|
لخبراء الـMod Security <div>السلام عليكم لدي بعض السكربتات على السيرفر لاتعمل وأشك في Mod Security وهذا هو الـ Mod Security الموجود على سيرفري أريد ملاحظاتكم عليه وماهو الذي تسبب في تعطل بعض السكربتات !! <div style="margin:20px; margin-top:5px"> رمز Code: # Server masking is optional #fake server banner no one needs to know what we are using SecServerSignature "Secured By : XXXXX.COM" #And now* the rules #Remove any of these Include lines you do not use or have rules for. #First* add in your exclusion rules: #These MUST come first! Include /etc/modsecurity/exclude.conf #Application protection rules Include /etc/modsecurity/rules.conf #Known bad software* rootkits and other malware Include /etc/modsecurity/rootkits.conf #Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x Include /etc/modsecurity/apache2-rules.conf #None Include /etc/modsecurity/recons.conf #Spam WordPress Include /etc/modsecurity/hidden_spam_patch.conf SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I ".htaccess" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "sql_passwd" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "public_html" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/etc" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/root" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/boot" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/var" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/bin" SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/cgi-bin" SecRule REQUEST_FILENAME "\.pl" SecRule REQUEST_FILENAME "\.ch" SecRule REQUEST_FILENAME "\.cgi-bin" SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl" SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)" SecRule ARGS|HTTP_Content-Length|REQUEST_COOKIES "/etc" #Don't accept chunked encodings #modsecurity can not look at these* so this is a hole #that can bypass your rules* the rule before this one #should cover this* but hey paranoia is cheap SecRule HTTP_Transfer-Encoding "chunked" "id:300003*rev:1*severity:2*msg:'Chunked Transfer Encoding denied'" #Code injection via content length SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003*rev:1*severity:2*msg:'Code Injection in Content-Length header'" ##generic recursion signatures SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain*id:300004*rev:2*severity:2*msg:'Generic Path Recursion denied'" SecRule REQUEST_URI "\.\./\.\./" #generic path recurision sig #generic bogus path sigs SecRule REQUEST_URI "\.\.\./" "id:300006*rev:1*severity:2*msg:'Bogus Path denied'" #Generic PHP exploit signatures SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|pro c_open|shell_exec|exec|proc_nice|proc_terminate|pr oc_get_status|proc_close|pfsockopen|leak|apache_ch ild_terminate|posix_kill|posix_mkfifo|posix_setpgi d|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001*rev:1*severity:2*msg:'Generic PHP exploit pattern denied'" #Generic PHP exploit signatures SecRule REQUEST_BODY|REQUEST_URI "" #XSS in referrer and UA headers SecRule HTTP_REFERER|HTTP_USER_AGENT ".*(script|about|applet|activex|chrome)[[:space:]]*>" #PHP Injection Attack generic signature SecRule REQUEST_URI "\.php" chain SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|con tent|dir|name|menu|pm_path|path|pathtoroot|cat|pag ina|path|include_location|root|page|gorumDir|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" #PHP Injection Attack generic signature SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|actio n|content|dir|name|menu|pm_path|pagina|path|pathto root|cat|include_location|gorumDir|root|page|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))" #Generic PHP remote file inclusion attack signature SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI "(http|https|ftp)\:/" chain SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file inclusion attack signature with command SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI "(http|https|ftp)\:/" chain SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #really broad furl_fopen attack sig #tune this for your system SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300018*rev:3*severity:2*msg:'Generic PHP code injection protection via ARGS'" SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain SecRule ARGS "(ht|f)tps?:/" SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300040*rev:1*severity:2*msg:'Generic PHP code injection protection in URI'" SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" #Genenric PHP body attack SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc _open|shell_exec|exec|proc_nice|proc_terminate|pro c_get_status|proc_close|pfsockopen|leak|apache_chi ld_terminate|posix_kill|posix_mkfifo|posix_setpgid |posix_setsid|posix_setuid|phpinfo)" chain SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file injection SecRule REQUEST_URI "!(/do_command)" chain SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)=" #script* perl* etc. code in HTTP_Referer string SecRule HTTP_Referer "\#\!.*/" #generic command line attack SecRule REQUEST_URI|ARGS "\|*id\;echo*\|" #remote file inclusion generic attack signature SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root| page|open)=(http|https|ftp)|(cmd|command|inc)=)" #remote file inclusion generic attack signature SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain SecRule ARGS "\?