<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2013/02/28 dcid Exp $
  -
  - Official Web access rules for OSSEC.
  -
  - Copyright (C) 2009 Trend Micro Inc.
  - All rights reserved.
  -
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - Foundation.
  -
  - License details: http://www.ossec.net/en/licensing.html
  -->

<!-- How this file is organised (review notes):
  -
  - 31100 is the root rule for every decoded web access-log event
  - (category web-log, level 0). Every other rule hangs off it through
  - if_sid, and the frequency rules near the end count hits of a
  - single child rule per source ip through if_matched_sid.
  -
  - Repeated elements of the same name inside one rule (url_pcre2,
  - pcre2, description) appear to be concatenated into one value; that
  - is why several url_pcre2 lines end in a trailing "|" and why the
  - split descriptions end in a trailing space.
  -
  - NOTE(review): group tags are inconsistent. 31103 and 31152 use
  - "sql_injection" while 31164 and 31165 use "sqlinjection"; anything
  - keyed on if_group or an active-response rules_group must list both
  - until the names are unified here.
  -->

<group name="web,accesslog,">
  <!-- Root of the tree: matches any web-log event, alerts nothing. -->
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <!-- Drop 2xx/3xx responses that the compiled helper classifies as a
    - plain request. Only 31103 lists this rule as a parent, so SQL
    - injection matching still runs on events downgraded here; 31104
    - and 31105 do not (they hang off 31100 only). Confirm that gap is
    - intentional.
    -->
  <rule id="31108" level="0">
    <if_sid>31100</if_sid>
    <id_pcre2>^2|^3</id_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
  </rule>

  <!-- "^4" matches the whole 4xx family (401, 403, 404, 499 ...), not
    - only 400 as the description suggests.
    -->
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^4</id_pcre2>
    <description>Web server 400 error code.</description>
  </rule>

  <!-- Static-asset 4xx noise (missing images, favicon, robots.txt). -->
  <rule id="31102" level="0">
    <if_sid>31101</if_sid>
    <url_pcre2>\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$</url_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <!-- SQL keywords in the URL, space-encoded as %20 or "+". The
    - "+"-as-%2B variants live in 31164. Counted per source ip by 31152.
    -->
  <rule id="31103" level="6">
    <if_sid>31100,31108</if_sid>
    <url_pcre2>=select%20|select\+|insert%20|%20from%20|%20where%20|union%20|</url_pcre2>
    <url_pcre2>union\+|where\+|null,null|xp_cmdshell</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory traversal, simple sql injections,
      - or access to the etc or bin directory (unix).
      - Mixes raw and percent-encoded forms of "..", control bytes
      - (%00, %01, %0A, %0D, %7f) and well-known IIS-era probe paths.
      - NOTE(review): the first alternative "%027" is an odd token
      - (it is not the encoding of a single byte); confirm whether
      - "%27" was intended.
      -->
    <url_pcre2>%027|%00|%01|%7f|%2E%2E|%0A|%0D|\.\./\.\.|\.\.\\\.\.|echo;|</url_pcre2>
    <url_pcre2>cmd\.exe|root\.exe|_mem_bin|msadc|/winnt/|/boot\.ini|</url_pcre2>
    <url_pcre2>/x90/|default\.ida|/sumthin|nsiislog\.dll|chmod%|wget%|cd%20|</url_pcre2>
    <url_pcre2>exec%20|\.\./\.\.//|%5C\.\./%5C|\./\./\./\./|2e%2e%5c%2e|\\x5C\\x5C</url_pcre2>
    <description>Common web attack.</description>
    <group>attack,</group>
  </rule>

  <!-- Script/event-handler markup in the URL, raw or percent-encoded.
    - Case matters in pcre2 unless the engine is configured otherwise,
    - so "SRC=javascript" and "%20ONLOAD=" only match those spellings.
    -->
  <rule id="31105" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url_pcre2>
    <url_pcre2>%20ONLOAD=|INPUT%20|iframe%20</url_pcre2>
    <description>XSS (Cross Site Scripting) attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- Escalate when an attack pattern was answered with 200.
    - NOTE(review): only 31103/31104/31105 are listed; a 200 response
    - to 31109, 31110, 31164 or 31165 is not escalated by this rule.
    -->
  <rule id="31106" level="6">
    <if_sid>31103, 31104, 31105</if_sid>
    <id_pcre2>^200</id_pcre2>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

