1 <!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
4 - Web attacks/vulns specific rules for OSSEC.
6 - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
9 - This program is a free software; you can redistribute it
10 - and/or modify it under the terms of the GNU General Public
11 - License (version 2) as published by the FSF - Free Software
14 - License details: http://www.ossec.net/en/licensing.html
18 <!-- Collection of rules for common web attacks that we are seeing in the wild.
19 - The real goal is to stop bots and automated attacks from doing further damage
20 - on sites that are not updated.
22 <group name="web,appsec,attack">
26 <!-- Checking POST / requests - WP comment spam coming from fake search engines.
28 <rule id="31501" level="6">
29 <if_sid>31100</if_sid>
31 <url>/wp-comments-post.php</url>
32 <regex>Googlebot|MSNBot|BingBot</regex>
33 <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
38 <rule id="31502" level="6">
39 <if_sid>31100</if_sid>
40 <url>thumb.php|timthumb.php</url>
41 <regex> "GET \S+thumb.php?src=\S+.php</regex>
42 <description>TimThumb vulnerability exploit attempt.</description>
45 <!-- osCommerce login.php bypass
47 <rule id="31503" level="6">
48 <if_sid>31100</if_sid>
50 <regex> "POST /\S+.php/login.php?cPath=</regex>
51 <description>osCommerce login.php bypass attempt.</description>
54 <!-- osCommerce file manager login.php bypass
56 <rule id="31504" level="6">
57 <if_sid>31100</if_sid>
59 <regex>/admin/\w+.php/login.php</regex>
60 <description>osCommerce file manager login.php bypass attempt.</description>
63 <!-- Timthumb backdoor access.
65 <rule id="31505" level="6">
66 <if_sid>31100</if_sid>
67 <url>/cache/external</url>
68 <regex> "GET /\S+/cache/external\S+.php</regex>
69 <description>TimThumb backdoor access attempt.</description>
72 <!-- Timthumb backdoor access.
74 <rule id="31506" level="6">
75 <if_sid>31100</if_sid>
77 <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
78 <description>Cart.php directory transversal attempt.</description>
81 <!-- MSSQL IIS inject rules -->
82 <rule id="31507" level="6">
83 <if_sid>31100</if_sid>
84 <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
85 <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
88 <!-- BAD/Annoying user agents -->
89 <rule id="31508" level="6">
90 <if_sid>31100</if_sid>
91 <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
92 <description>Blacklisted user agent (known malicious user agent).</description>
95 <!-- WordPress wp-login.php brute force -->
96 <rule id="31509" level="3">
97 <if_sid>31108</if_sid>
98 <url>wp-login.php|/administrator</url>
99 <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
100 <description>CMS (WordPress or Joomla) login attempt.</description>
103 <!-- If we see frequent wp-login POST's, it is likely a bot. -->
104 <rule id="31510" level="8" frequency="6" timeframe="30">
105 <if_matched_sid>31509</if_matched_sid>
107 <description>CMS (WordPress or Joomla) brute force attempt.</description>
110 <!-- Nothing wrong with wget per se, but it misses a lot of links
111 - that generates many 404s. Blocking it to avoid the noise.
113 <rule id="31511" level="0">
114 <if_sid>31100</if_sid>
115 <match>" "Wget/</match>
116 <description>Blacklisted user agent (wget).</description>
119 <!-- Uploadify scans.
121 <rule id="31512" level="6">
122 <if_sid>31100</if_sid>
123 <url>uploadify.php</url>
124 <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
125 <description>Uploadify vulnerability exploit attempt.</description>
128 <!-- BBS delete.php skin_path.
130 <rule id="31513" level="6">
131 <if_sid>31100</if_sid>
132 <url>delete.php</url>
133 <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
134 <description>BBS delete.php exploit attempt.</description>
137 <!-- Simple shell.php command execution
139 <rule id="31514" level="6">
140 <if_sid>31100</if_sid>
142 <regex> "GET \S+/shell.php?cmd=</regex>
143 <description>Simple shell.php command execution.</description>
146 <!-- PHPMyAdmin scans
148 <rule id="31515" level="6">
149 <if_sid>31100</if_sid>
150 <url>phpMyAdmin/scripts/setup.php</url>
151 <description>PHPMyAdmin scans (looking for setup.php).</description>
154 <!-- Suspicious URL's access
156 <rule id="31516" level="6">
157 <if_sid>31100</if_sid>
158 <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
159 <description>Suspicious URL access.</description>
162 <!-- Checking POST requests - Too many in a small type = likely a bot -->
163 <rule id="31530" level="3">
164 <if_sid>31100</if_sid>
165 <match>] "POST </match>
166 <options>no_log</options>
167 <description>POST request received.</description>
170 <rule id="31531" level="0">
171 <if_sid>31530</if_sid>
172 <url>/wp-admin/|/administrator/|/admin/</url>
173 <description>Ignoring often post requests inside /wp-admin and /admin.</description>
176 <rule id="31533" level="10" timeframe="20" frequency="6">
177 <if_matched_sid>31530</if_matched_sid>
179 <description>High amount of POST requests in a small period of time (likely bot).</description>
182 <!-- Anomaly rules - Used on common web attacks -->
183 <rule id="31550" level="6">
184 <if_sid>31100</if_sid>
186 <regex> "GET /\S+.php?\S+%00</regex>
187 <description>Anomaly URL query (attempting to pass null termination).</description>