\&(cmd|inc|name)=" #remote file inclusion generic attack signature SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|n ame)=" #remote file inclusion generic attack signature SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" #Bogus file extensions generic signature SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" #PHP remote path attach generic signature SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/" #generic attack sig SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" # WEB-ATTACKS uname -a command attempt SecRule REQUEST_URI "uname" chain SecRule REQUEST_URI "\x20-a" #Generic argument protection rule against bad meta characters #SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;* -]*$" #generic php attack sigs SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command) =|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(c md|command)=|\.php\?&(cmd|command)=)" # WEB-ATTACKS xterm command attempt SecRule REQUEST_URI "/usr/X11R6/bin/xterm" # WEB-ATTACKS /etc/shadow access SecRule REQUEST_URI "/etc/shadow" # WEB-ATTACKS /bin/ps command attempt SecRule REQUEST_URI "/bin/ps" # WEB-ATTACKS /usr/bin/id command attempt SecRule REQUEST_URI "/usr/bin/id" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS echo command attempt SecRule REQUEST_URI "/bin/echo" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS kill command attempt SecRule REQUEST_URI "/bin/kill" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS chmod command attempt SecRule REQUEST_URI "/bin/chmod" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS chsh command attempt SecRule REQUEST_URI "/usr/bin/chsh" # WEB-ATTACKS gcc command attempt SecRule REQUEST_URI "gcc" chain SecRule REQUEST_URI "x20-o" # WEB-ATTACKS /usr/bin/cc command attempt SecRule REQUEST_URI "/usr/bin/cc" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /usr/bin/cpp command attempt SecRule REQUEST_URI "/usr/bin/cpp" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /usr/bin/g++ command attempt SecRule REQUEST_URI "/usr/bin/g\+\+" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS g++ command attempt SecRule REQUEST_URI "g\+\+\x20" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS bin/python access attempt SecRule REQUEST_URI "bin/python" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS python access attempt #SecRule "python\x20" # WEB-ATTACKS bin/tclsh execution attempt SecRule REQUEST_URI "bin/tclsh" # WEB-ATTACKS tclsh execution attempt SecRule REQUEST_URI "tclsh8\x20" # WEB-ATTACKS bin/nasm command attempt SecRule REQUEST_URI "bin/nasm" # WEB-ATTACKS nasm command attempt SecRule REQUEST_URI "nasm\x20" # WEB-ATTACKS /usr/bin/perl execution attempt SecRule REQUEST_URI "/usr/bin/perl" # WEB-ATTACKS traceroute command attempt SecRule REQUEST_URI "traceroute" chain SecRule REQUEST_URI "\x20([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" # WEB-ATTACKS ping command attempt SecRule REQUEST_URI "/bin/ping" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS X application to remote host attempt SecRule REQUEST_URI "\x20-display\x20" # WEB-ATTACKS mail command attempt SecRule REQUEST_URI "/bin/mail" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /bin/ls command attempt SecRule REQUEST_URI "/bin/ls" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /etc/inetd.conf access SecRule REQUEST_URI "/etc/inetd\.conf" # WEB-ATTACKS /etc/motd access SecRule REQUEST_URI "/etc/motd" # WEB-ATTACKS conf/httpd.conf attempt SecRule REQUEST_URI "conf/httpd\.conf" # WEB-MISC .htpasswd access SecRule REQUEST_URI "\.htpasswd" # WEB-MISC /etc/passwd access SecRule REQUEST_URI "/etc/passwd" # WEB-MISC nessus 1.X 404 probe SecRule REQUEST_URI "/nessus_is_probing_you_" # WEB-MISC nessus 2.x 404 probe SecRule REQUEST_URI "/NessusTest" # WEB-MISC ls%20-l SecRule REQUEST_URI "ls" chain SecRule REQUEST_URI "\x20-l" # WEB-MISC apache directory disclosure attempt SecRule REQUEST_URI "////////" #musicat empower attempt SecRule REQUEST_URI "/empower\?DB=" # WEB-MISC *%0a.pl access SecRule REQUEST_URI "/*\x0a\.pl" #PHPBB worm sigs SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" #PHP defenses SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecRule ARGS "^(globals($|\[)|php:/)" #PHP defenses SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$" # Web-attacks chdir SecRule REQUEST_URI "&(cmd|command)=chdir\x20" # TIKIWIKI SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./" #SMTP redirects SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 #These are VERY experiemental* please report false positives/negatives* etc. #very experimental generic remote download sig #foo IP or FQDN* or foo http/https/ftp://whatever SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)| wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20 ((http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Command inline detection SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #very experimental connect command sig SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[A-Za-z|0-9]\.