首页 | 电脑 | 安全 | 安全工具

snort规则之常见web漏洞扫描器

2017年02月22日 原文

snort规则之常见web漏洞扫描器。之前工作中搭建开源IDS,架构是suricata+barnyard2+snort规则。跟同事测试写了一些常见web漏洞扫描器的规则,分享出来。很多都是根据UA来识别的,因此比较简单,可能也会有误报。

#Web app scan tools rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)

#Web vul rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)

{C}alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"//proc/(d+|self)/environ/iUs"; classtype:web-application-attack; sid:80000073; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"GET"; http_method; uricontent:"javascript|3a|"; nocase; classtype:web-application-attack; sid:80000074; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"lang|2e|Runtime"; nocase; classtype:web-application-attack; sid:80000075; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getInputStream"; nocase; classtype:web-application-attack; sid:80000076; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getRuntime"; nocase; classtype:web-application-attack; sid:80000077; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"|29 2e|exec|28|"; nocase; classtype:web-application-attack; sid:80000078; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; content:"GET"; http_method; pcre:"/(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*.rar/iUs"; classtype:web-application-attack; sid:80000079; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/order(.*)by(.*)d/is"; classtype:web-application-attack; sid:80000080; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")/is"; classtype:web-application-attack; sid:80000081; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:Wselect.+W*from)/is"; classtype:web-application-attack; sid:80000082; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(?:select|create|rename|truncate|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*()/is"; classtype:web-application-attack; sid:80000083; rev:11;)

#oracle inject

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*()/is"; classtype:web-application-attack; sid:80000084; rev:11;)

#mssql inject

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:procedures+analyses*()|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs*(s*@)/is"; classtype:web-application-attack; sid:80000085; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+)/is"; classtype:web-application-attack; sid:80000086; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:sexecs+xp_cmdshell)|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:execs+master.)|(?:unionx20selectx20@)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+(?:dump|out)files*")/is"; classtype:web-application-attack; sid:80000087; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XML Injection found"; flow:to_server,established; pcre:"//is"; classtype:web-application-attack; sid:80000090; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/(?:w.exe??s)|(?:d.dx|)|(?:%(?:c0.|af.|5c.))|(?:/(?:%2e){2})/is"; classtype:web-application-attack; sid:80000091; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/is"; classtype:web-application-attack; sid:80000092; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)[/is"; classtype:web-application-attack; sid:80000093; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; pcre:"/(?:b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)b|/etc/)/iUs"; classtype:web-application-attack; sid:80000094; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; content:"GET"; http_method; uricontent:"phpinfo"; nocase; classtype:web-application-attack; sid:80000095; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(?:wscript:|@import[^w]|;base64|base64,)/is"; classtype:web-application-attack; sid:80000100; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(fromcharcode|alert|eval)s*(/is"; classtype:web-application-attack; sid:80000101; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"allowscriptaccess"; nocase; classtype:web-application-attack; sid:80000102; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/is"; classtype:web-application-attack; sid:80000103; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; conten

相关链接