X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fweb_appsec_rules.xml;fp=etc%2Frules%2Fweb_appsec_rules.xml;h=e3d9aaa6c7fafe109be59ef87db815121c020acb;hp=0000000000000000000000000000000000000000;hb=ff0e686ac67bbd82b60c277eb324910dbc60f65f;hpb=33a81e69474ae91ecec4e991debe59e26bb330fd

diff --git a/etc/rules/web_appsec_rules.xml b/etc/rules/web_appsec_rules.xml
new file mode 100755
index 0000000..e3d9aaa
--- /dev/null
+++ b/etc/rules/web_appsec_rules.xml
@@ -0,0 +1,152 @@
+<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
+
+  -
+  -  Web attacks/vulns specific rules for OSSEC.
+  -
+  -  Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+  
+
+<!-- Collection of rules for common web attacks that we are seeing in the wild.
+  -  The real goal is to stop bots and automated attacks from doing further damage
+  -  on sites that are not updated. 
+  -->  
+<group name="web,appsec,attack">
+
+
+
+  <!-- Checking POST / requests - WP comment spam coming from fake search engines. 
+    -->
+  <rule id="31501" level="6">
+    <if_sid>31100</if_sid>
+    <match>POST /</match>
+    <url>/wp-comments-post.php</url>
+    <regex>Googlebot|MSNBot|BingBot</regex>
+    <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
+   </rule>
+
+  <!-- Timthumb scans.
+    -->
+  <rule id="31502" level="6">
+    <if_sid>31100</if_sid>
+    <url>thumb.php|timthumb.php</url>
+    <regex> "GET \S+thumb.php?src=\S+.php</regex>
+    <description>TimThumb vulnerability exploit attempt.</description>
+   </rule>
+
+  <!-- osCommerce login.php bypass
+    -->
+  <rule id="31503" level="6">
+    <if_sid>31100</if_sid>
+    <url>login.php</url>
+    <regex> "POST /\S+.php/login.php?cPath=</regex>
+    <description>osCommerce login.php bypass attempt.</description>
+   </rule>
+
+  <!-- osCommerce file manager login.php bypass
+    -->
+  <rule id="31504" level="6">
+    <if_sid>31100</if_sid>
+    <url>login.php</url>
+    <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+    <description>osCommerce file manager login.php bypass attempt.</description>
+   </rule>
+
+  <!-- Timthumb backdoor access.
+    -->
+  <rule id="31505" level="6">
+    <if_sid>31100</if_sid>
+    <url>/cache/external</url>
+    <regex> "GET /\S+/cache/external\S+.php</regex>
+    <description>TimThumb backdoor access attempt.</description>
+   </rule>
+
+  <!-- Timthumb backdoor access.
+    -->
+  <rule id="31506" level="6">
+    <if_sid>31100</if_sid>
+    <url>cart.php</url>
+    <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
+    <description>Cart.php directory transversal attempt.</description>
+   </rule>
+
+  <!-- MSSQL IIS inject rules -->
+  <rule id="31507" level="6">
+    <if_sid>31100</if_sid>
+    <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
+    <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
+  </rule>
+
+  <!-- BAD/Annoying user agents -->
+  <rule id="31508" level="6">
+    <if_sid>31100</if_sid>
+    <match> "ZmEu"| "libwww-perl/</match>
+    <description>Blacklisted user agent (known malicious user agent).</description>
+  </rule>
+
+  <!-- WordPress wp-login.php brute force -->
+  <rule id="31509" level="3">
+    <if_sid>31108</if_sid>
+    <url>wp-login.php</url>
+    <regex>] "POST \S+wp-login.php</regex>
+    <description>WordPress login attempt.</description>
+  </rule>
+
+  <!-- If we see frequent wp-login POST's, it is likely a bot. -->
+  <rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
+    <if_matched_sid>31509</if_matched_sid>
+    <same_source_ip />
+    <description>WordPress wp-login.php brute force attempt.</description>
+  </rule>
+
+  <!-- Nothing wrong with wget per se, but it misses a lot of links
+     - that generates many 404s. Blocking it to avoid the noise.
+    -->
+  <rule id="31511" level="6">
+    <if_sid>31100</if_sid>
+    <match>" "Wget/</match>
+    <description>Blacklisted user agent (wget).</description>
+  </rule>
+
+  <!-- Uploadify scans.
+    -->
+  <rule id="31512" level="6">
+    <if_sid>31100</if_sid>
+    <url>uploadify.php</url>
+    <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
+    <description>TimThumb vulnerability exploit attempt.</description>
+   </rule>
+
+  <!-- BBS delete.php skin_path.
+    -->
+  <rule id="31513" level="6">
+    <if_sid>31100</if_sid>
+    <url>delete.php</url>
+    <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
+    <description>BBS delete.php exploit attempt.</description>
+   </rule>
+
+  <!-- Anomaly rules - Used on common web attacks -->
+  <rule id="31550" level="6">
+    <if_sid>31100</if_sid>
+    <url>%00</url>
+    <regex> "GET /\S+.php?\S+%00</regex>
+    <description>Anomaly URL query (attempting to pass null termination).</description>
+   </rule>
+
+
+
+
+
+
+
+
+</group>