[a-zA-Z]{2*4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Commands* also need a major rework* these also have issues SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" #SecRule REQUEST_URI "echo\x20" SecRule REQUEST_URI "links -dump " SecRule REQUEST_URI "links -dump-(charset|width) " SecRule REQUEST_URI "links (http|https|ftp)\:/" SecRule REQUEST_URI "links -source " #SecRule REQUEST_URI "mkdir\x20" SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" SecRule REQUEST_URI "cd \.\." SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" #generic block for fwrite fopen uploads SecRule REQUEST_URI "fwrite" chain SecRule REQUEST_URI "fopen" #generic sig for more bad PHP functions SecRule REQUEST_URI "chr\(([0-9]{1*3})\)" SecRule ARGS_NAMES "^php:/" # WEB-MISC Tomcat view source attempt SecRule REQUEST_URI "\x252ejsp" # WEB-MISC whisker HEAD/./ #SecRule "HEAD/./" # WEB-FRONTPAGE .... request SecRule REQUEST_URI "\.\.\.\./" #experimental CSS rule #SecRule REQUEST_URI "/(\x3C|)" #Generic attack rules pcre format #cross site scripting attempt IMG onerror or onload SecRule REQUEST_URI "\]expression[\s]*\(" #cross site scripting attempt STYLE + EXPRESSION SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*" # cross site scripting attempt using XML SecRule REQUEST_URI "SCRIPT" #cross site scripting attempt executing hidden Javascript SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" #cross site scripting attempt executing hidden Javascript SecRule REQUEST_URI "window\.execScript[\s]*\(" #cross site scripting attempt to execute Javascript code SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" #cross site scripting stealth attempt to execute Javascript code #may false alarm for some language sets SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" #Apache /server-info accessible SecRule REQUEST_URI "/server-info" chain SecRule REMOTE_ADDR "!^127\.0\.0\.1$" #Apache /server-status accessible #Modified so apache-protect can run SecRule REQUEST_URI "^/server-status/$" chain SecRule REMOTE_ADDR "!^127\.0\.0\.1$" #generic Common HTTP vulnerability SecRule REQUEST_URI "/\?cwd=/" #General [url] php forum protections (phpbb and others* to protect against script injection attacks in url links) SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex )\:/.*\].*\[/url\]" #Experimental XML-RPC generic attack sigs SecRule REQUEST_BODY "\'\*\'\'\)\)\;" SecRule REQUEST_BODY "\\.*\'\)\;" #MTS #XML-RPC generic attack sigs SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain SecRule REQUEST_BODY "(\" #Specific XML-RPC attacks on xmlrpc.php SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain SecRule REQUEST_BODY "(\" #generic remote file inclusion vulns SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/" SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx" SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/" #catch smuggling attacks #SecRule "^(GET|POST).*Host:.*^(GET|POST)" #Drupal remote command execution vulnerability exploit signature #This is already covered in another generic signature* but just in case you leave it out* here it is #again with a slightly tigher regexp SecRule REQUEST_BODY "\" #Slightly stronger version of the above SecRule REQUEST_BODY "\" #Generic PHP attack sig SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)" #Generic Nessus request filter SecRule REQUEST_URI "NessusTest*\.html" #Generic PHP payload command injection and upload vulnerabilities SecRule REQUEST_BODY "" #Fake image file shell attacvk SecRule REQUEST_HEADERS:Content-Type "image/.*" SecRule REQUEST_BODY "chr\(" #bogus graphics file SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)" #wormsign SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC" #Special account protection SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" #Generic PHP fopen sig SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390144*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'" SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\x20?\?" SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390145*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'" SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\?" SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp)\?" SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp) " SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?" SecRule REQUEST_URI "/\.it/viewde" SecRule REQUEST_URI "/cmd\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.( c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm |html|tmp|php|asp).\?&(cmd|command)=" SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\ .