From 1c8ef60e95081ceedb31fc46178e138a17d6b458 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 27 Oct 2009 21:09:05 -0400
Subject: Add converted snort rules from early October

---
 config/apache_mod_security/apache_mod_security.xml | 15 +-
 .../rules/snortmodsec-rules.txt | 2610 ++++++++++++++++++++
 2 files changed, 2622 insertions(+), 3 deletions(-)
 create mode 100644 config/apache_mod_security/rules/snortmodsec-rules.txt

diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index 57621e8d..c4196e7d 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
@@ -101,7 +101,11 @@ Site name sitename - + + + input
@@ -142,7 +146,11 @@ Preserve Proxy hostname preserveproxyhostname - When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. + + + checkbox
@@ -152,7 +160,8 @@ Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy) - ]]> + ]]> + 40 input
diff --git a/config/apache_mod_security/rules/snortmodsec-rules.txt b/config/apache_mod_security/rules/snortmodsec-rules.txt
new file mode 100644
index 00000000..0e46aa1e
--- /dev/null
+++ b/config/apache_mod_security/rules/snortmodsec-rules.txt
@@ -0,0 +1,2610 @@
+# WEB-ATTACKS ps command attempt
+SecFilterSelective THE_REQUEST "/bin/ps"
+
+# WEB-ATTACKS /bin/ps command attempt
+SecFilterSelective THE_REQUEST "ps\x20"
+
+# WEB-ATTACKS wget command attempt
+SecFilter "wget\x20"
+
+# WEB-ATTACKS uname -a command attempt
+SecFilter "uname\x20-a"
+
+# WEB-ATTACKS /usr/bin/id command attempt
+SecFilter "/usr/bin/id"
+
+# WEB-ATTACKS id command attempt
+SecFilter "\;id"
+
+# WEB-ATTACKS echo command attempt
+SecFilter "/bin/echo"
+
+# WEB-ATTACKS kill command attempt
+SecFilter "/bin/kill"
+
+# WEB-ATTACKS chmod command attempt
+SecFilter "/bin/chmod"
+
+# WEB-ATTACKS chgrp command attempt
+SecFilter "/chgrp"
+
+# WEB-ATTACKS chown command attempt
+SecFilter "/chown"
+
+# WEB-ATTACKS chsh command attempt
+SecFilter "/usr/bin/chsh"
+
+# WEB-ATTACKS tftp command attempt
+SecFilter "tftp\x20"
+
+# WEB-ATTACKS /usr/bin/gcc command attempt
+SecFilter "/usr/bin/gcc"
+
+# WEB-ATTACKS gcc command attempt
+SecFilter "gcc\x20-o"
+
+# WEB-ATTACKS /usr/bin/cc command attempt
+SecFilter "/usr/bin/cc"
+
+# WEB-ATTACKS cc command attempt
+SecFilter "cc\x20"
+
+# WEB-ATTACKS /usr/bin/cpp command attempt
+SecFilter "/usr/bin/cpp"
+
+# WEB-ATTACKS cpp command attempt
+SecFilter "cpp\x20"
+
+# WEB-ATTACKS /usr/bin/g++ command attempt
+SecFilter "/usr/bin/g\+\+"
+
+# WEB-ATTACKS g++ command attempt
+SecFilter "g\+\+\x20"
+
+# WEB-ATTACKS bin/python access attempt
+SecFilter "bin/python"
+
+# WEB-ATTACKS python access attempt
+SecFilter "python\x20"
+
+# WEB-ATTACKS bin/tclsh execution attempt
+SecFilter "bin/tclsh"
+
+# WEB-ATTACKS tclsh execution attempt
+SecFilter "tclsh8\x20"
+
+# WEB-ATTACKS bin/nasm command attempt
+SecFilter "bin/nasm"
+
+# WEB-ATTACKS nasm command attempt
+SecFilter "nasm\x20"
+
+# WEB-ATTACKS /usr/bin/perl execution attempt
+SecFilter "/usr/bin/perl"
+
+# WEB-ATTACKS perl execution attempt
+SecFilter "perl\x20"
+
+# WEB-ATTACKS nt admin addition attempt
+SecFilter "net localgroup administrators /add"
