Commits

Daniel Cid committed 8924550 Draft

Adding some custom rules for web apps vulns.

  • Participants
  • Parent commits ecf7515

Comments (0)

Files changed (1)

File etc/rules/web_appsec_rules.xml

+<!-- @(#) $Id$
+  -
+  -  Web specific rules for OSSEC.
+  -
+  -  Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+  
+
+<!-- Collection of rules for common web attacks that we are seeing in the wild.
+  -  The real goal is to stop bots and automated attacks from doing further damage
+  -  on sites that are not updated. 
+  -->  
+<group name="web,appsec,">
+
+
+
+  <!-- Checking POST / requests - WP comment spam coming from fake search engines. 
+    -->
+  <rule id="31501" level="6">
+    <if_sid>31100</if_sid>
+    <match>POST /</match>
+    <url>/wp-comments-post.php</url>
+    <regex>Googlebot|MSNBot|Bing</regex>
+    <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
+   </rule>
+
+  <!-- Timthumb scans.
+    -->
+  <rule id="31502" level="6">
+    <if_sid>31100</if_sid>
+    <url>thumb.php|timthumb.php</url>
+    <regex> "GET \S+thumb.php?src=\S+.php </regex>
+    <description>TimThumb vulnerability exploit attempt.</description>
+   </rule>
+
+  <!-- osCommerce login.php bypass
+    -->
+  <rule id="31503" level="6">
+    <if_sid>31100</if_sid>
+    <url>login.php</url>
+    <regex> "POST /\S+.php/login.php?cPath=</regex>
+    <description>osCommerce login.php bypass attempt.</description>
+   </rule>
+
+  <!-- osCommerce file manager login.php bypass
+    -->
+  <rule id="31504" level="6">
+    <if_sid>31100</if_sid>
+    <url>login.php</url>
+    <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+    <description>osCommerce file manager login.php bypass attempt.</description>
+   </rule>
+
+  <!-- Timthumb backdoor access.
+    -->
+  <rule id="31505" level="6">
+    <if_sid>31100</if_sid>
+    <url>/cache/external</url>
+    <regex> "GET /\S+/cache/external\S+.php </regex>
+    <description>TimThumb backdoor access attempt.</description>
+   </rule>
+
+  <!-- Timthumb backdoor access.
+    -->
+  <rule id="31506" level="6">
+    <if_sid>31100</if_sid>
+    <url>cart.php</url>
+    <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
+    <description>Cart.php directory transversal attempt.</description>
+   </rule>
+
+
+  <!-- Anomaly rules - Used on common web attacks -->
+  <rule id="31550" level="6">
+    <if_sid>31100</if_sid>
+    <url>%00</url>
+    <regex> "GET /\S+.php?\S+%00</regex>
+    <description>Anomaly URL query (attempting to pass null termination).</description>
+   </rule>
+
+
+
+
+
+
+
+
+</group>