(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|h tm|html|tmp|php|asp)\?" SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tm l)\?" SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?" #Known rootkits SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;" SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c" SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|comm and)=" SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|c ommand)=" SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd |command)=" SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&? (cmd|command)=" #other known tools SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php" #New kit SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)" SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\ w)" #new kir SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)=" #suntzu SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" #proxysx.gif? SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?" #phpbackdoor SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" #new unknown kit SecRule REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs* pretty low* but here to catch # any lose threads* honeypoting* etc. SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI "/phpterm" #Frantastico worm SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )" #new unknown kits SecRule REQUEST_URI "/iblis\.htm\?" SecRule REQUEST_URI "/gif\.gif\?" SecRule REQUEST_URI "/go\.php\.txt\?" SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/zehir\.asp" SecRule REQUEST_URI "/aflast\.txt\?" SecRule REQUEST_URI "/sikat\.txt\?&cmd" SecRule REQUEST_URI "/t\.gif\?" SecRule REQUEST_URI "/phpbb_patch\?&" SecRule REQUEST_URI "/phpbb2_patch\?&" SecRule REQUEST_URI "/lukka\?&" #new kit SecRule REQUEST_URI "/c99shell\.txt" SecRule REQUEST_URI "/c99\.txt\?" #remote bash shell SecRule REQUEST_URI "/shell\.php\&cmd=" SecRule ARGS "/shell\.php\&cmd=" #zencart exploit SecRule REQUEST_URI "/ipn\.php\?cmd=" #new pattern SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "dsoul/tool\?" #generic suntzu payload SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\" #XSS in referrer and UA headers SecRule HTTP_REFERER|HTTP_USER_AGENT ".*(script|about|applet|activex|chrome)[[:space:]]*>" #PHP Injection Attack generic signature SecRule REQUEST_URI "\.php" chain SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|con tent|dir|name|menu|pm_path|path|pathtoroot|cat|pag ina|path|include_location|root|page|gorumDir|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" #PHP Injection Attack generic signature SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|actio n|content|dir|name|menu|pm_path|pagina|path|pathto root|cat|include_location|gorumDir|root|page|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))" #Generic PHP remote file inclusion attack signature SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI "(http|https|ftp)\:/" chain SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file inclusion attack signature with command SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI "(http|https|ftp)\:/" chain SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #really broad furl_fopen attack sig #tune this for your system SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300018*rev:3*severity:2*msg:'Generic PHP code injection protection via ARGS'" SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain SecRule ARGS "(ht|f)tps?:/" SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300040*rev:1*severity:2*msg:'Generic PHP code injection protection in URI'" SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" #Genenric PHP body attack SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc _open|shell_exec|exec|proc_nice|proc_terminate|pro c_get_status|proc_close|pfsockopen|leak|apache_chi ld_terminate|posix_kill|posix_mkfifo|posix_setpgid |posix_setsid|posix_setuid|phpinfo)" chain SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file injection SecRule REQUEST_URI "!(/do_command)" chain SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)=" #script* perl* etc. code in HTTP_Referer string SecRule HTTP_Referer "\#\!.*/" #generic command line attack SecRule REQUEST_URI|ARGS "\|*id\;echo*\|" #remote file inclusion generic attack signature SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root| page|open)=(http|https|ftp)|(cmd|command|inc)=)" #remote file inclusion generic attack signature SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain SecRule ARGS "\?\&(cmd|inc|name)=" #remote file inclusion generic attack signature SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|n ame)=" #remote file inclusion generic attack signature SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" #Bogus file extensions generic signature SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" #PHP remote path attach generic signature SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/" #generic attack sig SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" # WEB-ATTACKS uname -a command attempt SecRule REQUEST_URI "uname" chain SecRule REQUEST_URI "\x20-a" #Generic argument protection rule against bad meta characters #SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;* -]*$" #generic php attack sigs SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command) =|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(c md|command)=|\.php\?