--- /dev/null
+<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
+
+ -
+ - Web attacks/vulns specific rules for OSSEC.
+ -
+ - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<!-- Collection of rules for common web attacks that we are seeing in the wild.
+ - The real goal is to stop bots and automated attacks from doing further damage
+ - on sites that are not updated.
+ -->
+<group name="web,appsec,attack">
+
+
+
+ <!-- Checking POST / requests - WP comment spam coming from fake search engines.
+ -->
+ <rule id="31501" level="6">
+ <if_sid>31100</if_sid>
+ <match>POST /</match>
+ <url>/wp-comments-post.php</url>
+ <regex>Googlebot|MSNBot|BingBot</regex>
+ <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
+ </rule>
+
+ <!-- Timthumb scans.
+ -->
+ <rule id="31502" level="6">
+ <if_sid>31100</if_sid>
+ <url>thumb.php|timthumb.php</url>
+ <regex> "GET \S+thumb.php?src=\S+.php</regex>
+ <description>TimThumb vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- osCommerce login.php bypass
+ -->
+ <rule id="31503" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex> "POST /\S+.php/login.php?cPath=</regex>
+ <description>osCommerce login.php bypass attempt.</description>
+ </rule>
+
+ <!-- osCommerce file manager login.php bypass
+ -->
+ <rule id="31504" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex>/admin/\w+.php/login.php</regex>
+ <description>osCommerce file manager login.php bypass attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31505" level="6">
+ <if_sid>31100</if_sid>
+ <url>/cache/external</url>
+ <regex> "GET /\S+/cache/external\S+.php</regex>
+ <description>TimThumb backdoor access attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31506" level="6">
+ <if_sid>31100</if_sid>
+ <url>cart.php</url>
+ <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
+ <description>Cart.php directory transversal attempt.</description>
+ </rule>
+
+ <!-- MSSQL IIS inject rules -->
+ <rule id="31507" level="6">
+ <if_sid>31100</if_sid>
+ <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
+ <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
+ </rule>
+
+ <!-- BAD/Annoying user agents -->
+ <rule id="31508" level="6">
+ <if_sid>31100</if_sid>
+ <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
+ <description>Blacklisted user agent (known malicious user agent).</description>
+ </rule>
+
+ <!-- WordPress wp-login.php brute force -->
+ <rule id="31509" level="3">
+ <if_sid>31108</if_sid>
+ <url>wp-login.php|/administrator</url>
+ <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
+ <description>CMS (WordPress or Joomla) login attempt.</description>
+ </rule>
+
+ <!-- If we see frequent wp-login POST's, it is likely a bot. -->
+ <rule id="31510" level="8" frequency="6" timeframe="30">
+ <if_matched_sid>31509</if_matched_sid>
+ <same_source_ip />
+ <description>CMS (WordPress or Joomla) brute force attempt.</description>
+ </rule>
+
+ <!-- Nothing wrong with wget per se, but it misses a lot of links
+ - that generates many 404s. Blocking it to avoid the noise.
+ -->
+ <rule id="31511" level="0">
+ <if_sid>31100</if_sid>
+ <match>" "Wget/</match>
+ <description>Blacklisted user agent (wget).</description>
+ </rule>
+
+ <!-- Uploadify scans.
+ -->
+ <rule id="31512" level="6">
+ <if_sid>31100</if_sid>
+ <url>uploadify.php</url>
+ <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
+ <description>Uploadify vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- BBS delete.php skin_path.
+ -->
+ <rule id="31513" level="6">
+ <if_sid>31100</if_sid>
+ <url>delete.php</url>
+ <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
+ <description>BBS delete.php exploit attempt.</description>
+ </rule>
+
+ <!-- Simple shell.php command execution
+ -->
+ <rule id="31514" level="6">
+ <if_sid>31100</if_sid>
+ <url>shell.php</url>
+ <regex> "GET \S+/shell.php?cmd=</regex>
+ <description>Simple shell.php command execution.</description>
+ </rule>
+
+ <!-- PHPMyAdmin scans
+ -->
+ <rule id="31515" level="6">
+ <if_sid>31100</if_sid>
+ <url>phpMyAdmin/scripts/setup.php</url>
+ <description>PHPMyAdmin scans (looking for setup.php).</description>
+ </rule>
+
+ <!-- Suspicious URL's access
+ -->
+ <rule id="31516" level="6">
+ <if_sid>31100</if_sid>
+ <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
+ <description>Suspicious URL access.</description>
+ </rule>
+
+ <!-- Checking POST requests - Too many in a small type = likely a bot -->
+ <rule id="31530" level="3">
+ <if_sid>31100</if_sid>
+ <match>] "POST </match>
+ <options>no_log</options>
+ <description>POST request received.</description>
+ </rule>
+
+ <rule id="31531" level="0">
+ <if_sid>31530</if_sid>
+ <url>/wp-admin/|/administrator/|/admin/</url>
+ <description>Ignoring often post requests inside /wp-admin and /admin.</description>
+ </rule>
+
+ <rule id="31533" level="10" timeframe="20" frequency="6">
+ <if_matched_sid>31530</if_matched_sid>
+ <same_source_ip />
+ <description>High amount of POST requests in a small period of time (likely bot).</description>
+ </rule>
+
+ <!-- Anomaly rules - Used on common web attacks -->
+ <rule id="31550" level="6">
+ <if_sid>31100</if_sid>
+ <url>%00</url>
+ <regex> "GET /\S+.php?\S+%00</regex>
+ <description>Anomaly URL query (attempting to pass null termination).</description>
+ </rule>
+
+
+</group>
projects / ossec-hids.git / blobdiff