+
+# WEB-ATTACKS traceroute command attempt
+SecFilter "traceroute\x20"
+
+# WEB-ATTACKS ping command attempt
+SecFilter "/bin/ping"
+
+# WEB-ATTACKS netcat command attempt
+SecFilter "nc\x20"
+
+# WEB-ATTACKS nmap command attempt
+SecFilter "nmap\x20"
+
+# WEB-ATTACKS xterm command attempt
+SecFilter "/usr/X11R6/bin/xterm"
+
+# WEB-ATTACKS X application to remote host attempt
+SecFilter "\x20-display\x20"
+
+# WEB-ATTACKS lsof command attempt
+SecFilter "lsof\x20"
+
+# WEB-ATTACKS rm command attempt
+SecFilter "rm\x20"
+
+# WEB-ATTACKS mail command attempt
+SecFilter "/bin/mail"
+
+# WEB-ATTACKS mail command attempt
+SecFilter "mail\x20"
+
+# WEB-ATTACKS /bin/ls command attempt
+SecFilterSelective THE_REQUEST "/bin/ls"
+
+# WEB-ATTACKS /etc/inetd.conf access
+SecFilter "/etc/inetd\.conf" log,pass
+
+# WEB-ATTACKS /etc/motd access
+SecFilter "/etc/motd" log,pass
+
+# WEB-ATTACKS /etc/shadow access
+SecFilter "/etc/shadow" log,pass
+
+# WEB-ATTACKS conf/httpd.conf attempt
+SecFilter "conf/httpd\.conf" log,pass
+
+# WEB-ATTACKS .htgroup access
+SecFilterSelective THE_REQUEST "\.htgroup" log,pass
+
+# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
+SecFilterSelective THE_REQUEST "/hsx\.cgi" chain
+SecFilter "\x00"
+
+# WEB-CGI HyperSeek hsx.cgi access
+SecFilterSelective THE_REQUEST "/hsx\.cgi" log,pass
+
+# WEB-CGI SWSoft ASPSeek Overflow attempt
+SecFilterSelective THE_REQUEST "/s\.cgi" chain
+SecFilter "tmpl="
+
+# WEB-CGI webspeed access
+SecFilterSelective THE_REQUEST "/wsisa\.dll/WService=" chain
+SecFilter "WSMadmin"
+
+# WEB-CGI yabb.cgi directory traversal attempt
+SecFilterSelective THE_REQUEST "/YaBB\.pl" chain
+SecFilter "\.\./"
+
+# WEB-CGI yabb.cgi access
+SecFilterSelective THE_REQUEST "/YaBB\.pl"
+
+# WEB-CGI /wwwboard/passwd.txt access
+SecFilterSelective THE_REQUEST "/wwwboard/passwd\.txt"
+
+# WEB-CGI webdriver access
+SecFilterSelective THE_REQUEST "/webdriver"
+
+# WEB-CGI whois_raw.cgi access
+SecFilterSelective THE_REQUEST "/whois_raw\.cgi"
+
+# WEB-CGI websitepro path access
+SecFilter " /HTTP/1\."
+
+# WEB-CGI webplus version access
+SecFilterSelective THE_REQUEST "/webplus\?about"
+
+# WEB-CGI webplus directory traversal
+SecFilterSelective THE_REQUEST "/webplus\?script" chain
+SecFilter "\.\./"
+
+# WEB-CGI websendmail access
+SecFilterSelective THE_REQUEST "/websendmail"
+
+# WEB-CGI dcforum.cgi directory traversal attempt
+SecFilterSelective THE_REQUEST "/dcforum\.cgi" chain
+SecFilter "forum=\.\./\.\."
+
+# WEB-CGI dcforum.cgi access
+SecFilterSelective THE_REQUEST "/dcforum\.cgi"
+
+# WEB-CGI dcboard.cgi invalid user addition attempt
+SecFilterSelective THE_REQUEST "/dcboard\.cgi" chain
+SecFilter "\x7cadmin"
+
+# WEB-CGI dcboard.cgi access
+SecFilterSelective THE_REQUEST "/dcboard\.cgi"
+
+# WEB-CGI mmstdod.cgi access
+SecFilterSelective THE_REQUEST "/mmstdod\.cgi"
+
+# WEB-CGI anaconda directory transversal attempt
+SecFilterSelective THE_REQUEST "/apexec\.pl" chain
+SecFilter "template=\.\./"
+
+# WEB-CGI imagemap.exe overflow attempt
+SecFilterSelective THE_REQUEST "/imagemap\.exe\?"
