web-cgi.rules

入侵检测系统.linux下与MySql连用的例子

# $Id: web-cgi.rules,v 1.12 2001/07/29 16:36:35 cazz Exp $
#--------------
# WEB-CGI RULES
#--------------
#

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI HyperSeek directory traversal attempt"; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; flags:A+; reference:bugtraq,2314; reference:cve,CAN-2001-0253; classtype:attempted-recon; sid:803; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; uricontent:"/s.cgi"; nocase; content:"tmpl="; dsize:>500; flags:A+; reference:bugtraq,2492; classtype:attempted-dos; sid:804; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webspeed access"; flags: A+; uricontent: "/wsisa.dll/WService="; nocase; content: "WSMadmin"; nocase;reference:arachnids,467; classtype:attempted-user; sid:805; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI yabb access"; flags: A+; uricontent: "/YaBB.pl"; content: "../";reference:arachnids,462; classtype:attempted-recon; sid:806; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wwwboard passwd access"; flags: A+; uricontent: "/wwwboard/passwd.txt"; nocase;reference:arachnids,463; classtype:attempted-recon; sid:807; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webdriver access"; flags: A+; uricontent: "/webdriver"; nocase;reference:arachnids,473;classtype:attempted-recon; sid:808; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI whoisraw attempt"; flags: A+; uricontent: "/whois_raw.cgi?"; content: "|0a|";reference:arachnids,466;classtype:attempted-recon; sid:809; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI whoisraw access"; flags: A+; uricontent: "/whois_raw.cgi"; reference:arachnids,466;classtype:attempted-recon; sid:810; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI websitepro path access"; flags: A+; uricontent: " /HTTP/1."; nocase;reference:arachnids,468;classtype:attempted-recon; sid:811; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus version access"; flags: A+; uricontent: "/webplus?about "; nocase;reference:arachnids,470;classtype:attempted-recon; sid:812; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webplus directory trasversal"; flags: A+; uricontent: "/webplus?script"; nocase; content: "../";reference:arachnids,471;classtype:attempted-recon; sid:813; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI websendmail access"; flags: A+; uricontent: "/websendmail"; nocase; reference:cve,CVE-1999-0196; reference:arachnids,469; reference:bugtraq,2077; classtype:attempted-recon; sid:815; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi invalid user addition attempt"; flags:A+; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; classtype:attempted-admin; sid:817; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI dcforum.cgi access"; flags: A+; uricontent:"/dcforum.cgi"; flags:a+;classtype:attempted-recon; sid:818; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI mmstdod.cgi access"; uricontent:"/mmstdod.cgi"; nocase; flags:a+;classtype:attempted-recon; sid:819; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anaconda directory transversal attempt"; flags: A+; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:cve,CVE-2000-0975; reference:bugtraq,2388;classtype:attempted-recon; sid:820; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI imagemap overflow attempt"; dsize: >1000; flags: A; uricontent: "/imagemap.exe?"; depth: 32; nocase; reference:arachnids,412;classtype:attempted-recon; sid:821; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI cvsweb.cgi access"; flags: A+; uricontent:"/cvsweb.cgi"; nocase; reference:cve,CVE-2000-0670; reference:bugtraq,1469;classtype:attempted-recon; sid:823; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI php access";flags: A+; uricontent:"/php.cgi"; nocase; reference:bugtraq,2250; reference:arachnids,232; classtype:attempted-recon; sid:824; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI glimpse access"; flags:A+; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; sid:825; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI htmlscript access";flags: A+; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,CVE-1999-0264; classtype:attempted-recon; sid:826; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI info2www access";flags: A+; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,CVE-1999-0266; classtype:attempted-recon; sid:827; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI maillist.pl access";flags: A+; uricontent:"/maillist.pl"; nocase;classtype:attempted-recon; sid:828; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI nph-test-cgi access";flags: A+; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:cve,CVE-1999-0045; reference:bugtraq,686; classtype:attempted-recon; sid:829; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI NPH-publish access";flags: A+; uricontent:"/nph-publish"; nocase;classtype:attempted-recon; sid:830; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perl.exe access";flags: A+; uricontent:"/perl.exe"; nocase; reference:arachnids,219;classtype:attempted-recon; sid:832; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rguest.exe access";flags: A+; uricontent:"/rguest.exe"; nocase; reference:cve,CAN-1999-0467; reference:bugtraq,2024; classtype:attempted-recon; sid:833; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI rwwwshell.pl  access";flags: A+; uricontent:"/rwwwshell.pl"; nocase;classtype:attempted-recon; sid:834; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test-cgi access"; flags: A+; uricontent:"/test-cgi"; nocase; reference:cve,CVE-1999-0070; reference:arachnids,218;classtype:attempted-recon; sid:835; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI testcounter.pl access";flags: A+; uricontent:"/textcounter.pl"; nocase;classtype:attempted-recon; sid:836; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI uploader.exe access";flags: A+; uricontent:"/uploader.exe"; nocase;reference:cve,CVE-1999-0177;classtype:attempted-recon; sid:837; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI webgais access";flags: A+; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,CVE-1999-0176;classtype:attempted-recon; sid:838; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI finger access"; flags: A+; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,CVE-1999-0612;classtype:attempted-recon; sid:839; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI perlshop.cgi access";flags: A+; uricontent:"/perlshop.cgi"; nocase;classtype:attempted-recon; sid:840; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI pfdisplay.cgi access";flags: A+; uricontent:"/pfdisplay.cgi"; nocase; reference:bugtraq,64; reference:cve,CVE-1999-0270;classtype:attempted-recon; sid:841; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI aglimpse access";flags: A+; uricontent:"/aglimpse"; nocase; reference:cve,CVE-1999-0147; reference:bugtraq,2026; classtype:attempted-recon; sid:842; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI anform2 access";flags: A+; uricontent:"/AnForm2"; nocase; reference:cve,CVE-1999-0066; reference:arachnids,225;classtype:attempted-recon; sid:843; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI args.bat access";flags: A+; uricontent:"/args.bat"; nocase;classtype:attempted-recon; sid:844; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access";flags: A+; uricontent:"/AT-admin.cgi"; nocase;classtype:attempted-recon; sid:845; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI bnbform.cgi access";flags: A+; uricontent:"/bnbform.cgi"; nocase; reference:cve,CVE-1999-0937; reference:bugtraq,1469; classtype:attempted-recon; sid:846; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI campas access";flags: A+; uricontent:"/campas"; nocase; reference:cve,CVE-1999-0146; reference:bugtraq,1975; classtype:attempted-recon; sid:847; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source directory traversal";flags: A+; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:848; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source access";flags: A+; uricontent:"/view-source"; nocase; reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:849; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wais.p access";flags: A+; uricontent:"/wais.pl";nocase;classtype:attempted-recon; sid:850; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI files.pl access";flags: A+; uricontent:"/files.pl"; nocase;classtype:attempted-recon; sid:851; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wguest.exe access";flags: A+; uricontent:"/wguest.exe"; nocase; reference:cve,CAN-1999-0467; reference:bugtraq,2024; classtype:attempted-recon; sid:852; rev:2;)