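##########################################################################
#
# doxi_rulesets - rules for nginx+naxsi
# desc : WEB_SERVER
# file : web_server.rules
# created : 2014-09-28 - 12:29
# by : nginx-goodies
# download : https://bitbucket.org/lazy_dogtown/doxi-rules
#
# Reviewer notes, valid for the whole file:
#  - "str:" is an unanchored substring match on the lower-cased request
#    (the lower-cased base64 patterns in this file rely on that), "rx:" is
#    PCRE. Short patterns fire on any request that merely contains the text.
#  - naxsi matches after URL-decoding (confirm for the deployed version);
#    %-encoded patterns therefore only see double-encoded input.
#  - Patterns pass through nginx's config tokenizer, which inside a quoted
#    token translates \t, \r, \n and escaped quotes/backslashes and leaves
#    every other backslash sequence as literal text.
#  - "s:" only raises the per-request counters; whether a hit blocks is set
#    by CheckRule thresholds outside this file. Rules that describe normal
#    traffic for a product (wp-admin, option=com_, /images/stories/,
#    /manager ...) must be whitelisted (BasicRule wl:ID) where it is used.
#
###########################################################################

#
# sid: 42000397 | date: 2014-09-27 - 17:26
#
# http://security.stackexchange.com/questions/68408/how-does-this-shellshock-scan-work
#
# bash's /dev/udp/<host>/<port> pseudo-device as used by the scan in the
# linked write-up. Zones widened with URL to match the TCP twin (42000396);
# the original only inspected BODY|ARGS|HEADERS.
#
MainRule "str:/dev/udp/" "msg:possible UDP-Bind-Attempt (/dev/udp/)" "mz:BODY|URL|ARGS|HEADERS" "s:$ATTACK:8" id:42000397 ;

#
# sid: 42000396 | date: 2014-09-27 - 17:23
#
# http://security.stackexchange.com/questions/68408/how-does-this-shellshock-scan-work
#
MainRule "str:/dev/tcp/" "msg:possible TCP-Bind-Attempt (/dev/tcp)" "mz:BODY|URL|ARGS|HEADERS" "s:$ATTACK:8" id:42000396 ;

#
# sid: 42000393 | date: 2014-09-25 - 02:18
#
# http://seclists.org/oss-sec/2014/q3/649
# https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
# http://seclists.org/oss-sec/2014/q3/650
# http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
#
# Shellshock: bash treats an environment variable whose value starts with
# "() {" as a function definition. A CGI gateway exports request headers
# and also path/query components into the environment, so the zones were
# widened from BODY|HEADERS to BODY|URL|ARGS|HEADERS. The token is exact,
# so the wider zones add no realistic false positives.
#
MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|URL|ARGS|HEADERS" "s:$ATTACK:8" id:42000393 ;

#
# sid: 42000392 | date: 2014-09-24 - 16:42
#
# known_hosts - access
#
MainRule "str:/known_hosts" "msg:known_hosts Access" "mz:URL" "s:$UWA:8" id:42000392 ;

#
# sid: 42000391 | date: 2014-09-24 - 16:41
#
# ssh authorized_keys - access
#
MainRule "str:/authorized_keys" "msg:authorized_keys - Access" "mz:URL" "s:$UWA:8" id:42000391 ;

#
# sid: 42000386 | date: 2014-09-02 - 08:40
#
# http://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
#
# NOTE(review): "\0" is not an escape the nginx tokenizer knows, so the
# pattern is the two characters backslash + zero, not a NUL byte. It
# catches payloads that spell the null byte that way, not a %00 that has
# been decoded to a real NUL in ARGS/BODY (nginx itself seems to answer a
# %00 in the path with 400 before naxsi runs -- verify for your version).
# Left unchanged because a raw NUL cannot be written here; treat hits as
# evidence, not as coverage of null-byte injection.
#
MainRule "str:\0" "msg:Nullbyte - Termination \0" "mz:BODY|URL|ARGS" "s:$ATTACK:8" id:42000386 ;

#
# sid: 42000382 | date: 2014-05-21 - 23:38
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
# file:// URIs in request data (XXE / local file read). The URL zone is
# not inspected, so a file:// string in the path itself goes unseen.
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382 ;

#
# sid: 42000381 | date: 2014-05-08 - 15:28
#
# User-Agent containing "meterpreter"; trivially changed by an attacker,
# so a hit is a gift and a miss means nothing.
#
MainRule "str:meterpreter" "msg:Meterpreter-UA detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000381 ;

#
# sid: 42000368 | date: 2014-04-27 - 08:03
#
# http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
# https://www.mare-system.de/news/mare/1398410520/
#
# Facebook's link-preview crawler. Scored 7, one below the 8 used by the
# other rules, so with an 8-threshold it logs but does not block on its own.
#
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368 ;

#
# sid: 42000345 | date: 2014-03-18 - 13:50
#
MainRule "str:roulette" "msg:Possible Casino-Spam (roulette in URL)" "mz:URL" "s:$UWA:8" id:42000345 ;

#
# sid: 42000344 | date: 2014-03-18 - 13:49
#
# http://www.heise.de/security/meldung/Hunderte-Typo3-Webseiten-gehackt-2148372.html
#
# Keyword rules for the casino-spam campaign in the linked article; plain
# substring matches, so any legitimate URL containing the word fires too.
#
MainRule "str:casino" "msg:Possible Casino-Spam (casino in URL)" "mz:URL" "s:$UWA:8" id:42000344 ;

#
# sid: 42000343 | date: 2014-03-23 - 17:13
#
# multiple vulns found lately
# http://karmainsecurity.com/analysis-of-the-joomla-php-object-injection-vulnerability
# https://www.mare-system.de/news/secbulletin/1392018237/
# http://vagosec.org/2013/09/wordpress-php-object-injection/
# http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html
# http://www.exploit-db.com/exploits/32439/
# http://www.php.net/manual/de/function.serialize.php
#
# Serialized PHP object (O:<len>:"<class>":<n>:{s:...) in a parameter.
# "{(s|S):" requires a first string-keyed member, which is how serialize()
# emits property names, so any non-empty object matches; empty objects
# (...:0:{}) do not. The two unanchored ".*" are greedy, so large bodies
# cost PCRE time.
#
MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000343 ;

#
# sid: 42000341 | date: 2014-03-16 - 00:07
#
# credits:
# - sensepost.com for a nice generic vuln- analysis
#   http://sensepost.com/blog/10178.html
# - Reginaldo Silva for his blogpost about a sever facebook-vuln
#   http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
#
# External entity declaration in a request body (XXE). Two gaps in the
# original pattern <!ENTITY(\s+)(%*\s*)([a-zA-Z1-9_-]*)(\s+)SYSTEM fixed:
#  - the name class lacked "0" and ".", so "<!ENTITY x0 SYSTEM ..." did not
#    match (the 0 broke the following \s+);
#  - entities declared with PUBLIC instead of SYSTEM were not covered.
#
MainRule "rx:<!ENTITY(\s+)(%*\s*)([a-zA-Z0-9_.-]*)(\s+)(SYSTEM|PUBLIC)" "msg:possible XML/XXE-Exploitation atempt" "mz:BODY" "s:$UWA:8" id:42000341 ;

#
# sid: 42000337 | date: 2013-11-28 - 12:06
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
#
MainRule "str:/cgi-bin/php" "msg:PHP-CGI-Scan" "mz:URL" "s:$ATTACK:8" id:42000337 ;

#
# sid: 42000334 | date: 2013-10-31 - 16:09
#
# http://seclists.org/fulldisclosure/2013/Oct/279
# http://www.exploit-db.com/exploits/29290/
#
# Any /cgi-bin/ path. 42000337 above is the narrower php-cgi variant and
# both fire for /cgi-bin/php. Whitelist on hosts that actually serve CGI.
#
MainRule "str:/cgi-bin/" "msg:CGI-BIN - Scan" "mz:URL" "s:$UWA:8" id:42000334 ;

#
# sid: 42000333 | date: 2013-10-30 - 09:05
#
# http://www.exploit-db.com/exploits/29290/
#
# NOTE(review): "<?" also opens every XML document ("<?xml ..."), so any
# SOAP/XML-RPC/Atom POST body scores UWA:8 here -- whitelist this id on
# endpoints that accept XML. The User-Agent and Cookie entries in the zone
# list are already part of HEADERS; whether listing them twice counts one
# header twice is naxsi-version dependent, left as is.
#
MainRule "str:<?" "msg:PHP-Opener ( <? ) found" "mz:URL|HEADERS|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000333 ;

#
# sid: 42000331 | date: 2013-10-28 - 23:09
#
# http://www.exploit-db.com/exploits/25980/
#
MainRule "str:/struts2-blank/" "msg:ApacheStruts - Exploit-Scan" "mz:URL" "s:$UWA:8" id:42000331 ;

#
# sid: 42000330 | date: 2013-10-28 - 19:42
#
# NOTE(review): the URL zone is nginx's parsed request path, which begins
# with "/" -- the request method is not part of it -- so this anchored
# pattern has no obvious way to fire. Check it against a real CONNECT
# request before counting on it.
#
MainRule "rx:^connect" "msg:CONNECT-Request Attempt " "mz:URL" "s:$UWA:8" id:42000330 ;

#
# sid: 42000329 | date: 2013-10-21 - 09:09
#
# http://www.exploit-db.com/google-dorks/
#
MainRule "str:/.ssh/" "msg:SSH-Homedir-Access" "mz:URL" "s:$ATTACK:8" id:42000329 ;

#
# sid: 42000325 | date: 2013-10-17 - 09:11
#
# http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
# et: 2017590
# http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html
#
# Magic User-Agent of the D-Link backdoor from the linked write-up; only
# scanners send it to a host that is not a D-Link router.
#
MainRule "str:xmlset_roodkcableoj28840ybtide" "msg:Dlink-Router Backdoor-Scan" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000325 ;

#
# sid: 42000318 | date: 2013-10-04 - 21:25
#
# http://localhost.re/p/whmcs-527-vulnerability
#
MainRule "str:aes_encrypt" "msg:Possible WHMCS Exploit" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000318 ;

#
# sid: 42000308 | date: 2013-08-14 - 08:43
#
# http://ddecode.com/phpdecoder/?results=0db52ac37807e6646a3617ff4e33533d
#
# base64("phpinfo();  ") lower-cased, because naxsi lower-cases the request
# before "str:" matching. Base64 is alignment dependent: the same text at a
# different offset encodes to different characters and is not caught.
#
MainRule "str:cghwaw5mbygpoyag" "msg:Base64Encoded phpinfo" "mz:URL|BODY|ARGS|HEADERS" "s:$UWA:8" id:42000308 ;

#
# sid: 42000303 | date: 2013-08-05 - 15:29
#
MainRule "str:stats/agent" "msg:AWSTATS - Access (2)" "mz:URL" "s:$UWA:8" id:42000303 ;

#
# sid: 42000302 | date: 2013-08-05 - 15:29
#
MainRule "str:/awstats/data" "msg:AWSTATS - Access" "mz:URL" "s:$UWA:8" id:42000302 ;

#
# sid: 42000301 | date: 2013-08-04 - 22:41
#
# et: 2009044
#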
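# NOTE(review): pattern is in %-encoded form (= "exec master..xp_cmdshell").
# naxsi matches after URL-decoding (confirm for the deployed version), so
# this can only fire on double-encoded input; the decoded form is what
# 42000005 (xp_cmdshell) looks for. Kept for the double-encoded case.
#
MainRule "str:exec%20master%2e%2exp%5fcmdshell" "msg:SQLNinja Attempt To Create xp_cmdshell Session" "mz:URL|ARGS" "s:$UWA:8" id:42000301 ;

#
# sid: 42000299 | date: 2013-08-04 - 22:36
#
# et: 2009823
#
# MSSQL extended stored procedures (this and the xp_* rules below, ported
# from the Emerging Threats sids given): the names are specific enough that
# a hit in URL|ARGS is almost always an injection attempt. They raise $UWA,
# not $SQL, so they do not stack with the core SQL rules.
#
MainRule "str:xp_ntsec_enumdomains" "msg:Attempt To Access MSSQL xp_ntsec_enumdomains Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000299 ;

#
# sid: 42000298 | date: 2013-08-04 - 22:35
#
# et: 2009823
#
MainRule "str:xp_enumgroups" "msg:Attempt To Access MSSQLxp_enumgroups Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000298 ;

#
# sid: 42000297 | date: 2013-08-04 - 22:34
#
# et: 2009823
#
MainRule "str:xp_enumdsn" "msg:Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000297 ;

#
# sid: 42000296 | date: 2013-08-04 - 22:33
#
MainRule "str:xp_readerrorlogs" "msg:Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000296 ;

#
# sid: 42000295 | date: 2013-08-04 - 22:32
#
# et: 2009820
#
MainRule "str:xp_enumerrorlogs" "msg:Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000295 ;

#
# sid: 42000294 | date: 2013-08-04 - 22:31
#
# et: 2009819
#
MainRule "str:xp_fileexist" "msg:Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000294 ;

#
# sid: 42000293 | date: 2013-08-04 - 22:30
#
# et: 2009818
#
MainRule "str:xp_regdeletekey" "msg:Attempt To Access MSSQL xp_regdeletekey Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000293 ;

#
# sid: 42000292 | date: 2013-08-04 - 22:28
#
# et: 2009818
#
MainRule "str:xp_regdeletevalue" "msg:Attempt To Access MSSQL xp_regdeletevalue Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000292 ;

#
# sid: 42000291 | date: 2013-08-04 - 22:27
#
# et: 2009818
#
MainRule "str:xp_regwrite" "msg:Attempt To Access MSSQL xp_regwrite Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000291 ;

#
# sid: 42000290 | date: 2013-08-04 - 22:26
#
# et: 2009818
#
MainRule "str:xp_regread" "msg:Attempt To Access MSSQL xp_regread Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000290 ;

#
# sid: 42000289 | date: 2013-08-04 - 22:24
#
# et: 2009816
#
MainRule "str:xp_servicecontrol" "msg:Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI" "mz:URL|ARGS" "s:$UWA:8" id:42000289 ;

#
# sid: 42000285 | date: 2013-08-04 - 18:51
#
# http://pastebin.com/5HXNY6Pq
# http://www.exploit-db.com/exploits/17734/
#
# NOTE(review): /images/stories/ is Joomla's regular media directory, so on
# a Joomla host every image request scores ATTACK:8 here -- whitelist the
# id there (BasicRule wl:42000285).
#
MainRule "str:/images/stories/" "msg:Joomla JCE-Exploit-Scan" "mz:URL" "s:$ATTACK:8" id:42000285 ;

#
# sid: 42000284 | date: 2013-07-28 - 09:48
#
# possible scan for open proxies, generic
#
# NOTE(review): for an absolute-form request line (GET http://host/path)
# nginx keeps only the path in the URL zone, which starts with "/", so
# "^http" has no obvious way to match there. Probably dead -- verify with
# a proxy-style request before relying on it.
#
MainRule "rx:^http" "msg:Open-Proxy-Scan" "mz:URL" "s:$UWA:8" id:42000284 ;

#
# sid: 42000282 | date: 2013-07-21 - 10:36
#
# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
#
# A comma in Transfer-Encoding means a list of codings, the classic
# request-smuggling shape from the CRS rule this was ported from.
#
MainRule "str:," "msg:HTTP Request Smuggling - Multiple Values in Transfer-Encoding" "mz:$HEADERS_VAR:Transfer-Encoding" "s:$EVADE:8" id:42000282 ;

#
# sid: 42000280 | date: 2013-07-21 - 10:30
#
# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
#
# Fixed: the pattern was empty ("str:"). Depending on the naxsi build that
# either matched every request carrying a Content-Length header or never
# matched; the message and the sibling rules 42000282/42000279 show the
# intended pattern is a comma. nginx validates Content-Length itself and
# answers a non-numeric value with 400 before naxsi runs (check for your
# version), so this mostly preserves the CRS origin.
#
MainRule "str:," "msg:HTTP Request Smuggling - Comma in Content-Length" "mz:$HEADERS_VAR:Content-Length" "s:$EVADE:8" id:42000280 ;

#
# sid: 42000279 | date: 2013-07-21 - 10:29
#
# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
#
# NOTE(review): RFC 2046 allows "," inside a multipart boundary, so a
# client choosing such a boundary trips this; common browsers do not.
#
MainRule "str:," "msg:HTTP Request Smuggling - Comma in Content-Type" "mz:$HEADERS_VAR:Content-Type" "s:$EVADE:8" id:42000279 ;

#
# sid: 42000278 | date: 2013-07-21 - 10:26
#
# https://www.owasp.org/index.php/HTTP_Request_Smuggling
#
# Fixed: the tokenizer turns "\n\r" into LF CR, the reverse of the CRLF
# that an injected %0d%0a decodes to, so the original only caught a
# double CRLF (where LF CR occurs in the middle). Now CR LF. Assumes the
# decoded control characters survive into the URL zone -- verify for
# your nginx version.
#
MainRule "str:\r\n" "msg:HTTP - Smuggling-Attempt (NewLine in URI)" "mz:URL" "s:$EVADE:8" id:42000278 ;

#
# sid: 42000277 | date: 2013-07-21 - 10:20
#
# https://www.owasp.org/index.php/HTTP_Request_Smuggling
#
# 42000277/42000275/42000274: a second request line smuggled inside a
# header value. Header values rarely contain "get /" or "post /" with the
# space, but a free-text header (Referer, custom X-*) can.
#
MainRule "str:post http" "msg:HTTP - Smuggling-Attempt (Proxy-POST in Headers)" "mz:HEADERS" "s:$EVADE:8" id:42000277 ;

#
# sid: 42000275 | date: 2013-07-21 - 09:59
#
# https://www.owasp.org/index.php/HTTP_Request_Smuggling
#
MainRule "str:post /" "msg:HTTP - Smuggling-Attempt (POST in Headers)" "mz:HEADERS" "s:$EVADE:8" id:42000275 ;

#
# sid: 42000274 | date: 2013-07-21 - 09:48
#
# https://www.owasp.org/index.php/HTTP_Request_Smuggling
#
MainRule "str:get /" "msg:HTTP - Smuggling-Attempt (GET in Headers)" "mz:HEADERS" "s:$EVADE:8" id:42000274 ;

#
# sid: 42000271 | date: 2013-07-08 - 09:31
#
# http://www.projecthoneypot.org/ip_95.168.162.43
# http://security.stackexchange.com/questions/8153/what-on-earth-is-this-log-entry-in-apache
#
MainRule "str:++++++++result" "msg:ForumSpammer Access " "mz:URL" "s:$UWA:8" id:42000271 ;

#
# sid: 42000270 | date: 2013-06-25 - 12:16
#
# https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-June/007990.html
#
MainRule "str:pymills-spider/" "msg:Possible Fast-Track Tool Spidering User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000270 ;

#
# sid: 42000269 | date: 2013-06-24 - 07:50
#
# http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
#
MainRule "str:/rootpassword.php" "msg:Possible Scan for SolusVM WHMCS Module 3.16 Vulnerability" "mz:URL" "s:$ATTACK:8" id:42000269 ;

#
# sid: 42000268 | date: 2013-06-17 - 20:07
#
# http://localhost.re/p/solusvm-11303-vulnerabilities
# blog.soluslabs.com/2013/06/16/important-security-alert-new-update/
# http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/
#
MainRule "str:/centralbackup.php" "msg:Possible SolusVM - Exploit-attempt" "mz:URL" "s:$ATTACK:8" id:42000268 ;

#
# sid: 42000267 | date: 2013-06-10 - 13:55
#
# in case developers forgot to exclude .idea/ from repos, checkouts or
# deployments; better to deny it server-side as well (a .htaccess rule
# on apache, a denied location on nginx) -- this rule only scores.
#
MainRule "str:/.idea/" "msg:JetBrains IDE - Workspace-Scan" "mz:URL" "s:$UWA:8" id:42000267 ;

#
# sid: 42000265 | date: 2013-06-05 - 21:44
#
# http://seclists.org/fulldisclosure/2013/Jun/21
# http://www.reddit.com/r/netsec/comments/1fqe4g/plesk_apache_remote_0_day_king_cope/
#
MainRule "str:/phppath/" "msg:Plesk Apache Zeroday Remote Exploit - possible scan" "mz:URL" "s:$UWA:8" id:42000265 ;

#
# sid: 42000264 | date: 2013-04-24 - 20:48
#
# Also inspects BODY|ARGS, i.e. the file name passed as a parameter
# (path traversal / include targets), not only direct URL access.
#
MainRule "str:/.htpasswd" "msg:.htpasswd - Access" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000264 ;

#
# sid: 42000263 | date: 2013-04-24 - 20:48
#
MainRule "str:/.htaccess" "msg:.htaccess - Access" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000263 ;

#
# sid: 42000262 | date: 2013-04-13 - 11:31
#
# http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
# http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html
# http://blog.sucuri.net/2013/04/protecting-against-wordpress-brute-force-attacks.html
#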
#
# NOTE(review): /wp-admin and /wp-login.php (42000261) are the normal
# admin entry points of WordPress, so every legitimate admin visit scores
# UWA:8. The references are about brute-force campaigns; presumably meant
# for hosts that do not run WordPress, or as log-only -- whitelist the ids
# (BasicRule wl:42000262, wl:42000261) where WordPress is in use.
#
MainRule "str:/wp-admin" "msg:possible WP-Scan (wp-admin)" "mz:URL" "s:$UWA:8" id:42000262 ;

#
# sid: 42000261 | date: 2013-04-13 - 11:31
#
# http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
# http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html
# http://blog.sucuri.net/2013/04/protecting-against-wordpress-brute-force-attacks.html
#
MainRule "str:/wp-login.php" "msg:possible WP-Scan (wp-login)" "mz:URL" "s:$UWA:8" id:42000261 ;

#
# sid: 42000259 | date: 2013-02-23 - 11:26
#
# NOTE(review): overlaps 42000121 ("str:gzinflate", URL|ARGS, ATTACK:8);
# a "gzinflate(" in URL or ARGS fires both and is scored twice.
#
MainRule "str:gzinflate(" "msg:gzinflate in URI" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000259 ;

#
# sid: 42000257 | date: 2013-02-23 - 11:15
#
# NOTE(review): overlaps 42000029 (same string, URL|ARGS, ATTACK:8); this
# one adds BODY, User-Agent and Cookie. A hit in URL|ARGS scores both.
#
MainRule "str:/bin/sh" "msg:/bin/sh in URI" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000257 ;

#
# sid: 42000254 | date: 2013-02-23 - 11:08
#
# 42000254/42000253/42000252: extension probes. Substring matches, so
# ".inc.php", ".conf.d/" and similar fire as well; "web.config" is not
# covered by any of them.
#
MainRule "str:.ini" "msg:possible INI - File - Access" "mz:URL" "s:$UWA:8" id:42000254 ;

#
# sid: 42000253 | date: 2013-02-23 - 11:08
#
MainRule "str:.inc" "msg:possible INC - File - Access" "mz:URL" "s:$UWA:8" id:42000253 ;

#
# sid: 42000252 | date: 2013-02-23 - 11:07
#
MainRule "str:.conf" "msg:possible CONF-File - Access" "mz:URL" "s:$UWA:8" id:42000252 ;

#
# sid: 42000247 | date: 2013-02-17 - 17:55
#
# http://blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SpiderlabsAnterior+%28SpiderLabs+Anterior%29
#
# PHP code in the User-Agent (for apps that log or eval it, see link).
#
MainRule "str:<?php" "msg:UA-PHP-Injection-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000247 ;

#
# sid: 42000246 | date: 2013-02-17 - 17:55
#
# http://blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SpiderlabsAnterior+%28SpiderLabs+Anterior%29
#
# NOTE(review): exact duplicate of 42000247 (same pattern, zone, score and
# message), so a "<?php" User-Agent is scored ATTACK:16. Harmless under an
# 8-threshold; left in place only so that existing wl:42000246 whitelists
# keep their meaning. Drop one of the two when whitelists are next revised.
#
MainRule "str:<?php" "msg:UA-PHP-Injection-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000246 ;

#
# sid: 42000245 | date: 2013-02-12 - 19:21
#
# http://freecode.com/projects/phpshell
# script kiddies forget to remove the request to the css, so a request for
# the stylesheet is a good indicator that PHPShell is installed.
#
MainRule "str:/phpshell.css" "msg:PHPShell - Access detected" "mz:URL" "s:$ATTACK:8" id:42000245 ;

#
# sid: 42000236 | date: 2013-01-15 - 10:41
#
# in opposite to core-rule 1200; this detects directory traversal only
#
# NOTE(review): nginx resolves "/../" in the request path before naxsi
# sees the URL zone, so expect this to fire mostly on encodings that
# survive that normalisation -- verify which ones on your version.
#
MainRule "str:../" "msg:DoubleDot in URL" "mz:URL" "s:$UWA:8" id:42000236 ;

#
# sid: 42000228 | date: 2013-01-08 - 15:52
#
# base64("/etc/passwd") lower-cased (naxsi lower-cases the request before
# "str:" matching). Only the zero-offset encoding is caught; the same
# string embedded at another alignment encodes differently.
#
MainRule "str:l2v0yy9wyxnzd2q=" "msg:/etc/passwd encoded as Base64 " "mz:URL|BODY|ARGS|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000228 ;

#
# sid: 42000121 | date: 2012-12-21 - 13:47
#
# Broader than 42000259 (no "(" required); both fire on "gzinflate(".
#
MainRule "str:gzinflate" "msg:GZINFALTE in URL" "mz:URL|ARGS" "s:$ATTACK:8" id:42000121 ;

#
# sid: 42000114 | date: 2012-12-18 - 22:29
#
MainRule "str:php.ini" "msg:PHPINI in URL" "mz:URL|ARGS" "s:$ATTACK:8,$UWA:8" id:42000114 ;

#
# sid: 42000090 | date: 2012-12-18 - 16:18
#
# http://www.exploit-db.com/exploits/17299/
#
# NOTE(review): substring match, so the ordinary word "passthrough" (e.g.
# ?mode=passthrough) also scores ATTACK:8.
#
MainRule "str:passthru" "msg:PHP - Command Passthru detected" "mz:URL|BODY|ARGS" "s:$ATTACK:8" id:42000090 ;

#
# sid: 42000084 | date: 2012-11-25 - 11:36
#
# http://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html
#
MainRule "str:/sftp-config.json" "msg:SFTP-config-file access" "mz:URL|BODY" "s:$ATTACK:8,$UWA:8" id:42000084 ;

#
# sid: 42000082 | date: 2012-11-01 - 00:51
#
# NOTE(review): "/manager" is a very common path segment outside Tomcat
# (/filemanager, /account/manager, ...); expect false positives and
# whitelist per application.
#
MainRule "str:/manager" "msg:Tomcat - Manager - Access" "mz:URL" "s:$UWA:8" id:42000082 ;

#
# sid: 42000081 | date: 2012-11-01 - 00:49
#
MainRule "str:/balancer-manager" "msg:Apache BalancerManager - Access" "mz:URL" "s:$UWA:8" id:42000081 ;

#
# sid: 42000080 | date: 2012-11-01 - 00:48
#
MainRule "str:/server-status" "msg:Apache ServerStatus - Access" "mz:URL" "s:$UWA:8" id:42000080 ;

#
# sid: 42000079 | date: 2012-10-22 - 05:38
#
# http://msdn.microsoft.com/en-us/library/bb862916(v=office.12).aspx
# http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/9d496bd1-170f-4b87-b4b3-5f9ec760921f/
#
MainRule "str:/_vti_rpc" "msg:VTI_RPC - Access" "mz:URL|BODY" "s:$UWA:8" id:42000079 ;

#
# sid: 42000078 | date: 2012-10-22 - 05:35
#
# http://msdn.microsoft.com/en-us/library/bb862916(v=office.12).aspx
#
MainRule "str:/_vti_adm/" "msg:VTI_ADM - Access" "mz:URL" "s:$UWA:8" id:42000078 ;

#
# sid: 42000077 | date: 2012-10-20 - 11:30
#
# Scored 4 on purpose: libwww-perl is a generic client library, so this
# only blocks in combination with other UWA hits.
#
MainRule "str:libwww-perl/" "msg:LIBWWW_perl-UA detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000077 ;

#
# sid: 42000075 | date: 2012-10-20 - 11:25
#
# et 2011402
# http://ddos.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/
#
# "keep-alivf" is NOT a typo: the bot's mis-spelled Connection header is
# the fingerprint.
#
MainRule "str:keep-alivf" "msg:Yoyo-DDOS-Bot detected (Keep-Alivf))" "mz:$HEADERS_VAR:Connection" "s:$ATTACK:8" id:42000075 ;

#
# sid: 42000074 | date: 2012-10-20 - 11:24
#
# http://ddos.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/
#
# Same bot, mangled Accept-Encoding value ("g{ip;"); intentional.
#
MainRule "str:g{ip;" "msg:Yoyo-DDOS-Bot detected" "mz:$HEADERS_VAR:Accept-Encoding" "s:$ATTACK:8" id:42000074 ;

#
# sid: 42000072 | date: 2012-10-18 - 09:39
#
MainRule "str:globals[" "msg:Generic GLOBALS[] in Request" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000072 ;

#
# sid: 42000070 | date: 2012-10-18 - 09:35
#
# The only rule here that raises $SQL. Substring match: "broadcast(",
# "forecast(" etc. in a body also fire.
#
MainRule "str:cast(" "msg:possible sql-injection (CAST())" "mz:URL|BODY|ARGS" "s:$SQL:8" id:42000070 ;

#
# sid: 42000069 | date: 2012-10-18 - 09:34
#
# see dt - sigs 16000129 - 16000134
#
MainRule "str:ddos" "msg:misc DDOS-UAs " "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000069 ;

#
# sid: 42000068 | date: 2012-10-18 - 09:31
#
# Fires on every .jar download; whitelist on hosts that serve Java.
#
MainRule "str:.jar" "msg:JAR - Download Request" "mz:URL" "s:$UWA:8" id:42000068 ;

#
# sid: 42000067 | date: 2012-10-18 - 09:29
#
# http://www.contextis.com/research/blog/reverseproxybypass/
#
# NOTE(review): the bypass in the link uses a request line starting with
# "@". nginx's URL zone always starts with "/" and nginx appears to reject
# such request lines before naxsi runs, so this anchored pattern probably
# never fires here -- verify before relying on it.
#
MainRule "rx:^@" "msg:Apache mod_proxy Reverse Proxy Exposure (v1)" "mz:URL" "s:$UWA:8" id:42000067 ;

#
# sid: 42000066 | date: 2012-10-18 - 09:25
#
# http://www.contextis.com/research/blog/reverseproxybypass/
#
# Unanchored variant: a "user:pass@host" style ":@" anywhere in the path.
#
MainRule "str::@" "msg:Apache mod_proxy Reverse Proxy Exposure " "mz:URL" "s:$ATTACK:8,$UWA:8" id:42000066 ;

#
# sid: 42000062 | date: 2012-10-18 - 08:40
#
# NOTE(review): option=com_<component> is how every Joomla page is
# addressed, so on a Joomla host this scores ATTACK:8 + UWA:8 on all
# traffic. Only usable on hosts that do not run Joomla, or whitelisted.
#
MainRule "str:com_" "msg:Generic JOOMLA-Exploit-Attempt (option=com_)" "mz:$ARGS_VAR:option" "s:$ATTACK:8,$UWA:8" id:42000062 ;

#
# sid: 42000061 | date: 2012-10-18 - 08:39
#
# http://exploitsdownload.com/search/Arbitrary%20File%20Upload/27
#
MainRule "str:.php.pjpg" "msg: Possible Remote PHP Code Execution (php.pjpg)" "mz:URL|BODY" "s:$ATTACK:8" id:42000061 ;

#
# sid: 42000054 | date: 2012-10-12 - 16:05
#
# Raises all three counters at once; any "hex(" substring ("tohex(" ...)
# in a parameter blocks outright under an 8-threshold.
#
MainRule "str:hex(" "msg:HEX_string found" "mz:URL|BODY|ARGS" "s:$ATTACK:8,$SQL:8,$UWA:8" id:42000054 ;

#
# sid: 42000053 | date: 2012-10-11 - 22:40
#
# in case some webdevs have unclean deployments
#
MainRule "str:.git/" "msg:GIT_Repo-Access" "mz:URL" "s:$UWA:8" id:42000053 ;

#
# sid: 42000052 | date: 2012-10-11 - 22:39
#
# in case some webdevs have unclean deployments :)
#
MainRule "str:.svn/" "msg:SVN_Repo-Access" "mz:URL" "s:$UWA:8" id:42000052 ;

#
# sid: 42000050 | date: 2012-10-11 - 16:03
#
MainRule "str:exec(" "msg:PHP_EXEC_COMAND" "mz:URL|BODY|ARGS" "s:$ATTACK:8,$UWA:8" id:42000050 ;

#
# sid: 42000049 | date: 2012-10-11 - 16:02
#
MainRule "str:system(" "msg:PHP_SYSTEM_CMD" "mz:URL|BODY|ARGS" "s:$ATTACK:8,$UWA:8" id:42000049 ;

#
# sid: 42000048 | date: 2014-04-14 - 21:07
#
# attempt to execute phpinfo()
#
MainRule "str:phpinfo" "msg:PHPINFO - in URL/ARGS" "mz:URL|ARGS" "s:$UWA:8" id:42000048 ;

#
# sid: 42000047 | date: 2012-10-11 - 15:30
#
MainRule "str:/scripts/setup.php" "msg:PHPMyAdmin - Scripts/Setup-Request" "mz:URL" "s:$ATTACK:8,$UWA:8" id:42000047 ;

#
# sid: 42000033 | date: 2012-10-11 - 14:38
#
# NOTE(review): bare "base64" in BODY|ARGS scores ATTACK:8 -- every posted
# data: URI (";base64,") or HTML/JSON containing the word trips this.
# Whitelist on endpoints that accept rich content.
#
MainRule "str:base64" "msg:Base64Decode in URI" "mz:URL|BODY|ARGS" "s:$ATTACK:8" id:42000033 ;

#
# sid: 42000032 | date: 2012-10-11 - 14:38
#
# NOTE(review): substring match; "retrieval(" and "medieval(" also fire.
#
MainRule "str:eval(" "msg:PHP-EVAL - Attempt " "mz:URL|BODY|ARGS" "s:$ATTACK:8" id:42000032 ;

#
# sid: 42000030 | date: 2012-10-11 - 14:34
#
MainRule "str:/proc/self/" "msg:/proc/self - Access in URI" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000030 ;

#
# sid: 42000029 | date: 2012-10-11 - 14:18
#
# See 42000257, which covers the same string in more zones.
#
MainRule "str:/bin/sh" "msg:/bin/sh in URI Possible Shell Command Execution Attempt" "mz:URL|ARGS" "s:$ATTACK:8" id:42000029 ;

#
# sid: 42000028 | date: 2012-10-11 - 14:17
#
MainRule "str:/bin/bash" "msg:/bin/bash in URI Possible Shell Command Execution Attempt" "mz:URL|ARGS" "s:$ATTACK:8" id:42000028 ;

#
# sid: 42000027 | date: 2012-10-11 - 14:14
#
# emerging sid:2010820
#
# 42000027..42000021: editor backup files ("file.php~") that a web server
# may serve as plain text, disclosing source.
#
MainRule "str:.cgi~" "msg:Tilde in URI, potential .cgi source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000027 ;

#
# sid: 42000026 | date: 2012-10-11 - 14:14
#
# emerging sid:2009953
#
MainRule "str:.aspx~" "msg:Tilde in URI, potential .aspx source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000026 ;

#
# sid: 42000025 | date: 2012-10-11 - 14:13
#
# emerging sid:2009952
#
MainRule "str:.asp~" "msg:Tilde in URI, potential .asp source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000025 ;

#
# sid: 42000024 | date: 2012-10-11 - 14:12
#
# emerging sid:2009951
#
MainRule "str:.conf~" "msg:Tilde in URI, potential .conf source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000024 ;

#
# sid: 42000023 | date: 2012-10-11 - 14:11
#
# emerging sid:2009950
#
MainRule "str:.inc~" "msg:Tilde in URI, potential .inc source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000023 ;

#
# sid: 42000022 | date: 2012-10-11 - 14:11
#
# emerging sid:2009949
#
MainRule "str:.pl~" "msg:Tilde in URI, potential .pl source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000022 ;

#
# sid: 42000021 | date: 2012-10-11 - 14:10
#
# emerging sid:2009955
#
MainRule "str:.php~" "msg:Tilde in URI, potential .php source disclosure vulnerability" "mz:URL" "s:$UWA:8" id:42000021 ;

#
# sid: 42000018 | date: 2012-10-11 - 12:49
#
# emerging sid:2011144
# www.0php.com/php_easter_egg.php
#
# 42000018..42000015: the PHP easter-egg GUIDs (passed as "?=<GUID>", so
# the ARGS zone sees them as a value). Lower-cased like the other str:
# patterns.
#
MainRule "str:phpe9568f36-d428-11d2-a769-00aa001acf42" "msg:PHP Easteregg Information-Disclosure (funny-logo)" "mz:ARGS" "s:$UWA:8" id:42000018 ;

#
# sid: 42000017 | date: 2012-10-11 - 12:48
#
# emerging sid:2011143
# www.0php.com/php_easter_egg.php
#
MainRule "str:phpe9568f35-d428-11d2-a769-00aa001acf42" "msg:PHP Easteregg Information-Disclosure (zend-logo)" "mz:ARGS" "s:$UWA:8" id:42000017 ;
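#
# sid: 42000016 | date: 2012-10-11 - 12:47
#
# emerging sid:2011142
# www.0php.com/php_easter_egg.php
#
# PHP easter-egg GUID (see the linked page), passed as "?=<GUID>" so the
# ARGS zone sees it as a value; lower-cased like the other str: patterns.
#
MainRule "str:phpe9568f34-d428-11d2-a769-00aa001acf42" "msg:PHP Easteregg Information-Disclosure (php-logo)" "mz:ARGS" "s:$UWA:8" id:42000016 ;

#
# sid: 42000015 | date: 2012-10-11 - 12:46
#
# emerging sid:2011141
# www.0php.com/php_easter_egg.php
#
MainRule "str:phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000" "msg:PHP Easteregg Information-Disclosure (phpinfo)" "mz:ARGS" "s:$UWA:8" id:42000015 ;

#
# sid: 42000007 | date: 2012-10-11 - 12:20
#
# emerging sid:2009362
#
MainRule "str:/system32/" "msg:/system32/ in Uri - Possible Protected Directory Access Attempt" "mz:URL" "s:$UWA:8" id:42000007 ;

#
# sid: 42000006 | date: 2012-10-11 - 12:17
#
# emerging sid:2009361
#
MainRule "str:/cmd.exe" "msg:cmd.exe In URI" "mz:URL" "s:$UWA:8" id:42000006 ;

#
# sid: 42000005 | date: 2012-10-11 - 12:10
#
# emerging sid:2010119
#
# Fixed: the original zone list ($HEADERS_VAR:Cookie|BODY|URL) skipped
# ARGS, the zone where SQL injection usually arrives, so "?id=1;exec
# xp_cmdshell ..." was not seen at all. ARGS added (zone order follows
# 42000257 in this file). The message no longer claims the hit was in the
# Cookie, since four zones are inspected.
#
MainRule "str:xp_cmdshell" "msg:xp_cmdshell Attempt" "mz:URL|BODY|ARGS|$HEADERS_VAR:Cookie" "s:$ATTACK:8" id:42000005 ;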