+
+# WEB-CGI imagemap.exe access
+SecFilterSelective THE_REQUEST "/imagemap\.exe" log,pass
+
+# WEB-CGI cvsweb.cgi access
+SecFilterSelective THE_REQUEST "/cvsweb\.cgi"
+
+# WEB-CGI php.cgi access
+SecFilterSelective THE_REQUEST "/php\.cgi"
+
+# WEB-CGI glimpse access
+SecFilterSelective THE_REQUEST "/glimpse"
+
+# WEB-CGI htmlscript attempt
+SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\."
+
+# WEB-CGI htmlscript access
+SecFilterSelective THE_REQUEST "/htmlscript"
+
+# WEB-CGI info2www access
+SecFilterSelective THE_REQUEST "/info2www"
+
+# WEB-CGI maillist.pl access
+SecFilterSelective THE_REQUEST "/maillist\.pl"
+
+# WEB-CGI nph-test-cgi access
+SecFilterSelective THE_REQUEST "/nph-test-cgi"
+
+# WEB-CGI NPH-publish access
+SecFilterSelective THE_REQUEST "/nph-maillist\.pl"
+
+# WEB-CGI NPH-publish access
+SecFilterSelective THE_REQUEST "/nph-publish"
+
+# WEB-CGI rguest.exe access
+SecFilterSelective THE_REQUEST "/rguest\.exe"
+
+# WEB-CGI rwwwshell.pl access
+SecFilterSelective THE_REQUEST "/rwwwshell\.pl"
+
+# WEB-CGI test-cgi attempt
+SecFilterSelective THE_REQUEST "/test-cgi/*\?*"
+
+# WEB-CGI test-cgi access
+SecFilterSelective THE_REQUEST "/test-cgi"
+
+# WEB-CGI testcgi access
+SecFilterSelective THE_REQUEST "/testcgi" log,pass
+
+# WEB-CGI test.cgi access
+SecFilterSelective THE_REQUEST "/test\.cgi" log,pass
+
+# WEB-CGI textcounter.pl access
+SecFilterSelective THE_REQUEST "/textcounter\.pl"
+
+# WEB-CGI uploader.exe access
+SecFilterSelective THE_REQUEST "/uploader\.exe"
+
+# WEB-CGI webgais access
+SecFilterSelective THE_REQUEST "/webgais"
+
+# WEB-CGI finger access
+SecFilterSelective THE_REQUEST "/finger"
+
+# WEB-CGI perlshop.cgi access
+SecFilterSelective THE_REQUEST "/perlshop\.cgi"
+
+# WEB-CGI pfdisplay.cgi access
+SecFilterSelective THE_REQUEST "/pfdisplay\.cgi"
+
+# WEB-CGI aglimpse access
+SecFilterSelective THE_REQUEST "/aglimpse"
+
+# WEB-CGI anform2 access
+SecFilterSelective THE_REQUEST "/AnForm2"
+
+# WEB-CGI args.bat access
+SecFilterSelective THE_REQUEST "/args\.bat"
+
+# WEB-CGI args.cmd access
+SecFilterSelective THE_REQUEST "/args\.cmd"
+
+# WEB-CGI AT-admin.cgi access
+SecFilterSelective THE_REQUEST "/AT-admin\.cgi"
+
+# WEB-CGI AT-generated.cgi access
+SecFilterSelective THE_REQUEST "/AT-generated\.cgi"
+
+# WEB-CGI bnbform.cgi access
+SecFilterSelective THE_REQUEST "/bnbform\.cgi"
+
+# WEB-CGI campas access
+SecFilterSelective THE_REQUEST "/campas"
+
+# WEB-CGI view-source directory traversal
+SecFilterSelective THE_REQUEST "/view-source" chain
+SecFilter "\.\./"
+
+# WEB-CGI view-source access
+SecFilterSelective THE_REQUEST "/view-source"
+
+# WEB-CGI wais.pl access
+SecFilterSelective THE_REQUEST "/wais\.pl"
+
+# WEB-CGI wwwwais access
+SecFilterSelective THE_REQUEST "/wwwwais"
+
+# WEB-CGI files.pl access
+SecFilterSelective THE_REQUEST "/files\.pl"
+
+# WEB-CGI wguest.exe access
+SecFilterSelective THE_REQUEST "/wguest\.exe"
+
+# WEB-CGI wrap access
+SecFilterSelective THE_REQUEST "/wrap"
+
+# WEB-CGI classifieds.cgi access
+SecFilterSelective THE_REQUEST "/classifieds\.cgi"
+
+# WEB-CGI environ.cgi access
+SecFilterSelective THE_REQUEST "/environ\.cgi"
+
+# WEB-CGI faxsurvey attempt (full path)
