
<rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30107" level="6"> <if_sid>30101</if_sid> <match>Client sent malformed Host header</match> <description>Code Red attack.</description> <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info> <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info> <group>automatic_attack,</group> </rule> <rule id="30115" level="5"> <if_sid>30101</if_sid> <match>Invalid URI in request</match> <description>Invalid URI (bad client request).</description> <group>invalid_request,</group> </rule> <rule id="30116" level="10" frequency="8" timeframe="120"> <if_matched_sid>30115</if_matched_sid> <same_source_ip /> <description>Multiple Invalid URI requests from </description> <description>same source.</description> <group>invalid_request,</group> </rule> <rule id="30118" level="6"> <if_sid>30101</if_sid> <match>mod_security: Access denied|ModSecurity: Access denied</match> <description>Access attempt blocked by Mod Security.</description> <group>access_denied,</group> </rule> <rule id="30116" level="10" frequency="8" timeframe="120"> <if_matched_sid>30115</if_matched_sid> <same_source_ip /> <description>Multiple Invalid URI requests from </description> <description>same source.</description> <group>invalid_request,</group>

</rule> <rule id="30201" level="6"> <if_sid>30200</if_sid> <match>^mod_security-message: Access denied </match> <description>Modsecurity access denied.</description> <group>access_denied,</group> </rule> <rule id="30202" level="10" frequency="8" timeframe="120"> <if_matched_sid>30201</if_matched_sid> <description>Multiple attempts blocked by Mod Security.</description> <group>access_denied,</group> </rule> <!-- Attack signatures --> <group name="syslog,attacks,"> <rule id="40101" level="12"> <if_group>authentication_success</if_group> <user>$SYS_USERS</user> <description>System user successfully logged to the system.</description> <group>invalid_login,</group> </rule> <rule id="40102" level="14"> <regex>^rpc.statd[\d+]: gethostbyname error for \W+</regex> <description>Buffer overflow attack on rpc.statd</description> <group>exploit_attempt,</group> </rule> <rule id="40103" level="14"> <regex>ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh</regex> <description>Buffer overflow on WU-FTPD versions prior to 2.6</description> <group>exploit_attempt,</group> </rule> <rule id="40104" level="13"> <match>?????????????????????</match> <description>Possible buffer overflow attempt.</description> <group>exploit_attempt,</group> </rule> <rule id="40105" level="12"> <match>changed by \(\(null\)</match> <description>"Null" user changed some information.</description> <group>exploit_attempt,</group> </rule> <rule id="40106" level="12"> <match>@@@@@@@@@@@@@@@@@@@@@@@@@</match> <description>Buffer overflow attempt (probably on yppasswd).</description> <group>exploit_attempt,</group> </rule> <rule id="40107" level="14"> <regex>cachefsd: Segmentation Fault - core dumped</regex> <description>Heap overflow in the Solaris cachefsd service.</description> <info type='cve'>2002-0033</info> <group>exploit_attempt,</group> </rule>

<rule id="40109" level="12"> <match>attempt to execute code on stack by</match> <description>Stack overflow attempt or program exiting </description> <description>with SEGV (Solaris).</description> <info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html</info> <group>exploit_attempt,</group> </rule> <rule id="40111" level="10" frequency="10" timeframe="160"> <if_matched_group>authentication_failed</if_matched_group> <description>Multiple authentication failures.</description> <group>authentication_failures,</group> </rule> <rule id="40112" level="12" timeframe="240"> <if_group>authentication_success</if_group> <if_matched_group>authentication_failures</if_matched_group> <same_source_ip /> <description>Multiple authentication failures followed </description> <description>by a success.</description> </rule> <rule id="40113" level="12" frequency="6" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,</group> </rule> </group> <!-- SYSLOG, ATTACKS, -->

<!-- Privilege escalation messages --> <group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>Attacks followed by the addition </description> <description>of a user.</description> </rule> </group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->

<!-- Scan signatures --> <group name="syslog,recon,"> <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90"> <if_matched_group>connection_attempt</if_matched_group> <description>Network scan from same source ip.</description> <same_source_ip /> <info type="link">http://project.honeynet.org/papers/enemy2/</info> </rule> <rule id="40112" level="12" timeframe="240"> <if_group>authentication_success</if_group> <if_matched_group>authentication_failures</if_matched_group> <same_source_ip /> <description>Multiple authentication failures followed </description> <description>by a success.</description> </rule>

<rule id="40113" level="12" frequency="6" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,</group> </rule> </group> <!-- SYSLOG, ATTACKS, -->

<!-- Privilege escalation messages --> <group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>Attacks followed by the addition </description> <description>of a user.</description> </rule> </group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->

<!-- Scan signatures --> <group name="syslog,recon,"> <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90"> <if_matched_group>connection_attempt</if_matched_group> <description>Network scan from same source ip.</description> <same_source_ip /> <info type="link">http://project.honeynet.org/papers/enemy2/</info> </rule> <rule id="40112" level="12" timeframe="240"> <if_group>authentication_success</if_group> <if_matched_group>authentication_failures</if_matched_group> <same_source_ip /> <description>Multiple authentication failures followed </description> <description>by a success.</description> </rule> <rule id="40113" level="12" frequency="6" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,</group> </rule> </group> <!-- SYSLOG, ATTACKS, -->

<!-- Privilege escalation messages --> <group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>Attacks followed by the addition </description> <description>of a user.</description> </rule> </group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->

<!-- Scan signatures --> <group name="syslog,recon,"> <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90"> <if_matched_group>connection_attempt</if_matched_group> <description>Network scan from same source ip.</description> <same_source_ip /> <info type="link">http://project.honeynet.org/papers/enemy2/</info> </rule> <rule id="52000" level="0"> <decoded_as>bro-ids</decoded_as> <description>Grouping for all bro-ids events.</description> </rule> <rule id="52007" level="4"> <if_sid>52000</if_sid> <match>no=ZoneTransfer</match> <description>Bro-ids Zone Transfer alert.</description> </rule> <rule id="52008" level="4"> <if_sid>52000</if_sid> <match>no=SensitivePortMapperAccess</match> <description>Bro-ids detected access to the portmapper port.</description> </rule> </group> <!-- SYSLOG,SCANS --> <rule id="52009" level="4"> <if_sid>52000</if_sid> <match>no=PortScan </match> <description>Bro-ids detected a portscan.</description> </rule> <rule id="52500" level="0" noalert="1"> <decoded_as>clamd</decoded_as> <description>Grouping of the clamd rules.</description> </rule> <rule id="52502" level="8"> <if_sid>52500</if_sid> <match>FOUND</match> <description>Virus detected</description> <group>virus</group> </rule> <group name="firewall,"> <rule id="4100" level="0"> <category>firewall</category> <description>Firewall rules grouped.</description> </rule> <!-- We don't log firewall events, because they go - to their own log file. --> <rule id="4101" level="5"> <if_sid>4100</if_sid> <action>DROP</action> <options>no_log</options> <description>Firewall drop event.</description> <group>firewall_drop,</group> </rule>

<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240"> <if_matched_sid>4101</if_matched_sid> <same_source_ip /> <description>Multiple Firewall drop events from same source.</description> <group>multiple_drops,</group> </rule> </group> <rule id="11107" level="5"> <if_sid>11100</if_sid> <match>refused connect from</match> <group>access_denied,</group> <description>Connection blocked by Tcp Wrappers.</description> </rule> <rule id="11108" level="5"> <if_sid>11100</if_sid> <match>warning: can't verify hostname: |gethostbyaddr: </match> <description>Reverse lookup error (bad ISP config).</description> <group>client_misconfig,</group> </rule> <rule id="11109" level="10"> <if_sid>11100</if_sid> <match>repeated login failures</match> <description>Multiple FTP failed login attempts.</description> <group>authentication_failures,</group> </rule> <rule id="11111" level="9"> <if_sid>11100</if_sid> <match>PAM_ERROR_MSG: Account is disabled</match> <description>Attempt to login with disabled account.</description> <group>authentication_failed,</group> </rule> <rule id="11111" level="9"> <if_sid>11100</if_sid> <match>PAM_ERROR_MSG: Account is disabled</match> <description>Attempt to login with disabled account.</description> <group>authentication_failed,</group> </rule> <rule id="31100" level="0"> <category>web-log</category> <description>Access log messages grouped.</description> </rule> <rule id="31103" level="6"> <if_sid>31100</if_sid> <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url> <url>union+|where+|null,null|xp_cmdshell</url> <description>SQL injection attempt.</description> <group>attack,sql_injection,</group> </rule> <rule id="31104" level="6"> <if_sid>31100</if_sid> <!-- Attempt to do directory transversal, simple sql injections, - or access to the etc or bin directory (unix). 
--> <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url> <url>cmd.exe|.exe|_mem_bin|msadc|/winnt/|</url> <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url> <url>cat%20|exec%20|rm%20</url> <description>Common web attack.</description>

<group>attack,</group> </rule> <rule id="31105" level="6"> <if_sid>31100</if_sid> <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url> <url>%20ONLOAD=|INPUT%20|iframe%20</url> <description>XSS (Cross Site Scripting) attempt.</description> <group>attack,</group> </rule> <rule id="31106" level="6"> <if_sid>31103, 31104, 31105</if_sid> <id>^200</id> <description>A web attack returned code 200 (success).</description> <group>attack,</group> </rule> <rule id="31110" level="6"> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule> <rule id="31109" level="6"> <if_sid>31100</if_sid> <url>+as+varchar(8000)</url> <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\ )%2Bchar\(\d+\)</regex> <description>MSSQL Injection attempt (/ur.php, urchin.js)</description> <group>attack,</group> </rule> <!-- If your site have a search engine, you may need to ignore - it in here. --> <rule id="31107" level="0"> <if_sid>31103, 31104, 31105</if_sid> <url>^/search.php?search=|^/index.php?searchword=</url> <description>Ignored URLs for the web attacks</description> </rule>

<rule id="31152" level="10" frequency="6" timeframe="120"> <if_matched_sid>31103</if_matched_sid> <same_source_ip /> <description>Multiple SQL injection attempts from same </description> <description>source ip.</description> <group>attack,sql_injection,</group> </rule> <rule id="31153" level="10" frequency="8" timeframe="120"> <if_matched_sid>31104</if_matched_sid> <same_source_ip /> <description>Multiple common web attacks from same source ip.</description> <group>attack,</group> </rule>

<rule id="31154" level="10" frequency="8" timeframe="120"> <if_matched_sid>31105</if_matched_sid> <same_source_ip /> <description>Multiple XSS (Cross Site Scripting) attempts </description> <description>from same source ip.</description> <group>attack,</group> </rule> <rule id="31163" level="10" frequency="8" timeframe="120"> <if_matched_sid>31123</if_matched_sid> <same_source_ip /> <description>Multiple web server 503 error code (Service unavailable).</description> <group>web_scan,recon,</group> </rule> <rule id="5700" level="0" noalert="1"> <decoded_as>sshd</decoded_as> <description>SSHD messages grouped.</description> </rule> <group name="ossec,"> <rule id="500" level="0"> <category>ossec</category> <decoded_as>ossec</decoded_as> <description>Grouping of ossec rules.</description> </rule>

<rule id="509" level="0"> <category>ossec</category> <decoded_as>rootcheck</decoded_as> <description>Rootcheck event.</description> <group>rootcheck,</group> </rule> <rule id="510" level="7"> <if_sid>509</if_sid> <description>Host-based anomaly detection event (rootcheck).</description> <group>rootcheck,</group> <if_fts /> </rule> <rule id="511" level="0"> <if_sid>510</if_sid> <match>^NTFS Alternate data stream found</match> <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex> <regex>Exchsrvr/Mailroot/vsi</regex> <description>Ignored common NTFS ADS entries.</description> <group>rootcheck,</group> </rule> <rule id="513" level="9"> <if_sid>510</if_sid> <match>^Windows Malware</match>

<description>Windows malware detected.</description> <group>rootcheck,</group> </rule> <rule id="514" level="2"> <if_sid>510</if_sid> <match>^Application Found</match> <description>Windows application monitor event.</description> <group>rootcheck,</group> </rule> <rule id="515" level="0"> <if_sid>510</if_sid> <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match> <match>^Starting syscheck scan|^Ending syscheck scan.</match> <description>Ignoring rootcheck/syscheck scan messages.</description> <group>rootcheck,syscheck</group> </rule> <rule id="518" level="9"> <if_sid>514</if_sid> <match>Adware|Spyware</match> <description>Windows Adware/Spyware application found.</description> <group>rootcheck,</group> </rule> <rule id="519" level="7"> <if_sid>516</if_sid> <match>^System Audit: Web vulnerability</match> <description>System Audit: Vulnerable web application found.</description> <group>rootcheck,</group> </rule> <!-- Process monitoring rules -->

<rule id="533" level="7"> <if_sid>530</if_sid> <match>ossec: output: 'netstat -tan</match> <check_diff /> <description>Listened ports status (netstat) changed (new port opened or closed).</description> </rule>

<rule id="552" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_3rd</decoded_as> <description>Integrity checksum changed again (3rd time).</description> <group>syscheck,</group>

</rule> <rule id="553" level="7"> <category>ossec</category> <decoded_as>syscheck_deleted</decoded_as> <description>File deleted. Unable to retrieve checksum.</description> <group>syscheck,</group> </rule> <rule id="554" level="0"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule> <rule id="555" level="7"> <if_sid>500</if_sid> <match>^ossec: agentless: </match> <description>Integrity checksum for agentless device changed.</description> <group>syscheck,agentless</group> </rule> <!-- Hostinfo rules --> <rule id="580" level="8"> <category>ossec</category> <decoded_as>hostinfo_modified</decoded_as> <description>Host information changed.</description> <group>hostinfo,</group> </rule> <rule id="581" level="8"> <category>ossec</category> <decoded_as>hostinfo_new</decoded_as> <description>Host information added.</description> <group>hostinfo,</group> </rule> <!-- File rotation/reduced rules --> <rule id="591" level="3"> <if_sid>500</if_sid> <match>^ossec: File rotated </match> <description>Log file rotated.</description> </rule>

<rule id="593" level="9"> <if_sid>500</if_sid> <match>^ossec: Event log cleared</match> <description>Microsoft Event log cleared.</description> <group>logs_cleared,</group> </rule>

<rule id="596" level="5"> <category>ossec</category>

<if_sid>552</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Integrity Checksum Changed Again (3rd time)</description> </rule> <rule id="597" level="5"> <category>ossec</category> <if_sid>553</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Entry Deleted. Unable to Retrieve Checksum</description> </rule> <rule id="598" level="5"> <category>ossec</category> <if_sid>554</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Entry Added to the System</description> </rule>

<rule id="600" level="0"> <decoded_as>ar_log</decoded_as> <description>Active Response Messages Grouped</description> <group>active_response,</group> </rule> <rule id="601" level="3"> <if_sid>600</if_sid> <action>firewall-drop.sh</action> <status>add</status> <description>Host Blocked by firewall-drop.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="603" level="3"> <if_sid>600</if_sid> <action>host-deny.sh</action> <status>add</status> <description>Host Blocked by host-deny.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="605" level="3"> <if_sid>600</if_sid> <action>route-null.sh</action> <status>add</status> <description>Host Blocked by route-null.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="12119" level="3"> <if_sid>12100</if_sid> <match>starting BIND</match> <description>BIND has been started</description> </rule> <rule id="12120" level="1"> <if_sid>12100</if_sid> <match>has no address records</match> <description>Missing A or AAAA record</description> </rule> <rule id="12121" level="1"> <if_sid>12100</if_sid> <regex>zone \S+: \(master\) removed</regex> <description>Zone has been removed from a master server</description> </rule> <rule id="12122" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description> </rule> <rule id="12123" level="0"> <if_sid>12100</if_sid> <match>already exists previous definition</match> <description>Zone has been duplicated</description> </rule> <rule id="12125" level="3"> <if_sid>12100</if_sid> <match>reloading configuration failed: unexpected end of input</match> <description>BIND Configuration error.</description> </rule> <rule id="12126" level="0"> <if_sid>12100</if_sid> <regex>zone \S+: \(master\) removed</regex> <description>Zone has been removed from a master server</description> </rule> <rule id="12127" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description> </rule> <rule id="12128" level="1"> <if_sid>12100</if_sid> <match>^transfer of|</match> <match>AXFR started$</match> <description>Zone transfer.</description> </rule> <rule id="12129" level="4"> <if_sid>12128</if_sid>

<match>failed to connect: connection refused</match> <description>Zone transfer failed, unable to connect to master.</description> </rule> <rule id="12130" level="2"> <if_sid>12100</if_sid> <match>IPv6 interfaces failed</match> <description>Could not listen on IPv6 interface.</description> </rule> <rule id="12131" level="2"> <if_sid>12100</if_sid> <match>failed; interface ignored</match> <description>Could not bind to an interface.</description> </rule> <rule id="12132" level="0"> <if_sid>12128</if_sid> <match>failed while receiving responses: not authoritative</match> <description>Master is not authoritative for zone.</description> </rule> <rule id="12133" level="4"> <if_sid>12100</if_sid> <regex>open: \S+: permission denied$</regex> <description>Could not open configuration file, permission denied.</description> </rule> <rule id="12134" level="4"> <if_sid>12100</if_sid> <match>loading configuration: permission denied</match> <description>Could not open configuration file, permission denied.</description> </rule> <rule id="12135" level="0"> <if_sid>12100</if_sid> <match>IN SOA -E</match> <description>Domain in SOA -E.</description> </rule> <rule id="12136" level="4"> <if_sid>12128</if_sid> <match>failed to connect: host unreachable</match> <description>Master appears to be down.</description> </rule> <rule id="12137" level="0"> <if_sid>12100</if_sid> <match>IN AXFR -</match> <description>Domain is queried for a zone transferred.</description> </rule> <rule id="12138" level="0"> <if_sid>12100</if_sid> <match> IN A +</match> <description>Domain A record found.</description> </rule>

<rule id="12139" level="3"> <if_sid>12100</if_sid> <regex>client \S+: bad zone transfer request: \S+: non-authoritative zone \( NOTAUTH\)</regex> <description>Bad zone transfer request.</description> </rule> <rule id="12140" level="2"> <if_sid>12100</if_sid> <match>refresh: failure trying master</match> <description>Cannot refresh a domain from the master server.</description> </rule> <rule id="12141" level="1"> <if_sid>12100</if_sid> <match>SOA record not at top of zone</match> <description>Origin of zone and owner name of SOA do not match.</description> </rule> <rule id="12142" level="0"> <if_sid>12100</if_sid> <match>command channel listening on</match> <description>named command channel is listening.</description> </rule> <rule id="12143" level="0"> <if_sid>12100</if_sid> <match>automatic empty zone</match> <description>named has created an automatic empty zone.</description> </rule> <rule id="12144" level="9"> <if_sid>12100</if_sid> <match>reloading configuration failed: out of memory</match> <description>Server does not have enough memory to reload the configuration. </description> </rule> <rule id="12145" level="1"> <if_sid>12100</if_sid> <regex>zone transfer \S+ denied</regex> <description>zone transfer denied</description> </rule> <rule id="12146" level="0"> <if_sid>12100</if_sid> <match>error sending response: host unreachable$</match> <description>Cannot send a DNS response.</description> </rule> <rule id="12147" level="0"> <if_sid>12100</if_sid> <regex>update forwarding \.+ denied$</regex> <description>Cannot update forwarding domain.</description> </rule> <rule id="12148" level="0"> <if_sid>12100</if_sid>

<match>: parsing failed$</match> <description>Parsing of a configuration file has failed.</description> </rule> </group> <!-- SYSLOG,NAMED --> [root@localhost rules]# cat named_rules.xml <!-- @(#) $Id: ./etc/rules/named_rules.xml, 2011/09/08 dcid Exp $ - Example of Named rules for OSSEC. - Copyright (C) 2009 Trend Micro Inc. - All rights reserved. - This program is a free software; you can redistribute it - and/or modify it under the terms of the GNU General Public - License (version 2) as published by the FSF - Free Software - Foundation. - License details: http://www.ossec.net/en/licensing.html --> <group name="syslog,named,"> <rule id="12100" level="0"> <decoded_as>named</decoded_as> <description>Grouping of the named rules</description> </rule> <rule id="12101" level="12"> <if_sid>12100</if_sid> <match>dropping source port zero packet from</match> <description>Invalid DNS packet. Possibility of attack.</description> <group>invalid_access,</group> </rule> <rule id="12102" level="9"> <if_sid>12100</if_sid> <match>denied AXFR from</match> <description>Failed attempt to perform a zone transfer.</description> <group>access_denied,</group> </rule> <rule id="12103" level="4"> <if_sid>12100</if_sid> <match>denied update from|unapproved update from</match> <description>DNS update denied. </description> <description>Generally mis-configuration.</description> <info type="link">http://seclists.org/incidents/2000/May/217</info> <group>client_misconfig,</group> </rule> <rule id="12104" level="4"> <if_sid>12100</if_sid> <match>unable to rename log file</match> <description>Log permission misconfiguration in Named.</description> <group>system_error,</group> </rule> <rule id="12105" level="4"> <if_sid>12100</if_sid>

<match>unexpected RCODE </match> <description>Unexpected error while resolving domain.</description> </rule> <rule id="12106" level="4"> <if_sid>12100</if_sid> <match>refused notify from non-master</match> <description>DNS configuration error.</description> </rule> <rule id="12107" level="0"> <if_sid>12100</if_sid> <regex>update \S+ denied</regex> <description>DNS update using RFC2136 Dynamic protocol.</description> </rule>

<rule id="12113" level="0"> <if_sid>12100</if_sid> <match>zone transfer deferred due to quota</match> <description>Zone transfer deferred.</description> </rule>

<rule id="12117" level="1"> <if_sid>12100</if_sid> <regex>refresh: retry limit for master \S+ exceeded</regex> <description>Zone transfer retry limit exceeded</description> </rule> <rule id="12118" level="1"> <if_sid>12100</if_sid> <match>already exists previous definition</match> <description>Zone has been duplicated.</description> </rule>

<rule id="12122" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description> </rule>

<rule id="12127" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description> </rule> <rule id="12128" level="1"> <if_sid>12100</if_sid> <match>^transfer of|</match> <match>AXFR started$</match> <description>Zone transfer.</description> </rule>

<rule id="12133" level="4"> <if_sid>12100</if_sid> <regex>open: \S+: permission denied$</regex> <description>Could not open configuration file, permission denied.</description> </rule> <rule id="12134" level="4"> <if_sid>12100</if_sid> <match>loading configuration: permission denied</match> <description>Could not open configuration file, permission denied.</description> </rule>

<rule id="12143" level="0"> <if_sid>12100</if_sid> <match>automatic empty zone</match> <description>named has created an automatic empty zone.</description> </rule>

<rule id="12145" level="1"> <if_sid>12100</if_sid> <regex>zone transfer \S+ denied</regex> <description>zone transfer denied</description> </rule>

<rule id="12147" level="0"> <if_sid>12100</if_sid> <regex>update forwarding \.+ denied$</regex> <description>Cannot update forwarding domain.</description> </rule> <group name="syslog,msftp,"> <rule id="11500" level="0"> <decoded_as>msftp</decoded_as> <description>Grouping for the Microsoft ftp rules.</description> </rule> <rule id="11501" level="3"> <if_sid>11500</if_sid> <action>USER</action> <description>New FTP connection.</description> <group>connection_attempt,</group> </rule> <rule id="11502" level="5"> <if_sid>11500</if_sid> <action>PASS</action> <id>530</id> <description>FTP Authentication failed.</description> <group>authentication_failed,</group> </rule> <rule id="11503" level="3"> <if_sid>11500</if_sid> <action>PASS</action> <id>230</id> <description>FTP Authentication success.</description> <group>authentication_success,</group> </rule> <rule id="11504" level="4"> <if_sid>11500</if_sid> <id>^5</id> <description>FTP client request failed.</description> </rule> <rule id="11510" level="10" frequency="6" timeframe="120"> <if_matched_sid>11502</if_matched_sid> <description>FTP brute force (multiple failed logins).</description> <group>authentication_failures,</group> </rule> <rule id="11511" level="10" frequency="8" timeframe="30"> <if_matched_sid>11501</if_matched_sid> <same_source_ip /> <description>Multiple connection attempts from same source.</description> <group>recon,</group> </rule> <rule id="11512" level="10" frequency="6" timeframe="120"> <if_matched_sid>11504</if_matched_sid> <same_source_ip /> <description>Multiple FTP errors from same source.</description> </rule>

</group> <!-- SYSLOG,PURE-FTPD --> <group>group_changed,win_group_changed,</group> <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info> </rule> <!-- Kerberos failures that may indicate an attack --> <rule id="18170" level="10"> <if_sid>18139</if_sid> <match>Failure Code: 0x1F</match> <description>Windows DC integrity check on decrypted </description> <description>field failed.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18171" level="10"> <if_sid>18139</if_sid> <match>Failure Code: 0x22</match> <description>Windows DC - Possible replay attack.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18172" level="7"> <if_sid>18139</if_sid> <match>Failure Code: 0x25</match> <description>Windows DC - Clock skew too great.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240"> <if_matched_sid>18125</if_matched_sid> <description>Multiple remote access login failures.</description> <group>authentication_failures,</group> </rule> </group> <rule id="31501" level="6"> <if_sid>31100</if_sid> <match>POST /</match> <url>/wp-comments-post.php</url> <regex>Googlebot|MSNBot|BingBot</regex> <description>WordPress Comment Spam (coming from a fake search engine UA).</description> </rule> <!-- Timthumb scans. --> <rule id="31502" level="6"> <if_sid>31100</if_sid> <url>thumb.php|timthumb.php</url> <regex> "GET \S+thumb.php?src=\S+.php</regex> <description>TimThumb vulnerability exploit attempt.</description> </rule>

<!-- osCommerce login.php bypass --> <rule id="31503" level="6"> <if_sid>31100</if_sid> <url>login.php</url> <regex> "POST /\S+.php/login.php?cPath=</regex> <description>osCommerce login.php bypass attempt.</description> </rule> <!-- osCommerce file manager login.php bypass --> <rule id="31504" level="6"> <if_sid>31100</if_sid> <url>login.php</url> <regex> "GET /\S+/admin/file_manager.php/login.php</regex> <description>osCommerce file manager login.php bypass attempt.</description> </rule> <!-- Timthumb backdoor access. --> <rule id="31505" level="6"> <if_sid>31100</if_sid> <url>/cache/external</url> <regex> "GET /\S+/cache/external\S+.php</regex> <description>TimThumb backdoor access attempt.</description> </rule> <!-- Cart.php directory transversal. --> <rule id="31506" level="6"> <if_sid>31100</if_sid> <url>cart.php</url> <regex> "GET /\S+cart.php?\S+templatefile=../</regex> <description>Cart.php directory transversal attempt.</description> </rule> <!-- MSSQL IIS inject rules --> <rule id="31507" level="6"> <if_sid>31100</if_sid> <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url> <description>MSSQL Injection attempt (ur.php, urchin.js).</description> </rule> <!-- BAD/Annoying user agents --> <rule id="31508" level="6"> <if_sid>31100</if_sid> <match> "ZmEu"| "libwww-perl/</match> <description>Blacklisted user agent (known malicious user agent).</description> </rule> <!-- WordPress wp-login.php brute force --> <rule id="31509" level="3"> <if_sid>31108</if_sid> <url>wp-login.php</url> <regex>] "POST \S+wp-login.php</regex> <description>WordPress login attempt.</description> </rule> <!-- If we see frequent wp-login POST's, it is likely a bot. -->

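<!-- Four matches of 31509 from the same source IP within 120 s; after firing, the
   - same alert is suppressed for 30 s (ignore="30") to limit alert volume. -->
<rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
  <if_matched_sid>31509</if_matched_sid>
  <same_source_ip />
  <description>WordPress wp-login.php brute force attempt.</description>
</rule>

<!-- Nothing wrong with wget per se, but it misses a lot of links
   - that generates many 404s. Blocking it to avoid the noise. -->
<rule id="31511" level="6">
  <if_sid>31100</if_sid>
  <match>" "Wget/</match>
  <description>Blacklisted user agent (wget).</description>
</rule>

<!-- Uploadify scans: a remote http:// .php handed to uploadify.php via src.
   - NOTE(review): the description still says "TimThumb" (copied from 31502/31512's
   - sibling); alerts from this rule are about uploadify.php. -->
<rule id="31512" level="6">
  <if_sid>31100</if_sid>
  <url>uploadify.php</url>
  <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
  <description>TimThumb vulnerability exploit attempt.</description>
</rule>

<!-- BBS delete.php skin_path: a remote http:// .php passed as board_skin_path. -->
<rule id="31513" level="6">
  <if_sid>31100</if_sid>
  <url>delete.php</url>
  <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
  <description>BBS delete.php exploit attempt.</description>
</rule>

<!-- Anomaly rules - Used on common web attacks.
   - A %00 (encoded NUL) inside a .php query string. -->
<rule id="31550" level="6">
  <if_sid>31100</if_sid>
  <url>%00</url>
  <regex> "GET /\S+.php?\S+%00</regex>
  <description>Anomaly URL query (attempting to pass null termination).</description>
</rule>

<!-- Base access-log rules. Every rule above that uses <if_sid>31100</if_sid>
   - depends on this group being loaded. -->
<group name="web,accesslog,">
<!-- Parent rule for all web access-log events; level 0 = grouping only, no alert. -->
<rule id="31100" level="0">
  <category>web-log</category>
  <description>Access log messages grouped.</description>
</rule>

<!-- 2xx/3xx responses to "simple" requests (as decided by the compiled rule
   - is_simple_http_request) are dropped to level 0. Other rules (e.g. 31509)
   - chain on this id to look only at requests the server answered normally. -->
<rule id="31108" level="0">
  <if_sid>31100</if_sid>
  <id>^2|^3</id>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored URLs (simple queries).</description>
</rule>

<!-- Any 4xx status (<id> matches the HTTP status code). -->
<rule id="31101" level="5">
  <if_sid>31100</if_sid>
  <id>^4</id>
  <description>Web server 400 error code.</description>
</rule>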

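<!-- 4xx on static assets is ordinary noise (missing favicon, robots.txt, images);
   - drop it to level 0. The dots are unescaped, which in OSSEC regex means
   - "any character" - harmless here, but the match is looser than it looks. -->
<rule id="31102" level="0">
  <if_sid>31101</if_sid>
  <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored extensions on 400 error codes.</description>
</rule>

<!-- SQL keywords and tokens in the URL (plain and URL-encoded forms). Consecutive
   - <url> elements are concatenated into one alternation by the rule loader. -->
<rule id="31103" level="6">
  <if_sid>31100</if_sid>
  <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
  <url>union+|where+|null,null|xp_cmdshell</url>
  <description>SQL injection attempt.</description>
  <group>attack,sql_injection,</group>
</rule>

<rule id="31104" level="6">
  <if_sid>31100</if_sid>
  <!-- Attempt to do directory traversal, simple sql injections,
     - or access to the etc or bin directory (unix).
     - NOTE(review): the bare ".." alternative at the end of the first <url>
     - looks like extraction damage - with "." meaning any character it would
     - match almost every URL. Confirm this line against the upstream rule file. -->
  <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
  <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
  <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
  <url>cat%20|exec%20|rm%20</url>
  <description>Common web attack.</description>
  <group>attack,</group>
</rule>

<!-- Script tags and event-handler attributes, plain and URL-encoded. -->
<rule id="31105" level="6">
  <if_sid>31100</if_sid>
  <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
  <url>%20ONLOAD=|INPUT%20|iframe%20</url>
  <description>XSS (Cross Site Scripting) attempt.</description>
  <group>attack,</group>
</rule>

<!-- One of the three attack signatures above answered with HTTP 200: worth
   - separating from the blocked/404 cases when triaging. -->
<rule id="31106" level="6">
  <if_sid>31103, 31104, 31105</if_sid>
  <id>^200</id>
  <description>A web attack returned code 200 (success).</description>
  <group>attack,</group>
</rule>

<!-- php-cgi query-string switch injection: a query that starts with a php-cgi
   - command-line option (-d, -s, -a, -b, -w). -->
<rule id="31110" level="6">
  <if_sid>31100</if_sid>
  <url>?-d|?-s|?-a|?-b|?-w</url>
  <description>PHP CGI-bin vulnerability attempt.</description>
  <group>attack,</group>
</rule>

<!-- MSSQL injection built from a chain of char() calls cast to varchar(8000).
   - The regex below had a stray space ("\d+\ )") inserted by line wrapping in the
   - extraction; it is restored to six repeated "%2Bchar\(\d+\)" groups. -->
<rule id="31109" level="6">
  <if_sid>31100</if_sid>
  <url>+as+varchar(8000)</url>
  <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
  <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
  <group>attack,</group>
</rule>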

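<!-- If your site has a search engine, you may need to ignore
   - it in here. Level 0 here silences 31103/31104/31105 entirely for the
   - listed URLs, so anything injected into the search parameter itself is no
   - longer alerted on; keep this list as narrow as possible. -->
<rule id="31107" level="0">
  <if_sid>31103, 31104, 31105</if_sid>
  <url>^/search.php?search=|^/index.php?searchword=</url>
  <description>Ignored URLs for the web attacks</description>
</rule>

<!-- Access-log lines longer than 5900 bytes (maxsize is the whole log line,
   - not just the URL). -->
<rule id="31115" level="13" maxsize="5900">
  <if_sid>31100</if_sid>
  <description>URL too long. Higher than allowed on most </description>
  <description>browsers. Possible attack.</description>
  <group>invalid_access,</group>
</rule>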