&(cmd|command)=)" # WEB-ATTACKS xterm command attempt SecRule REQUEST_URI "/usr/X11R6/bin/xterm" # WEB-ATTACKS /etc/shadow access SecRule REQUEST_URI "/etc/shadow" # WEB-ATTACKS /bin/ps command attempt SecRule REQUEST_URI "/bin/ps" # WEB-ATTACKS /usr/bin/id command attempt SecRule REQUEST_URI "/usr/bin/id" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS echo command attempt SecRule REQUEST_URI "/bin/echo" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS kill command attempt SecRule REQUEST_URI "/bin/kill" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS chmod command attempt SecRule REQUEST_URI "/bin/chmod" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS chsh command attempt SecRule REQUEST_URI "/usr/bin/chsh" # WEB-ATTACKS gcc command attempt SecRule REQUEST_URI "gcc" chain SecRule REQUEST_URI "x20-o" # WEB-ATTACKS /usr/bin/cc command attempt SecRule REQUEST_URI "/usr/bin/cc" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /usr/bin/cpp command attempt SecRule REQUEST_URI "/usr/bin/cpp" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /usr/bin/g++ command attempt SecRule REQUEST_URI "/usr/bin/g\+\+" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS g++ command attempt SecRule REQUEST_URI "g\+\+\x20" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS bin/python access attempt SecRule REQUEST_URI "bin/python" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS python access attempt #SecRule "python\x20" # WEB-ATTACKS bin/tclsh execution attempt SecRule REQUEST_URI "bin/tclsh" # WEB-ATTACKS tclsh execution attempt SecRule REQUEST_URI "tclsh8\x20" # WEB-ATTACKS bin/nasm command attempt SecRule REQUEST_URI "bin/nasm" # WEB-ATTACKS nasm command attempt SecRule REQUEST_URI "nasm\x20" # WEB-ATTACKS /usr/bin/perl execution attempt SecRule REQUEST_URI "/usr/bin/perl" # WEB-ATTACKS traceroute command attempt SecRule REQUEST_URI "traceroute" chain SecRule REQUEST_URI "\x20([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" # WEB-ATTACKS ping command attempt SecRule REQUEST_URI "/bin/ping" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS X application to remote host attempt SecRule REQUEST_URI "\x20-display\x20" # WEB-ATTACKS mail command attempt SecRule REQUEST_URI "/bin/mail" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /bin/ls command attempt SecRule REQUEST_URI "/bin/ls" chain SecRule REQUEST_URI "\x20" # WEB-ATTACKS /etc/inetd.conf access SecRule REQUEST_URI "/etc/inetd\.conf" # WEB-ATTACKS /etc/motd access SecRule REQUEST_URI "/etc/motd" # WEB-ATTACKS conf/httpd.conf attempt SecRule REQUEST_URI "conf/httpd\.conf" # WEB-MISC .htpasswd access SecRule REQUEST_URI "\.htpasswd" # WEB-MISC /etc/passwd access SecRule REQUEST_URI "/etc/passwd" # WEB-MISC nessus 1.X 404 probe SecRule REQUEST_URI "/nessus_is_probing_you_" # WEB-MISC nessus 2.x 404 probe SecRule REQUEST_URI "/NessusTest" # WEB-MISC ls%20-l SecRule REQUEST_URI "ls" chain SecRule REQUEST_URI "\x20-l" # WEB-MISC apache directory disclosure attempt SecRule REQUEST_URI "////////" #musicat empower attempt SecRule REQUEST_URI "/empower\?DB=" # WEB-MISC *%0a.pl access SecRule REQUEST_URI "/*\x0a\.pl" #PHPBB worm sigs SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" #PHP defenses SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecRule ARGS "^(globals($|\[)|php:/)" #PHP defenses SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$" # Web-attacks chdir SecRule REQUEST_URI "&(cmd|command)=chdir\x20" # TIKIWIKI SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./" #SMTP redirects SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 #These are VERY experiemental* please report false positives/negatives* etc. #very experimental generic remote download sig #foo IP or FQDN* or foo http/https/ftp://whatever SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)| wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20 ((http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Command inline detection SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #very experimental connect command sig SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[A-Za-z|0-9]\.[a-zA-Z]{2*4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Commands* also need a major rework* these also have issues SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" #SecRule REQUEST_URI "echo\x20" SecRule REQUEST_URI "links -dump " SecRule REQUEST_URI "links -dump-(charset|width) " SecRule REQUEST_URI "links (http|https|ftp)\:/" SecRule REQUEST_URI "links -source " #SecRule REQUEST_URI "mkdir\x20" SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" SecRule REQUEST_URI "cd \.\." SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" #generic block for fwrite fopen uploads SecRule REQUEST_URI "fwrite" chain SecRule REQUEST_URI "fopen" #generic sig for more bad PHP functions SecRule REQUEST_URI "chr\(([0-9]{1*3})\)" SecRule ARGS_NAMES "^php:/" # WEB-MISC Tomcat view source attempt SecRule REQUEST_URI "\x252ejsp" # WEB-MISC whisker HEAD/./ #SecRule "HEAD/./" # WEB-FRONTPAGE .... request SecRule REQUEST_URI "\.\.\.\./" #experimental CSS rule #SecRule REQUEST_URI "/(\x3C|)" #Generic attack rules pcre format #cross site scripting attempt IMG onerror or onload SecRule REQUEST_URI "\]expression[\s]*\(" #cross site scripting attempt STYLE + EXPRESSION SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*" # cross site scripting attempt using XML SecRule REQUEST_URI "SCRIPT" #cross site scripting attempt executing hidden Javascript SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" #cross site scripting attempt executing hidden Javascript SecRule REQUEST_URI "window\.execScript[\s]*\(" #cross site scripting attempt to execute Javascript code SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" #cross site scripting stealth attempt to execute Javascript code #may false alarm for some language sets SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" #Apache /server-info accessible SecRule REQUEST_URI "/server-info" chain SecRule REMOTE_ADDR "!