+SecFilterSelective THE_REQUEST "/faxsurvey\?/"
+
+# WEB-CGI faxsurvey arbitrary file read attempt
+SecFilterSelective THE_REQUEST "/faxsurvey\?cat\x20"
+
+# WEB-CGI faxsurvey access
+SecFilterSelective THE_REQUEST "/faxsurvey" log,pass
+
+# WEB-CGI filemail access
+SecFilterSelective THE_REQUEST "/filemail\.pl"
+
+# WEB-CGI man.sh access
+SecFilterSelective THE_REQUEST "/man\.sh"
+
+# WEB-CGI snork.bat access
+SecFilterSelective THE_REQUEST "/snork\.bat"
+
+# WEB-CGI w3-msql access
+SecFilterSelective THE_REQUEST "/w3-msql/"
+
+# WEB-CGI day5datacopier.cgi access
+SecFilterSelective THE_REQUEST "/day5datacopier\.cgi"
+
+# WEB-CGI day5datanotifier.cgi access
+SecFilterSelective THE_REQUEST "/day5datanotifier\.cgi"
+
+# WEB-CGI post-query access
+SecFilterSelective THE_REQUEST "/post-query"
+
+# WEB-CGI visadmin.exe access
+SecFilterSelective THE_REQUEST "/visadmin\.exe"
+
+# WEB-CGI dumpenv.pl access
+SecFilterSelective THE_REQUEST "/dumpenv\.pl"
+
+# WEB-CGI calendar_admin.pl access
+SecFilterSelective THE_REQUEST "/calendar_admin\.pl" log,pass
+
+# WEB-CGI calendar-admin.pl access
+SecFilterSelective THE_REQUEST "/calendar-admin\.pl" log,pass
+
+# WEB-CGI calender.pl access
+SecFilterSelective THE_REQUEST "/calender\.pl"
+
+# WEB-CGI calendar access
+SecFilterSelective THE_REQUEST "/calendar"
+
+# WEB-CGI user_update_admin.pl access
+SecFilterSelective THE_REQUEST "/user_update_admin\.pl"
+
+# WEB-CGI user_update_passwd.pl access
+SecFilterSelective THE_REQUEST "/user_update_passwd\.pl"
+
+# WEB-CGI snorkerz.cmd access
+SecFilterSelective THE_REQUEST "/snorkerz\.cmd"
+
+# WEB-CGI survey.cgi access
+SecFilterSelective THE_REQUEST "/survey\.cgi"
+
+# WEB-CGI scriptalias access
+SecFilterSelective THE_REQUEST "///"
+
+# WEB-CGI win-c-sample.exe access
+SecFilterSelective THE_REQUEST "/win-c-sample\.exe"
+
+# WEB-CGI w3tvars.pm access
+SecFilterSelective THE_REQUEST "/w3tvars\.pm"
+
+# WEB-CGI admin.pl access
+SecFilterSelective THE_REQUEST "/admin\.pl"
+
+# WEB-CGI LWGate access
+SecFilterSelective THE_REQUEST "/LWGate"
+
+# WEB-CGI archie access
+SecFilterSelective THE_REQUEST "/archie"
+
+# WEB-CGI flexform access
+SecFilterSelective THE_REQUEST "/flexform"
+
+# WEB-CGI formmail arbitrary command execution attempt
+SecFilterSelective THE_REQUEST "/formmail" chain
+SecFilter "\x0a"
+
+# WEB-CGI formmail access
+SecFilterSelective THE_REQUEST "/formmail" log,pass
+
+# WEB-CGI phf arbitrary command execution attempt
+SecFilterSelective THE_REQUEST "/phf" chain
+SecFilter "\x0a/"
+
+# WEB-CGI phf access
+SecFilterSelective THE_REQUEST "/phf" log,pass
+
+# WEB-CGI www-sql access
+SecFilterSelective THE_REQUEST "/www-sql"
+
+# WEB-CGI wwwadmin.pl access
+SecFilterSelective THE_REQUEST "/wwwadmin\.pl"
+
+# WEB-CGI ppdscgi.exe access
+SecFilterSelective THE_REQUEST "/ppdscgi\.exe"
+
+# WEB-CGI sendform.cgi access
+SecFilterSelective THE_REQUEST "/sendform\.cgi"
+
+# WEB-CGI upload.pl access
+SecFilterSelective THE_REQUEST "/upload\.pl"
+
+# WEB-CGI AnyForm2 access
+SecFilterSelective THE_REQUEST "/AnyForm2"
+
+# WEB-CGI MachineInfo access
+SecFilterSelective THE_REQUEST "/MachineInfo"
+
+# WEB-CGI bb-hist.sh attempt
+SecFilterSelective THE_REQUEST "/bb-hist\.sh\?HISTFILE=\.\./\.\."
