
Daniel Cid committed 42e2cec Draft

Fixing reports location to allow a . in the agent name. Increasing the size of the reports too, to be easier to read.

*a few more app_sec rules from tony@sucuri.net


Files changed (4)

etc/rules/web_appsec_rules.xml

   <!-- BAD/Annoying user agents -->
   <rule id="31508" level="6">
     <if_sid>31100</if_sid>
-    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto</match>
+    <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net</match>
     <description>Blacklisted user agent (known malicious user agent).</description>
   </rule>
 
     <if_sid>31100</if_sid>
     <url>uploadify.php</url>
     <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
-    <description>TimThumb vulnerability exploit attempt.</description>
+    <description>Uploadify vulnerability exploit attempt.</description>
    </rule>
 
   <!-- BBS delete.php skin_path.
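Review bot: The new `<match>` line for rule 31508 still lists ZmEu twice (` "ZmEu"` first, then `"ZmEu` before `"Nikto`). Assuming `<match>` does substring matching, the second form already covers the first, so the line could be `<match>"ZmEu|"libwww-perl/|"the beast"|"Morfeus|"Nikto|"w3af.sourceforge.net</match>`. The rule also lacks a comment saying that these strings are the tools' default User-Agent values, which are client-supplied. A line such as `<!-- Matches default scanner User-Agents only; absence of this alert does not mean absence of scanning. -->` would keep analysts from over-trusting the signal. The second hunk's description fix looks right, though its `<rule>` opening lies outside the hunk.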

etc/rules/web_rules.xml

     <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
     <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
     <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
-    <url>cat%20|exec%20|rm%20</url>
+    <url>cat%20|exec%20|rm%20|../..//|%5C../%5C|././././|2e%2e%5c%2e</url>
     <description>Common web attack.</description>
     <group>attack,</group>
   </rule>
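Review bot: The last alternative added on the `+` line, `2e%2e%5c%2e`, looks like it lost its leading `%`. As a substring it still hits `%2e%2e%5c%2e`, but it reads as a typo and should probably be written `%2e%2e%5c%2e`. If `<url>` is matched as a substring, the new `../..//` entry is redundant, because `../..` in the first `<url>` line of this rule already matches it. A short comment above the new line, e.g. `<!-- encoded and padded directory-traversal variants -->`, would record why these were added. The rule's opening tag and id are outside the hunk.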

src/config/reports-config.c

         if((*mystr >= 'a' && *mystr <= 'z') ||
            (*mystr >= 'A' && *mystr <= 'Z') ||
            (*mystr >= '0' && *mystr <= '9') ||
-           *mystr == '-' || *mystr == '_')
+           *mystr == '-' || *mystr == '_' || *mystr == '.')
         {
             mystr++;
         }
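Review bot: Adding `'.'` to this character whitelist comes with no comment on why it is safe, and because the check is per character a value such as `..` now passes as well. The loop and its enclosing function start and end outside the hunk, so where the validated string ends up is not visible here. If it can reach a file name or the report tool's command line, confirm that `..` is harmless there or reject consecutive dots. At minimum I would document the intent next to the condition, e.g. `/* '.' is allowed so agent names like host.example pass; the value must not be used as a path component. */`.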

src/shared/report_op.c

         /* With location we leave more space to be clearer. */
         if(!print_related)
         {
-            if(strlen(lkey) > 46)
+            if(strlen(lkey) > 76)
             {
-                lkey[44] = '.';
-                lkey[45] = '.';
-                lkey[46] = '\0';
+                lkey[74] = '.';
+                lkey[75] = '.';
+                lkey[76] = '\0';
             }
 
             if(!dopdout)
                 _os_header_print(print_related, hname);
                 dopdout = 1;
             }
-            l_print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size);
+            l_print_out("%-78s|%-8d|", (char *)next_node->key, st_data->currently_size);
         }
 
 
                 _os_header_print(print_related, hname);
                 dopdout = 1;
             }
-            l_print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size);
+            l_print_out("%-78s|%-8d|", (char *)next_node->key, st_data->currently_size);
 
             if(print_related & REPORT_REL_LOCATION)
                 _os_report_print_related(REPORT_REL_LOCATION, st_data);
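Review bot: The column width is now hard-coded as 76, 74, 75, 76 and twice as `%-78s`, and these numbers only work while they stay in step with each other. A named constant such as `#define REPORT_KEY_WIDTH 78` used with `l_print_out("%-*s|%-8d|", REPORT_KEY_WIDTH, ...)` and `lkey[REPORT_KEY_WIDTH - 2] = '\0';` would keep the next resize to one line. The truncation is applied to `lkey` while both prints use `(char *)next_node->key`. The hunk does not show whether these are the same buffer: if they are, the stored key is permanently shortened, and if not, the truncation never reaches the output. The second `l_print_out` has no truncation visible in its hunk, so keys longer than 78 characters would still push the columns out of line. The enclosing function is outside both hunks.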