X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fweb_appsec_rules.xml;h=6448db266620cba3c4204c49cc4be460bddab53e;hp=3f405c0136f05683053ffa9adddc555573bf183c;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/etc/rules/web_appsec_rules.xml b/etc/rules/web_appsec_rules.xml
old mode 100755
new mode 100644
index 3f405c0..6448db2
--- a/etc/rules/web_appsec_rules.xml
+++ b/etc/rules/web_appsec_rules.xml
@@ -13,17 +13,17 @@
   -
   -  License details: http://www.ossec.net/en/licensing.html
   -->
-  
+
 
 <!-- Collection of rules for common web attacks that we are seeing in the wild.
   -  The real goal is to stop bots and automated attacks from doing further damage
-  -  on sites that are not updated. 
-  -->  
+  -  on sites that are not updated.
+  -->
 <group name="web,appsec,attack">
 
 
 
-  <!-- Checking POST / requests - WP comment spam coming from fake search engines. 
+  <!-- Checking POST / requests - WP comment spam coming from fake search engines.
     -->
   <rule id="31501" level="6">
     <if_sid>31100</if_sid>
@@ -88,7 +88,7 @@
   <!-- BAD/Annoying user agents -->
   <rule id="31508" level="6">
     <if_sid>31100</if_sid>
-    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v</match>
+    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
     <description>Blacklisted user agent (known malicious user agent).</description>
   </rule>
 
@@ -110,7 +110,7 @@
   <!-- Nothing wrong with wget per se, but it misses a lot of links
      - that generates many 404s. Blocking it to avoid the noise.
     -->
-  <rule id="31511" level="6">
+  <rule id="31511" level="0">
     <if_sid>31100</if_sid>
     <match>" "Wget/</match>
     <description>Blacklisted user agent (wget).</description>
@@ -151,11 +151,11 @@
     <description>PHPMyAdmin scans (looking for setup.php).</description>
    </rule>
 
-  <!-- Suspicious URL's access 
+  <!-- Suspicious URL's access
     -->
   <rule id="31516" level="6">
     <if_sid>31100</if_sid>
-    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history</url>
+    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
     <description>Suspicious URL access.</description>
    </rule>