[ossec-dev] ossec-hids: apache_rules.xml (HEAD) squid_rules.xml (HEAD) web_rules.xml (HEAD) [dcid]
- To: dancid@xxxxxxxxxxxxxxx
- Subject: [ossec-dev] ossec-hids: apache_rules.xml (HEAD) squid_rules.xml (HEAD) web_rules.xml (HEAD) [dcid]
- From: OSSEC CVS <cvs-commit@xxxxxxxxx>
- Date: Thu, 14 Sep 2006 22:39:41 -0300 (ADT)
- Content-transfer-encoding: 8bit
Module name: ossec-hids
Changes by: dcid 06/09/14 22:39:38
Modified files:
apache_rules.xml squid_rules.xml web_rules.xml
Log message:
Description: Adding more Apache and Squid rules.
Reviewed by: dcid
Bug:
Index: apache_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/apache_rules.xml,v
diff -u -r1.24 -r1.25
--- apache_rules.xml 13 Sep 2006 14:13:05 -0000 1.24
+++ apache_rules.xml 15 Sep 2006 01:39:38 -0000 1.25
@@ -127,6 +127,19 @@
<match>File name too long|request failed: URI too long</match>
<description>Invalid URI, file name too long.</description>
</rule>
+
+ <!-- Mod security rules by <ossec ( at ) sioban.net -->
+ <rule id="30118" level="6">
+ <if_sid>30101</if_sid>
+ <match>mod_security: Access denied</match>
+ <description>Access attempt blocked by Mod Security.</description>
+ </rule>
+
+ <rule id="30119" level="12" frequency="6" timeframe="120">
+ <if_matched_sid>30118</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple attempts blocked by Mod Security.</description>
+ </rule>
</group> <!-- ERROR_LOG,APACHE -->
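Review bot: The contributor credit on the new block, `<!-- Mod security rules by <ossec ( at ) sioban.net -->`, opens a literal `<` that is never closed; it is legal inside an XML comment but reads like a broken tag and will confuse anyone grepping the rule files for tags, so `<!-- Mod security rules, contributed by ossec ( at ) sioban.net -->` is clearer. Rule 30119 also hard-codes `frequency="6"` while the Squid correlation rule added in this same commit reads its threshold from `$SQUID_FREQ`; if an equivalent variable exists for the Apache rules it would be worth using it, otherwise a short comment stating why 6 hits in 120 seconds was chosen would help later tuning. The enclosing `<group>` starts outside the hunk.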
Index: squid_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/squid_rules.xml,v
diff -u -r1.22 -r1.23
--- squid_rules.xml 12 Sep 2006 18:46:26 -0000 1.22
+++ squid_rules.xml 15 Sep 2006 01:39:38 -0000 1.23
@@ -28,8 +28,8 @@
<rule id="35002" level="4">
<if_sid>35000</if_sid>
- <id>^4</id>
- <description>Squid generic 400 error code.</description>
+ <id>^4|^5|^6</id>
+ <description>Squid generic error codes.</description>
</rule>
<rule id="35003" level="5">
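Review bot: Widening 35002 from `^4` to `^4|^5|^6` changes what every rule chained on `if_sid 35002` receives: children that assumed a 4xx code now also see 5xx and 6xx events, and 35003, which begins on the last line of this hunk and continues outside it, should be checked for an `<id>` of its own. The new description `Squid generic error codes.` is accurate but a comment naming the classes, e.g. `<!-- 4xx client errors, 5xx server errors, 6xx non-standard codes Squid may log -->`, would save the next reader from decoding the alternation.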
@@ -71,6 +71,12 @@
<id>^4</id>
<description>Squid 400 error code (request failed).</description>
</rule>
+
+ <rule id="35009" level="5">
+ <if_sid>35002</if_sid>
+ <id>^5|^6</id>
+ <description>Squid 500/600 error code (server error).</description>
+ </rule>
<!-- Special rules for 403/404 errors -->
<rule id="35021" level="6">
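Review bot: Rule 35009 matches `^5|^6`, but HTTP defines no 6xx status class (RFC 2616 section 10, which the web_rules change in this commit links, stops at 5xx), so the `^6` alternative and the "500/600" wording in the description need a one-line justification, e.g. `<!-- 6xx is not an RFC 2616 class; included for non-standard codes seen in Squid access logs - confirm -->`. If 6xx never appears in practice, dropping `^6` keeps the rule honest to its description. The 35021 rule starting on the last line continues outside the hunk.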
@@ -156,6 +162,12 @@
<if_matched_sid>35008</if_matched_sid>
<same_source_ip />
<description>Multiple 400 error codes (requests failed).</description>
+ </rule>
+
+ <rule id="35058" level="10" frequency="$SQUID_FREQ" timeframe="240">
+ <if_matched_sid>35009</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple 500/600 error codes (server error).</description>
</rule>
<rule id="35095" level="0" frequency="2" timeframe="360">
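Review bot: Rule 35058 raises a level 10 alert when one source IP accumulates `$SQUID_FREQ` 5xx/6xx responses within 240 seconds, but 5xx codes are failures on the origin or proxy side, so an upstream outage will make every active client trip this rule at once and flood the alert channel for the duration. Consider a lower level, or at least stating the intent in the description, e.g. `Multiple 500/600 error codes from same source ip (server error; may also indicate an upstream outage).`. The same concern applies to web_rules 31161-31163 later in this commit. The 35095 rule on the last line continues outside the hunk.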
Index: web_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/web_rules.xml,v
diff -u -r1.16 -r1.17
--- web_rules.xml 12 Sep 2006 18:46:26 -0000 1.16
+++ web_rules.xml 15 Sep 2006 01:39:38 -0000 1.17
@@ -14,12 +14,13 @@
<rule id="31101" level="5">
<if_sid>31100</if_sid>
- <id>^40</id>
+ <id>^4</id>
<description>Web server 400 error code.</description>
</rule>
<rule id="31102" level="0">
<if_sid>31101</if_sid>
+ <id>^403|^404</id>
<url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$</url>
<!-- Add any other url to be ignored in here
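Review bot: Rule 31101 now matches `^4`, i.e. every 4xx response, but its description still reads `Web server 400 error code.`; the Squid counterpart in this commit was reworded when it was widened, so this one should be too, e.g. `<description>Web server 4xx error code.</description>`. Note that 31102's new `<id>^403|^404</id>` narrows the level 0 static-file ignore to those two codes, so other 4xx hits on the listed extensions now alert at level 5 through 31101; presumably intended, but worth a word in the comment below the url list. The hunk ends inside the 31102 rule and its comment.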
@@ -73,11 +74,38 @@
<rule id="31115" level="13" maxsize="2900">
<if_sid>31100</if_sid>
- <description>Very large HTTP URL. Higher than allowed on most browsers.</description>
- <description>Possible attack or attempt to bypass detection.</description>
+ <description>URL too long. Higher than allowed on most browsers. Possible attack.</description>
</rule>
-
+ <!-- 500 error codes, server error
+ - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+ -->
+ <rule id="31120" level="5">
+ <if_sid>31100</if_sid>
+ <id>^50</id>
+ <description>Web server 500 error code (server error).</description>
+ </rule>
+
+ <rule id="31121" level="4">
+ <if_sid>31120</if_sid>
+ <id>^501</id>
+ <description>Web server 501 error code (Not Implemented).</description>
+ </rule>
+
+ <rule id="31122" level="5">
+ <if_sid>31120</if_sid>
+ <id>^500</id>
+ <options>alert_by_email</options>
+ <description>Web server 500 error code (Internal Error).</description>
+ </rule>
+
+ <rule id="31123" level="4">
+ <if_sid>31120</if_sid>
+ <id>^503</id>
+ <options>alert_by_email</options>
+ <description>Web server 503 error code (Service unavailable).</description>
+ </rule>
+
<rule id="31151" level="10" frequency="10" timeframe="120">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
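Review bot: Rules 31122 and 31123 set `<options>alert_by_email</options>` on single events at level 5 and 4, which in OSSEC forces an e-mail for each matching log line regardless of the global alert level, so a server returning 500s under load or a 503 during maintenance will send one message per request. Since 31162 and 31163 later in this commit already correlate repeated 500/503 codes, the option seems better placed on those correlation rules than on the per-event ones. Also, the parent 31120 uses `^50`, which covers 500-509 (the whole RFC 2616 5xx set the new comment links) but not 510 or later codes; `^5` would be the simpler anchor if catching all server errors is the intent, in which case the description should say "5xx" rather than "500". The 31151 rule beginning on the last lines continues outside the hunk.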
@@ -105,4 +133,21 @@
<description>from same souce ip.</description>
</rule>
+ <rule id="31161" level="10" frequency="8" timeframe="120">
+ <if_matched_sid>31121</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple web server 501 error code (Not Implemented).</description>
+ </rule>
+
+ <rule id="31162" level="10" frequency="5" timeframe="120">
+ <if_matched_sid>31122</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple web server 500 error code (Internal Error).</description>
+ </rule>
+
+ <rule id="31163" level="10" frequency="8" timeframe="120">
+ <if_matched_sid>31123</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple web server 503 error code (Service unavailable).</description>
+ </rule>
</group> <!-- Web access log -->
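Review bot: The descriptions of 31161-31163 read `Multiple web server 501 error code (Not Implemented).` and so on; "codes" is wanted in all three, e.g. `Multiple web server 501 error codes (Not Implemented).`. The thresholds are also hard-coded (8, 5, 8) whereas the Squid equivalent in this commit takes `$SQUID_FREQ`; if the web rules have a comparable variable it would keep tuning in one place. The context line `from same souce ip.` just above carries a pre-existing typo ("source") that could be fixed in passing. The enclosing `<group>` starts outside the hunk.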