+
+# WEB-CGI bb-hist.sh access
+SecFilterSelective THE_REQUEST "/bb-hist\.sh"
+
+# WEB-CGI bb-histlog.sh access
+SecFilterSelective THE_REQUEST "/bb-histlog\.sh"
+
+# WEB-CGI bb-histsvc.sh access
+SecFilterSelective THE_REQUEST "/bb-histsvc\.sh"
+
+# WEB-CGI bb-hostscv.sh attempt
+SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."
+
+# WEB-CGI bb-hostscv.sh access
+SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh" log,pass
+
+# WEB-CGI bb-rep.sh access
+SecFilterSelective THE_REQUEST "/bb-rep\.sh"
+
+# WEB-CGI bb-replog.sh access
+SecFilterSelective THE_REQUEST "/bb-replog\.sh"
+
+# WEB-CGI redirect access
+SecFilterSelective THE_REQUEST "/redirect"
+
+# WEB-CGI wayboard attempt
+SecFilterSelective THE_REQUEST "/way-board/way-board\.cgi" chain
+SecFilter "\.\./\.\."
+
+# WEB-CGI way-board access
+SecFilterSelective THE_REQUEST "/way-board" log,pass
+
+# WEB-CGI pals-cgi arbitrary file access attempt
+SecFilterSelective THE_REQUEST "/pals-cgi" chain
+SecFilter "documentName="
+
+# WEB-CGI pals-cgi access
+SecFilterSelective THE_REQUEST "/pals-cgi"
+
+# WEB-CGI commerce.cgi arbitrary file access attempt
+SecFilterSelective THE_REQUEST "/commerce\.cgi" chain
+SecFilter "/\.\./"
+
+# WEB-CGI commerce.cgi access
+SecFilterSelective THE_REQUEST "/commerce\.cgi"
+
+# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
+SecFilterSelective THE_REQUEST "/sendtemp\.pl" chain
+SecFilter "templ="
+
+# WEB-CGI Amaya templates sendtemp.pl access
+SecFilterSelective THE_REQUEST "/sendtemp\.pl" log,pass
+
+# WEB-CGI webspirs.cgi directory traversal attempt
+SecFilterSelective THE_REQUEST "/webspirs\.cgi" chain
+SecFilter "\.\./\.\./"
+
+# WEB-CGI webspirs.cgi access
+SecFilterSelective THE_REQUEST "/webspirs\.cgi"
+
+# WEB-CGI tstisapi.dll access
+SecFilterSelective THE_REQUEST "tstisapi\.dll"
+
+# WEB-CGI sendmessage.cgi access
+SecFilterSelective THE_REQUEST "/sendmessage\.cgi"
+
+# WEB-CGI lastlines.cgi access
+SecFilterSelective THE_REQUEST "/lastlines\.cgi"
+
+# WEB-CGI zml.cgi attempt
+SecFilterSelective THE_REQUEST "/zml\.cgi" chain
+SecFilter "file=\.\./" log,pass
+
+# WEB-CGI zml.cgi access
+SecFilterSelective THE_REQUEST "/zml\.cgi" log,pass
+
+# WEB-CGI AHG search.cgi access
+SecFilterSelective THE_REQUEST "/publisher/search\.cgi" chain
+SecFilter "template=" log,pass
+
+# WEB-CGI agora.cgi attempt
+SecFilterSelective THE_REQUEST "/store/agora\.cgi\?cart_id=