  <!-- Query string that starts with a php-cgi command-line switch
    - ("?-d", "?-s", ...); the "?" is escaped so it is a literal match.
    -->
  <rule id="31110" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\?-d|\?-s|\?-a|\?-b|\?-w</url_pcre2>
    <description>PHP CGI-bin vulnerability attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- MSSQL-style obfuscation: "as varchar" casts and a run of six
    - "+char(NNN)" concatenations. Note pcre2 (whole log line) is used
    - alongside url_pcre2 here; both must match.
    -->
  <rule id="31109" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\+as\+varchar</url_pcre2>
    <pcre2>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</pcre2>
    <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
    <group>attack,</group>
  </rule>


  <!-- If your site has a search engine, you may need to ignore
    - it in here. Applies only to the three parents listed; the other
    - attack rules (31109, 31110, 31164, 31165) are not suppressed.
    -->
  <rule id="31107" level="0">
    <if_sid>31103, 31104, 31105</if_sid>
    <url_pcre2>^/search\.php\?search=|^/index\.php\?searchword=</url_pcre2>
    <description>Ignored URLs for the web attacks</description>
  </rule>

  <!-- NOTE(review): maxsize is a size of the whole event, so this fires
    - on any log record over 7900 bytes, not on URL length alone.
    - Confirm before relying on the "URL too long" wording.
    -->
  <rule id="31115" level="13" maxsize="7900">
    <if_sid>31100</if_sid>
    <description>URL too long. Higher than allowed on most </description>
    <description>browsers. Possible attack.</description>
    <group>invalid_access,</group>
  </rule>


  <!-- 500 error codes, server error
    - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    - "^50" covers 500 through 509; the children below refine it and
    - two of them (501, 503) deliberately lower the level to 4.
    -->
  <rule id="31120" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^50</id_pcre2>
    <description>Web server 500 error code (server error).</description>
  </rule>

  <rule id="31121" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^501</id_pcre2>
    <description>Web server 501 error code (Not Implemented).</description>
  </rule>

  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id_pcre2>^500</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31123" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^503</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 503 error code (Service unavailable).</description>
  </rule>


  <!-- Rules to ignore crawlers (4xx only; the check is a compiled rule,
    - presumably a user-agent/host allow-list, verify in the C source).
    -->
  <rule id="31140" level="0">
    <if_sid>31101</if_sid>
    <compiled_rule>is_valid_crawler</compiled_rule>
    <description>Ignoring google/msn/yahoo bots.</description>
  </rule>

  <!-- Ignoring nginx 499's (client closed the request) -->
  <rule id="31141" level="0">
    <if_sid>31101</if_sid>
    <id_pcre2>^499</id_pcre2>
    <description>Ignored 499's on nginx.</description>
  </rule>


  <!-- Frequency rules: N hits of one parent rule from the same source
    - ip inside the timeframe (seconds). Each uses a single parent id.
    -->
  <rule id="31151" level="10" frequency="12" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

  <!-- NOTE(review): counts 31103 only; hits on 31164/31165 do not feed
    - this counter.
    -->
  <rule id="31152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>31103</if_matched_sid>
    <same_source_ip />
    <description>Multiple SQL injection attempts from same </description>
    <description>source ip.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31153" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31104</if_matched_sid>
    <same_source_ip />
    <description>Multiple common web attacks from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31154" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31105</if_matched_sid>
    <same_source_ip />
    <description>Multiple XSS (Cross Site Scripting) attempts </description>
    <description>from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31161" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31121</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 501 error code (Not Implemented).</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31162" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31122</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31163" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31123</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 503 error code (Service unavailable).</description>
    <group>web_scan,recon,</group>
  </rule>

  <!-- Same keywords as 31103 with the separator encoded as %2B ("+")
    - and an encoded single quote (%27) right after "=".
    - Group tag spelled "sqlinjection" here, unlike 31103/31152.
    -->
  <rule id="31164" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sqlinjection,</group>
  </rule>

  <!-- Encoding-evasion variants: %EF%BC%87 is the UTF-8 form of the
    - fullwidth apostrophe (U+FF07), %2531 is a double-encoded "1", and
    - %u0053%u0045 is the non-standard %u encoding of "SE".
    - NOTE(review): the %EF%BC%87 alternative is listed three times;
    - the repeats are redundant and may be a copy/paste leftover.
    - Group tag spelled "sqlinjection" here, unlike 31103/31152.
    -->
  <rule id="31165" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sqlinjection,</group>
  </rule>

</group> <!-- Web access log -->