<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2013/02/28 dcid Exp $

  -
  -  Official Web access rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
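<group name="web,accesslog,">
  <!-- Layout of this group:
         31100              parent of every web access-log event; everything else hangs off it.
         31101 / 31120      4xx and 5xx status classes, each with per-code children.
         31103..31110,
         31164, 31165       attack signatures matched against the requested URL.
         31151..31163       frequency rules correlating the above per source IP.
       Several rules use repeated <url_pcre2> / <description> elements. The trailing "|" on
       those lines shows the ruleset relies on the engine concatenating repeated elements into
       a single value, so do not split or reorder them. pcre2 matching is case-sensitive unless
       a pattern says otherwise; none of the patterns below does. -->

  <!-- Root of the tree: every decoded web-log event lands here at level 0 (no alert). -->
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <!-- 2xx/3xx requests that the compiled check classifies as simple are silenced here.
       31103 lists both 31100 and 31108 as parents so SQL-injection matching still runs on
       these requests; the other attack rules hang off 31100 only. That double parenting
       suggests a 31108 match would otherwise shadow its sibling rules; confirm against the
       engine's child-matching order before relying on 31104/31105/31109/31110/31164/31165
       for 2xx/3xx traffic. is_simple_http_request is compiled code, not visible here. -->
  <rule id="31108" level="0">
    <if_sid>31100</if_sid>
    <id_pcre2>^2|^3</id_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
  </rule>

  <!-- Any 4xx client error. Level 5 unless one of the level-0 children
       (31102, 31140, 31141) claims the event. -->
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^4</id_pcre2>
    <description>Web server 400 error code.</description>
  </rule>

  <!-- 4xx on static assets is noise. Note the limits of this ignore: the extension list is
       case-sensitive (".JPG" is not ignored) and "$" anchors at the end of the URL, so an
       asset path followed by a query string still alerts through 31101. -->
  <rule id="31102" level="0">
    <if_sid>31101</if_sid>
    <url_pcre2>\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$</url_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <!-- SQL keywords with the separator encoded as %20 or "+". The two url_pcre2 elements form
       one alternation (trailing "|" on the first). 31164 covers the %2B-encoded variants. -->
  <rule id="31103" level="6">
    <if_sid>31100,31108</if_sid>
    <url_pcre2>=select%20|select\+|insert%20|%20from%20|%20where%20|union%20|</url_pcre2>
    <url_pcre2>union\+|where\+|null,null|xp_cmdshell</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory traversal, simple sql injections,
      -  or access to the etc or bin directory (unix).
      -  NOTE(review): "%027" is not the percent-encoding of the apostrophe ("%27"); it is
      -  kept as written because widening it would match every URL that carries an
      -  apostrophe. Confirm the original intent. Likewise "\\x5C\\x5C" as a pcre2 pattern
      -  appears to match the literal text "\x5C\x5C" rather than two backslashes; confirm. -->
    <url_pcre2>%027|%00|%01|%7f|%2E%2E|%0A|%0D|\.\./\.\.|\.\.\\\.\.|echo;|</url_pcre2>
    <url_pcre2>cmd\.exe|root\.exe|_mem_bin|msadc|/winnt/|/boot\.ini|</url_pcre2>
    <url_pcre2>/x90/|default\.ida|/sumthin|nsiislog\.dll|chmod%|wget%|cd%20|</url_pcre2>
    <url_pcre2>exec%20|\.\./\.\.//|%5C\.\./%5C|\./\./\./\./|2e%2e%5c%2e|\\x5C\\x5C</url_pcre2>
    <description>Common web attack.</description>
    <group>attack,</group>
  </rule>

  <!-- Reflected-XSS markers in the URL. Every alternative is case-sensitive as written
       ("SRC=javascript", "%20ONLOAD=", "INPUT%20"), so the same tokens in another casing are
       not caught. A "(?i)" prefix would widen coverage; weigh it against the extra false
       positives on your traffic before changing. -->
  <rule id="31105" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url_pcre2>
    <url_pcre2>%20ONLOAD=|INPUT%20|iframe%20</url_pcre2>
    <description>XSS (Cross Site Scripting) attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- Escalation when an attack pattern received a 200. Only 31103/31104/31105 feed this
       rule; 31109, 31110, 31164 and 31165 also carry the attack group but are not listed, so
       a 200 response to those patterns stays at level 6. Extending if_sid is an alerting
       policy decision and is left to the deployment (31107 has the same gap). -->
  <rule id="31106" level="6">
    <if_sid>31103, 31104, 31105</if_sid>
    <id_pcre2>^200</id_pcre2>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

  <!-- Query string beginning with a PHP CGI option switch. Any legitimate query that starts
       with "?-d", "?-s", "?-a", "?-b" or "?-w" also matches; add a level-0 child if that is
       common on your site. -->
  <rule id="31110" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\?-d|\?-s|\?-a|\?-b|\?-w</url_pcre2>
    <description>PHP CGI-bin vulnerability attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- url_pcre2 is matched against the URL only, pcre2 against the whole log line; both
       conditions must hold. The six repeated "%2Bchar\(\d+\)" groups could be written
       "(?:%2Bchar\(\d+\)){6}" with identical meaning; left as written. -->
  <rule id="31109" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\+as\+varchar</url_pcre2>
    <pcre2>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</pcre2>
    <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
    <group>attack,</group>
  </rule>


  <!-- If your site has a search engine, you may need to ignore it here.
    -  Level-0 child of the three attack rules, anchored with "^" so only those two exact
    -  entry points are exempted. Note it does not cover 31109/31110/31164/31165.
    -->
  <rule id="31107" level="0">
    <if_sid>31103, 31104, 31105</if_sid>
    <url_pcre2>^/search\.php\?search=|^/index\.php\?searchword=</url_pcre2>
    <description>Ignored URLs for the web attacks</description>
  </rule>

  <!-- Oversized request line. maxsize presumably applies to the whole log event rather than
       the URL alone (confirm), so referer and user-agent length count toward the 7900 bytes.
       The two description elements are concatenated. -->
  <rule id="31115" level="13" maxsize="7900">
    <if_sid>31100</if_sid>
    <description>URL too long. Higher than allowed on most </description>
    <description>browsers. Possible attack.</description>
    <group>invalid_access,</group>
  </rule>


  <!-- 500 error codes, server error
    - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    - "^50" covers 500..509; 31121/31122/31123 refine the common ones.
    -->
  <rule id="31120" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^50</id_pcre2>
    <description>Web server 500 error code (server error).</description>
  </rule>

  <rule id="31121" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^501</id_pcre2>
    <description>Web server 501 error code (Not Implemented).</description>
  </rule>

  <!-- alert_by_email requests an e-mail notification for this rule. -->
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id_pcre2>^500</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31123" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^503</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 503 error code (Service unavailable).</description>
  </rule>


  <!-- Rules to ignore crawlers.
       Silences every 4xx from a client the compiled check accepts as a known crawler, so
       such events presumably no longer count toward 31151. is_valid_crawler is compiled code;
       confirm what it validates before trusting this exemption. -->
  <rule id="31140" level="0">
    <if_sid>31101</if_sid>
    <compiled_rule>is_valid_crawler</compiled_rule>
    <description>Ignoring google/msn/yahoo bots.</description>
  </rule>

  <!-- Ignoring nginx 499's (nginx-specific "client closed request"; not an error). -->
  <rule id="31141" level="0">
    <if_sid>31101</if_sid>
    <id_pcre2>^499</id_pcre2>
    <description>Ignored 499's on nginx.</description>
  </rule>


  <!-- Correlation rules: N matches of the referenced rule from one source IP within
       timeframe seconds. -->
  <rule id="31151" level="10" frequency="12" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>31103</if_matched_sid>
    <same_source_ip />
    <description>Multiple SQL injection attempts from same </description>
    <description>source ip.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31153" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31104</if_matched_sid>
    <same_source_ip />
    <description>Multiple common web attacks from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31154" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31105</if_matched_sid>
    <same_source_ip />
    <description>Multiple XSS (Cross Site Scripting) attempts </description>
    <description>from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31161" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31121</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 501 error code (Not Implemented).</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31162" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31122</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31163" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31123</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 503 error code (Service unavailable).</description>
    <group>web_scan,recon,</group>
  </rule>

  <!-- Same keywords as 31103 with the separator encoded as %2B (a literal "+"), plus an
       encoded apostrophe directly after "=". Not referenced by 31106/31107/31152.
       Group tag: 31103 and 31152 spell this "sql_injection" while this rule and 31165 used
       "sqlinjection", so an if_group on either spelling missed half the SQL rules. Both tags
       are kept so existing references keep working. -->
  <rule id="31164" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,sqlinjection,</group>
  </rule>

  <!-- Encoding-evasion variants of the apostrophe and keywords: %EF%BC%87 is UTF-8 for the
       fullwidth apostrophe (U+FF07), %2531 is a double-encoded sequence (%25 is an encoded
       "%"), and %u0053%u0045 is the IIS-style %u encoding of "SE". The original listed
       %EF%BC%87 three times in the alternation; the duplicates are dropped (no change in
       what matches). Group tag carries both spellings, see 31164. -->
  <rule id="31165" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%EF%BC%87|%2531|%u0053%u0045</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,sqlinjection,</group>
  </rule>

</group> <!-- Web access log -->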