Imported Upstream version 2.7
index 9f0b00e..b35d899 100755 (executable)
@@ -1,4 +1,5 @@
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2012/05/08 dcid Exp $
+
   -
   -  Official Web access rules for OSSEC.
   -
     <group>attack,</group>
   </rule>
 
+  <rule id="31110" level="6">
+    <if_sid>31100</if_sid>
+    <url>?-d|?-s|?-a|?-b|?-w</url>
+    <description>PHP CGI-bin vulnerability attempt.</description>
+    <group>attack,</group>
+  </rule>
+
+  <rule id="31109" level="6">
+    <if_sid>31100</if_sid>
+    <url>+as+varchar(8000)</url>
+    <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
+    <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
+    <group>attack,</group>
+  </rule>
+
+
   <!-- If your site have a search engine, you may need to ignore
     - it in here.
     -->
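Review bot: Rule 31110 only catches the literal `?-d`, `?-s`, `?-a`, `?-b`, `?-w` spellings of the PHP-CGI argument-injection request, but OSSEC compares `<url>` against the request as it appears in the access log without percent-decoding it, so an attacker sending `?%2Ds` or `?%2Dd+allow_url_include%3DOn` (the encoded form that also appears in the wild) is not matched. Since `<url>` is a plain sregex alternation, the encoded forms can be added inline: `<url>?-d|?-s|?-a|?-b|?-w|?%2Dd|?%2Ds|?%2Da|?%2Db|?%2Dw</url>`. Rule 31109 has the mirror-image issue: its `<url>` expects a literal `+as+varchar(8000)` while its `<regex>` insists on `%2B`-encoded pluses, so a request that encodes consistently one way or the other may satisfy only one of the two conditions; if the intent is to catch the ur.php/urchin.js injections generally rather than one exact payload, the `<url>` should also accept `%2Bas%2Bvarchar(8000)`. A comment naming the vulnerability 31110 targets would also help tuning, e.g. `<!-- CVE-2012-1823: query string passed as php-cgi options (-d, -s, ...) -->`.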
     <description>Ignored URLs for the web attacks</description>
   </rule>
 
-  <rule id="31115" level="13" maxsize="2900">
+  <rule id="31115" level="13" maxsize="5900">
     <if_sid>31100</if_sid>
     <description>URL too long. Higher than allowed on most </description>
     <description>browsers. Possible attack.</description>
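Review bot: Raising `maxsize` from 2900 to 5900 leaves the description claiming the URL is "Higher than allowed on most browsers", which no longer describes the threshold, and `maxsize` appears to bound the whole logged event rather than the URL alone, so a long referrer or user-agent string can trigger it as readily as a long request path. I would reword the description to match what is actually measured: `<description>Web access log entry longer than 5900 bytes. </description>` followed by `<description>Possible attack (oversized request).</description>`. If the doubling was prompted by false positives from specific applications, a short comment recording that reason would let a later maintainer judge whether the weaker threshold is still justified.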
   <rule id="31151" level="10" frequency="10" timeframe="120">
     <if_matched_sid>31101</if_matched_sid>
     <same_source_ip />
-    <description>Mutiple web server 400 error codes </description>
+    <description>Multiple web server 400 error codes </description>
     <description>from same source ip.</description>
     <group>web_scan,recon,</group>
   </rule>