X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fapache_rules.xml;h=5bb6a7d3586d71f52ac437a29af035d77904e69a;hb=HEAD;hp=f823886cd0f6249b16c00a54cd876f476a315520;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/etc/rules/apache_rules.xml b/etc/rules/apache_rules.xml
old mode 100755
new mode 100644
index f823886..5bb6a7d
--- a/etc/rules/apache_rules.xml
+++ b/etc/rules/apache_rules.xml
@@ -1,4 +1,5 @@
-
-
+
apache-errorlog
Apache messages grouped.
-
+
30100
^[error]
Apache error messages grouped.
-
+
30100
^[warn]
Apache warn messages grouped.
-
+
30100
^[notice]
@@ -79,7 +81,7 @@
30101
- user \S+ not found
+ user \S+ not found|user \S+ in realm \.* not found
Attempt to login using a non-existent user.
invalid_login,
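Review bot: in the added alternative `user \S+ in realm \.* not found`, the `\.*` is an unbounded any-character run, so the pattern matches any line that contains "user X in realm" followed anywhere later by " not found", even when that trailing text has nothing to do with the login. Bound the realm field instead, either with `\S+` if realms in your logs never contain spaces or by matching the delimiter around the realm, so the invalid_login group is only applied to the message this rule is meant for.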
@@ -96,7 +98,7 @@
File does not exist: |
failed to open stream: No such file or directory|
Failed opening
- Attempt to access an non-existent file (those are reported on the access.log).
+ Attempt to access an non-existent file (those are reported on the access.log).
unknown_resource,
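Review bot: the description on the changed line still reads "an non-existent file". The old and new versions differ only in whitespace, so the line is being rewritten anyway; change it to "a non-existent file", and make the same fix in the identical description added in the last hunk.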
@@ -139,14 +141,14 @@
Multiple attempts blocked by Mod Security.
access_denied,
-
+
30101
Resource temporarily unavailable:
Apache without resources to run.
service_availability,
-
+
^mod_security-message:
Modsecurity alert.
@@ -158,14 +160,166 @@
Modsecurity access denied.
access_denied,
-
+
30201
Multiple attempts blocked by Mod Security.
access_denied,
-
+
+
+ 30100
+ [\S*:error]
+ Apache error messages grouped.
+
+
+
+ 30100
+ [\S+:warn]
+ Apache warn messages grouped.
+
+
+
+ 30100
+ [\S+:notice]
+ Apache notice messages grouped.
+
+
+
+ 30303
+ exit signal Segmentation Fault
+ Apache segmentation fault.
+ http://www.securityfocus.com/infocus/1633
+ service_availability,
+
+
+
+ 30301
+ AH01630
+ Attempt to access forbidden file or directory.
+ access_denied,
+
+
+
+ 30301
+ AH01276
+ Attempt to access forbidden directory index.
+ access_denied,
+
+
+
+ 30301
+ AH00550
+ Client sent malformed Host header. Possible Code Red attack.
+ http://www.cert.org/advisories/CA-2001-19.html
+ CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
+ automatic_attack,
+
+
+
+ 30301
+ AH01617|AH01807|AH01694|AH01695|AH02009|AH02010
+ User authentication failed.
+ authentication_failed,
+
+
+
+ 30301
+ AH01618|AH01808|AH01790
+ Attempt to login using a non-existent user.
+ invalid_login,
+
+
+
+ 30309
+
+ Multiple authentication failures with invalid user.
+ authentication_failures,
+
+
+
+ 30301
+ File does not exist: |
+ failed to open stream: No such file or directory|
+ Failed opening
+ Attempt to access an non-existent file (those are reported on the access.log).
+ unknown_resource,
+
+
+
+ 30301
+ AH00126
+ Invalid URI (bad client request).
+ invalid_request,
+
+
+
+ 30315
+
+ Multiple Invalid URI requests from
+ same source.
+ invalid_request,
+
+
+
+ 30301
+ AH00565
+ Invalid URI, file name too long.
+ invalid_request,
+
+
+
+ 30301
+ PHP Notice:
+ PHP Notice in Apache log
+
+
+
+ 30301
+ AH00036
+ File name too long:
+ File name too long.
+
+
+
+ 30301
+ Permission denied: | client denied by server configuration:
+ Permission denied.
+
+
+
+ 30301
+ AH02811
+ script not found
+ A script cannot be accessed.
+
+
+
+
+ 30301
+ ModSecurity: Warning
+ ModSecurity Warning messages grouped
+
+
+
+ 30301
+ ModSecurity: Access denied
+ ModSecurity Access denied messages grouped
+
+
+
+ 30301
+ ModSecurity: Audit log:
+ ModSecurity Audit log messages grouped
+
+
+
+ 30402
+ with code 403
+ ModSecurity rejected a query
+
+
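Review bot: the three new grouping patterns at the top of the added block are inconsistent with each other and with the existing rules: `[\S*:error]` accepts an empty module name while `[\S+:warn]` and `[\S+:notice]` require one, and none of them keeps the `^` anchor that `^[error]`, `^[warn]` and `^[notice]` use. Use the same quantifier in all three (`\S+` looks like the intent) and either anchor them or add a comment saying why they are unanchored, since every other rule in this block chains off them. Two smaller points in the same hunk: the AH00550 rule labels a malformed Host header as "Possible Code Red attack" and cites an advisory whose title is about the IIS Indexing Service, which will mislead whoever triages the alert, so a neutral description would be better; and the last rule matches on the bare substring `with code 403`, which is loose enough that it deserves a more specific match or a comment on what log line it targets. The rules from "PHP Notice:" onward also carry no group line, unlike the ones above them; add one or note that the omission is intentional.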