3 - Official Web access rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
17 <group name="web,accesslog,">
18 <rule id="31100" level="0">
19 <category>web-log</category>
20 <description>Access log messages grouped.</description>
23 <rule id="31108" level="0">
24 <if_sid>31100</if_sid>
26 <compiled_rule>is_simple_http_request</compiled_rule>
27 <description>Ignored URLs (simple queries).</description>
30 <rule id="31101" level="5">
31 <if_sid>31100</if_sid>
33 <description>Web server 400 error code.</description>
36 <rule id="31102" level="0">
37 <if_sid>31101</if_sid>
38 <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url>
39 <compiled_rule>is_simple_http_request</compiled_rule>
40 <description>Ignored extensions on 400 error codes.</description>
43 <rule id="31103" level="6">
44 <if_sid>31100</if_sid>
45 <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
46 <url>union+|where+|null,null|xp_cmdshell</url>
47 <description>SQL injection attempt.</description>
48 <group>attack,sql_injection,</group>
51 <rule id="31104" level="6">
52 <if_sid>31100</if_sid>
54 <!-- Attempt to do directory traversal, simple SQL injections,
55 - or access to the etc or bin directory (unix). -->
56 <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
57 <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
58 <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
59 <url>cat%20|exec%20|rm%20</url>
60 <description>Common web attack.</description>
61 <group>attack,</group>
64 <rule id="31105" level="6">
65 <if_sid>31100</if_sid>
66 <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
67 <url>%20ONLOAD=|INPUT%20|iframe%20</url>
68 <description>XSS (Cross Site Scripting) attempt.</description>
69 <group>attack,</group>
72 <rule id="31106" level="6">
73 <if_sid>31103, 31104, 31105</if_sid>
75 <description>A web attack returned code 200 (success).</description>
76 <group>attack,</group>
79 <!-- If your site has a search engine, you may need to ignore
82 <rule id="31107" level="0">
83 <if_sid>31103, 31104, 31105</if_sid>
84 <url>^/search.php?search=|^/index.php?searchword=</url>
85 <description>Ignored URLs for the web attacks.</description>
88 <rule id="31115" level="13" maxsize="2900">
89 <if_sid>31100</if_sid>
90 <description>URL too long. Higher than allowed on most </description>
91 <description>browsers. Possible attack.</description>
92 <group>invalid_access,</group>
95 <!-- 500 error codes, server error
96 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
98 <rule id="31120" level="5">
99 <if_sid>31100</if_sid>
101 <description>Web server 500 error code (server error).</description>
104 <rule id="31121" level="4">
105 <if_sid>31120</if_sid>
107 <description>Web server 501 error code (Not Implemented).</description>
110 <rule id="31122" level="5">
111 <if_sid>31120</if_sid>
113 <options>alert_by_email</options>
114 <description>Web server 500 error code (Internal Error).</description>
115 <group>system_error,</group>
118 <rule id="31123" level="4">
119 <if_sid>31120</if_sid>
121 <options>alert_by_email</options>
122 <description>Web server 503 error code (Service unavailable).</description>
126 <!-- Rules to ignore crawlers -->
127 <rule id="31140" level="0">
128 <if_sid>31101</if_sid>
129 <compiled_rule>is_valid_crawler</compiled_rule>
130 <description>Ignoring google/msn/yahoo bots.</description>
134 <rule id="31151" level="10" frequency="10" timeframe="120">
135 <if_matched_sid>31101</if_matched_sid>
137 <description>Multiple web server 400 error codes </description>
138 <description>from same source ip.</description>
139 <group>web_scan,recon,</group>
142 <rule id="31152" level="10" frequency="6" timeframe="120">
143 <if_matched_sid>31103</if_matched_sid>
145 <description>Multiple SQL injection attempts from same </description>
146 <description>source ip.</description>
147 <group>attack,sql_injection,</group>
150 <rule id="31153" level="10" frequency="8" timeframe="120">
151 <if_matched_sid>31104</if_matched_sid>
153 <description>Multiple common web attacks from same source ip.</description>
154 <group>attack,</group>
157 <rule id="31154" level="10" frequency="8" timeframe="120">
158 <if_matched_sid>31105</if_matched_sid>
160 <description>Multiple XSS (Cross Site Scripting) attempts </description>
161 <description>from same source ip.</description>
162 <group>attack,</group>
165 <rule id="31161" level="10" frequency="8" timeframe="120">
166 <if_matched_sid>31121</if_matched_sid>
168 <description>Multiple web server 501 error code (Not Implemented).</description>
169 <group>web_scan,recon,</group>
172 <rule id="31162" level="10" frequency="5" timeframe="120">
173 <if_matched_sid>31122</if_matched_sid>
175 <description>Multiple web server 500 error code (Internal Error).</description>
176 <group>system_error,</group>
179 <rule id="31163" level="10" frequency="8" timeframe="120">
180 <if_matched_sid>31123</if_matched_sid>
182 <description>Multiple web server 503 error code (Service unavailable).</description>
183 <group>web_scan,recon,</group>
185 </group> <!-- Web access log -->