X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fapache.ini;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fapache.ini;h=1fd79a6cdee14c184229b864fbdf807e1b91009a;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini
new file mode 100644
index 0000000..1fd79a6
--- /dev/null
+++ b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini
@@ -0,0 +1,81 @@
+[Attempt to access forbidden directory index.]
+log 1 pass = [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
+rule = 30106
+alert = 5
+decoder = apache-errorlog
+
+[Code Red attack]
+log 1 pass = [error] [client 64.94.163.159] Client sent malformed Host header
+rule = 30107
+alert = 6
+decoder = apache-errorlog
+
+[Attempt to access an non-existent file]
+log 1 pass = [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
+rule = 30112
+alert = 0
+decoder = apache-errorlog
+
+[Apache notice messages grouped]
+log 1 pass = [notice] Apache configured
+rule = 30103
+alert = 0
+decoder = apache-errorlog
+
+[Apache 2.2 error messages grouped]
+log 1 pass = [Fri Dec 13 06:59:54 2013] [error] [client 12.34.65.78] PHP Notice:
+rule = 30101
+alert = 0
+decoder = apache-errorlog
+
+[Apache 2.4 error messages grouped]
+log 1 pass = [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
+log 2 pass = [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
+rule = 30301
+alert = 0
+decoder = apache-errorlog
+
+[Apache 2.4 warn messages grouped]
+log 1 pass = [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
+rule = 30302
+alert = 0
+decoder = apache-errorlog
+
+[Attempt to access forbidden file or directory]
+log 1 pass = [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
+rule = 30305
+alert = 5
+decoder = apache-errorlog
+
+[Apache messages grouped]
+log 1 pass = [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
+log 2 pass = [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
+rule = 30100
+alert = 0
+decoder = apache-errorlog
+
+[PHP Notices in Apache 2.4 errorlog]
+log 1 pass = [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice: A non well formed numeric value encountered in /path/to/file.php on line 123
+rule = 30318
+alert = 5
+decoder = apache-errorlog
+
+[auth fail]
+log 1 pass = [Tue Feb 07 08:50:22.679122 2017] [auth_basic:error] [pid 14446] [client 10.101.1.50:33168] AH01617: user pupkin: authentication failure for "/secret/": Password Mismatch
+rule = 30308
+alert = 5
+decoder = apache-errorlog
+
+[script 404]
+log 1 pass = [Tue Feb 07 02:43:19.799723 2017] [cgi:error] [pid 9721] [client 10.101.1.50:44324] AH02811: script not found or unable to stat: /var/www/html/showmail.pl
+rule = 30321
+alert = 2
+decoder = apache-errorlog
+
+[permission denied]
+log 1 pass = [Thu Feb 02 01:44:27.699327 2017] [access_compat:error] [pid 7934] [client ::1:50058] AH01797: client denied by server configuration: /var/www/html/'
+log 2 pass = [Thu Feb 02 00:59:02.285651 2017] [core:error] [pid 20009] (13)Permission denied: [client ::1:49934] AH00132: file permissions deny server access: /var/www/html/1
+rule = 30320
+alert = 2
+decoder = apache-errorlog
+
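Review bot: Every case in this new file is a `log N pass` line, so the suite only shows that each rule fires and would not catch a rule or decoder change that starts matching too broadly. For the sections that expect a non-zero alert (rules 30106, 30107, 30305, 30308, 30318) a near-miss line that must not reach the rule would help, assuming the test runner accepts a `fail` counterpart to `pass` (not visible in this hunk); a constructed sample to confirm before use is `log 2 fail = [Tue Feb 07 08:50:23.000000 2017] [core:notice] [pid 14446] AH00094: Command line: '/usr/sbin/apache2'` under `[auth fail]`. Each section asserts only `rule`, `alert` and `decoder`, so the client address and the user name in the AH01617 line are not checked as decoded fields, and the IPv6 `[client ::1:50058]` case would still pass if the source address were extracted wrongly. Several samples also look copied from live logs (routable client addresses, and the referer in the AH01136 line carries a `user=` query value); addresses from the documentation ranges such as 192.0.2.0/24 and an example.com referer would keep third-party data out of the fixtures.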