^127\.0\.0\.1$" #Apache /server-status accessible #Modified so apache-protect can run SecRule REQUEST_URI "^/server-status/$" chain SecRule REMOTE_ADDR "!^127\.0\.0\.1$" #generic Common HTTP vulnerability SecRule REQUEST_URI "/\?cwd=/" #General [url] php forum protections (phpbb and others* to protect against script injection attacks in url links) SecRule REQUEST_URI "\.php\?" chain SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex )\:/.*\].*\[/url\]" #Experimental XML-RPC generic attack sigs SecRule REQUEST_BODY "\'\*\'\'\)\)\;" SecRule REQUEST_BODY "\\.*\'\)\;" #MTS #XML-RPC generic attack sigs SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain SecRule REQUEST_BODY "(\" #Specific XML-RPC attacks on xmlrpc.php SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain SecRule REQUEST_BODY "(\" #generic remote file inclusion vulns SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/" SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx" SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/" #catch smuggling attacks #SecRule "^(GET|POST).*Host:.*^(GET|POST)" #Drupal remote command execution vulnerability exploit signature #This is already covered in another generic signature* but just in case you leave it out* here it is #again with a slightly tigher regexp SecRule REQUEST_BODY "\" #Slightly stronger version of the above SecRule REQUEST_BODY "\" #Generic PHP attack sig SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)" #Generic Nessus request filter SecRule REQUEST_URI "NessusTest*\.html" #Generic PHP payload command injection and upload vulnerabilities SecRule REQUEST_BODY "" #Fake image file shell attacvk SecRule REQUEST_HEADERS:Content-Type "image/.*" SecRule REQUEST_BODY "chr\(" #bogus graphics file SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)" #wormsign SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC" #Special account protection SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" #Generic PHP fopen sig SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390144*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'" SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\x20?\?" SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390145*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'" SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\?" SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp)\?" SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp) " SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?" SecRule REQUEST_URI "/\.it/viewde" SecRule REQUEST_URI "/cmd\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.( c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm |html|tmp|php|asp).\?&(cmd|command)=" SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\ .(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|h tm|html|tmp|php|asp)\?" SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tm l)\?" SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?" #Known rootkits SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;" SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c" SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|comm and)=" SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|c ommand)=" SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd |command)=" SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&? (cmd|command)=" #other known tools SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php" #New kit SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)" SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\ w)" #new kir SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)=" #suntzu SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" #proxysx.gif? SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?" #phpbackdoor SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" #new unknown kit SecRule REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs* pretty low* but here to catch # any lose threads* honeypoting* etc. SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI "/phpterm" #Frantastico worm SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )" #new unknown kits SecRule REQUEST_URI "/iblis\.htm\?" SecRule REQUEST_URI "/gif\.gif\?" SecRule REQUEST_URI "/go\.php\.txt\?" SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/zehir\.asp" SecRule REQUEST_URI "/aflast\.txt\?" SecRule REQUEST_URI "/sikat\.txt\?&cmd" SecRule REQUEST_URI "/t\.gif\?" SecRule REQUEST_URI "/phpbb_patch\?&" SecRule REQUEST_URI "/phpbb2_patch\?&" SecRule REQUEST_URI "/lukka\?&" #new kit SecRule REQUEST_URI "/c99shell\.txt" SecRule REQUEST_URI "/c99\.txt\?" #remote bash shell SecRule REQUEST_URI "/shell\.php\&cmd=" SecRule ARGS "/shell\.php\&cmd=" #zencart exploit SecRule REQUEST_URI "/ipn\.php\?cmd=" #new pattern SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "dsoul/tool\?" #generic suntzu payload SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\ |
| الساعة الآن 07:54 AM |
Powered by vBulletin® Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.5.2 TranZ By
Almuhajir