc.php' not found or unable to stat
105 <rule id="30115" level="5">
106 <if_sid>30101</if_sid>
107 <match>Invalid URI in request</match>
108 <description>Invalid URI (bad client request).</description>
109 <group>invalid_request,</group>
112 <rule id="30116" level="10" frequency="8" timeframe="120">
113 <if_matched_sid>30115</if_matched_sid>
115 <description>Multiple Invalid URI requests from </description>
116 <description>same source.</description>
117 <group>invalid_request,</group>
120 <rule id="30117" level="10">
121 <if_sid>30101</if_sid>
122 <match>File name too long|request failed: URI too long</match>
123 <description>Invalid URI, file name too long.</description>
124 <group>invalid_request,</group>
127 <!-- Mod security rules by <ossec ( at ) sioban.net -->
128 <rule id="30118" level="6">
129 <if_sid>30101</if_sid>
130 <match>mod_security: Access denied|ModSecurity: Access denied</match>
131 <description>Access attempt blocked by Mod Security.</description>
132 <group>access_denied,</group>
135 <rule id="30119" level="12" frequency="6" timeframe="120">
136 <if_matched_sid>30118</if_matched_sid>
138 <description>Multiple attempts blocked by Mod Security.</description>
139 <group>access_denied,</group>
142 <rule id="30120" level="12">
143 <if_sid>30101</if_sid>
144 <match>Resource temporarily unavailable:</match>
145 <description>Apache without resources to run.</description>
146 <group>service_availability,</group>
149 <rule id="30200" level="6" noalert="1">
150 <match>^mod_security-message: </match>
151 <description>Modsecurity alert.</description>
154 <rule id="30201" level="6">
155 <if_sid>30200</if_sid>
156 <match>^mod_security-message: Access denied </match>
157 <description>Modsecurity access denied.</description>
158 <group>access_denied,</group>
161 <rule id="30202" level="10" frequency="8" timeframe="120">
162 <if_matched_sid>30201</if_matched_sid>
163 <description>Multiple attempts blocked by Mod Security.</description>
164 <group>access_denied,</group>
166 </group> <!-- ERROR_LOG,APACHE -->
projects / ossec-hids.git / blob