--- /dev/null
+<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
+
+ -
+ - Web attacks/vulns specific rules for OSSEC.
+ -
+ - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<!-- Collection of rules for common web attacks that we are seeing in the wild.
+ - The real goal is to stop bots and automated attacks from doing further damage
+ - on sites that are not updated.
+ -->
+<group name="web,appsec,attack">
+
+
+
+ <!-- Checking POST / requests - WP comment spam coming from fake search engines.
+ -->
+ <rule id="31501" level="6">
+ <if_sid>31100</if_sid>
+ <match>POST /</match>
+ <url>/wp-comments-post.php</url>
+ <regex>Googlebot|MSNBot|BingBot</regex>
+ <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
+ </rule>
+
+ <!-- Timthumb scans.
+ -->
+ <rule id="31502" level="6">
+ <if_sid>31100</if_sid>
+ <url>thumb.php|timthumb.php</url>
+ <regex> "GET \S+thumb.php?src=\S+.php</regex>
+ <description>TimThumb vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- osCommerce login.php bypass
+ -->
+ <rule id="31503" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex> "POST /\S+.php/login.php?cPath=</regex>
+ <description>osCommerce login.php bypass attempt.</description>
+ </rule>
+
+ <!-- osCommerce file manager login.php bypass
+ -->
+ <rule id="31504" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+ <description>osCommerce file manager login.php bypass attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31505" level="6">
+ <if_sid>31100</if_sid>
+ <url>/cache/external</url>
+ <regex> "GET /\S+/cache/external\S+.php</regex>
+ <description>TimThumb backdoor access attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31506" level="6">
+ <if_sid>31100</if_sid>
+ <url>cart.php</url>
+ <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
+ <description>Cart.php directory transversal attempt.</description>
+ </rule>
+
+ <!-- MSSQL IIS inject rules -->
+ <rule id="31507" level="6">
+ <if_sid>31100</if_sid>
+ <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
+ <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
+ </rule>
+
+ <!-- BAD/Annoying user agents -->
+ <rule id="31508" level="6">
+ <if_sid>31100</if_sid>
+ <match> "ZmEu"| "libwww-perl/</match>
+ <description>Blacklisted user agent (known malicious user agent).</description>
+ </rule>
+
+ <!-- WordPress wp-login.php brute force -->
+ <rule id="31509" level="3">
+ <if_sid>31108</if_sid>
+ <url>wp-login.php</url>
+ <regex>] "POST \S+wp-login.php</regex>
+ <description>WordPress login attempt.</description>
+ </rule>
+
+ <!-- If we see frequent wp-login POST's, it is likely a bot. -->
+ <rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
+ <if_matched_sid>31509</if_matched_sid>
+ <same_source_ip />
+ <description>WordPress wp-login.php brute force attempt.</description>
+ </rule>
+
+ <!-- Nothing wrong with wget per se, but it misses a lot of links
+ - that generates many 404s. Blocking it to avoid the noise.
+ -->
+ <rule id="31511" level="6">
+ <if_sid>31100</if_sid>
+ <match>" "Wget/</match>
+ <description>Blacklisted user agent (wget).</description>
+ </rule>
+
+ <!-- Uploadify scans.
+ -->
+ <rule id="31512" level="6">
+ <if_sid>31100</if_sid>
+ <url>uploadify.php</url>
+ <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
+ <description>TimThumb vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- BBS delete.php skin_path.
+ -->
+ <rule id="31513" level="6">
+ <if_sid>31100</if_sid>
+ <url>delete.php</url>
+ <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
+ <description>BBS delete.php exploit attempt.</description>
+ </rule>
+
+ <!-- Anomaly rules - Used on common web attacks -->
+ <rule id="31550" level="6">
+ <if_sid>31100</if_sid>
+ <url>%00</url>
+ <regex> "GET /\S+.php?\S+%00</regex>
+ <description>Anomaly URL query (attempting to pass null termination).</description>
+ </rule>
+
+
+
+
+
+
+
+
+</group>