1 <!-- @(#) $Id: ./etc/rules/web_rules.xml, 2012/05/08 dcid Exp $
4 - Official Web access rules for OSSEC.
6 - Copyright (C) 2009 Trend Micro Inc.
9 - This program is a free software; you can redistribute it
10 - and/or modify it under the terms of the GNU General Public
11 - License (version 2) as published by the FSF - Free Software
14 - License details: http://www.ossec.net/en/licensing.html
18 <group name="web,accesslog,">
19 <rule id="31100" level="0">
20 <category>web-log</category>
21 <description>Access log messages grouped.</description>
24 <rule id="31108" level="0">
25 <if_sid>31100</if_sid>
27 <compiled_rule>is_simple_http_request</compiled_rule>
28 <description>Ignored URLs (simple queries).</description>
31 <rule id="31101" level="5">
32 <if_sid>31100</if_sid>
34 <description>Web server 400 error code.</description>
37 <rule id="31102" level="0">
38 <if_sid>31101</if_sid>
39 <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url>
40 <compiled_rule>is_simple_http_request</compiled_rule>
41 <description>Ignored extensions on 400 error codes.</description>
44 <rule id="31103" level="6">
45 <if_sid>31100</if_sid>
46 <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
47 <url>union+|where+|null,null|xp_cmdshell</url>
48 <description>SQL injection attempt.</description>
49 <group>attack,sql_injection,</group>
52 <rule id="31104" level="6">
53 <if_sid>31100</if_sid>
55 <!-- Attempt to do directory transversal, simple sql injections,
56 - or access to the etc or bin directory (unix). -->
57 <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
58 <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
59 <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
60 <url>cat%20|exec%20|rm%20</url>
61 <description>Common web attack.</description>
62 <group>attack,</group>
65 <rule id="31105" level="6">
66 <if_sid>31100</if_sid>
67 <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
68 <url>%20ONLOAD=|INPUT%20|iframe%20</url>
69 <description>XSS (Cross Site Scripting) attempt.</description>
70 <group>attack,</group>
73 <rule id="31106" level="6">
74 <if_sid>31103, 31104, 31105</if_sid>
76 <description>A web attack returned code 200 (success).</description>
77 <group>attack,</group>
80 <rule id="31110" level="6">
81 <if_sid>31100</if_sid>
82 <url>?-d|?-s|?-a|?-b|?-w</url>
83 <description>PHP CGI-bin vulnerability attempt.</description>
84 <group>attack,</group>
87 <rule id="31109" level="6">
88 <if_sid>31100</if_sid>
89 <url>+as+varchar(8000)</url>
90 <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
91 <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
92 <group>attack,</group>
96 <!-- If your site have a search engine, you may need to ignore
99 <rule id="31107" level="0">
100 <if_sid>31103, 31104, 31105</if_sid>
101 <url>^/search.php?search=|^/index.php?searchword=</url>
102 <description>Ignored URLs for the web attacks</description>
105 <rule id="31115" level="13" maxsize="5900">
106 <if_sid>31100</if_sid>
107 <description>URL too long. Higher than allowed on most </description>
108 <description>browsers. Possible attack.</description>
109 <group>invalid_access,</group>
112 <!-- 500 error codes, server error
113 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
115 <rule id="31120" level="5">
116 <if_sid>31100</if_sid>
118 <description>Web server 500 error code (server error).</description>
121 <rule id="31121" level="4">
122 <if_sid>31120</if_sid>
124 <description>Web server 501 error code (Not Implemented).</description>
127 <rule id="31122" level="5">
128 <if_sid>31120</if_sid>
130 <options>alert_by_email</options>
131 <description>Web server 500 error code (Internal Error).</description>
132 <group>system_error,</group>
135 <rule id="31123" level="4">
136 <if_sid>31120</if_sid>
138 <options>alert_by_email</options>
139 <description>Web server 503 error code (Service unavailable).</description>
143 <!-- Rules to ignore crawlers -->
144 <rule id="31140" level="0">
145 <if_sid>31101</if_sid>
146 <compiled_rule>is_valid_crawler</compiled_rule>
147 <description>Ignoring google/msn/yahoo bots.</description>
151 <rule id="31151" level="10" frequency="10" timeframe="120">
152 <if_matched_sid>31101</if_matched_sid>
154 <description>Multiple web server 400 error codes </description>
155 <description>from same source ip.</description>
156 <group>web_scan,recon,</group>
159 <rule id="31152" level="10" frequency="6" timeframe="120">
160 <if_matched_sid>31103</if_matched_sid>
162 <description>Multiple SQL injection attempts from same </description>
163 <description>souce ip.</description>
164 <group>attack,sql_injection,</group>
167 <rule id="31153" level="10" frequency="8" timeframe="120">
168 <if_matched_sid>31104</if_matched_sid>
170 <description>Multiple common web attacks from same souce ip.</description>
171 <group>attack,</group>
174 <rule id="31154" level="10" frequency="8" timeframe="120">
175 <if_matched_sid>31105</if_matched_sid>
177 <description>Multiple XSS (Cross Site Scripting) attempts </description>
178 <description>from same souce ip.</description>
179 <group>attack,</group>
182 <rule id="31161" level="10" frequency="8" timeframe="120">
183 <if_matched_sid>31121</if_matched_sid>
185 <description>Multiple web server 501 error code (Not Implemented).</description>
186 <group>web_scan,recon,</group>
189 <rule id="31162" level="10" frequency="5" timeframe="120">
190 <if_matched_sid>31122</if_matched_sid>
192 <description>Multiple web server 500 error code (Internal Error).</description>
193 <group>system_error,</group>
196 <rule id="31163" level="10" frequency="8" timeframe="120">
197 <if_matched_sid>31123</if_matched_sid>
199 <description>Multiple web server 503 error code (Service unavailable).</description>
200 <group>web_scan,recon,</group>
202 </group> <!-- Web access log -->