forked from nbs-system/naxsi-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Scanner.rules
46 lines (46 loc) · 4.56 KB
/
Scanner.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
MainRule "str:havij" "msg:Havij-SQL_scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000312 ;
MainRule "str:http://http://" "msg:Abnormal double http:// in HTTP header," "mz:HEADERS" "s:$UWA:8" id:42000310 ;
# http://pastebin.com/NP64hTQr# http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/
# If using wp then turn off this rule
MainRule "str:wordpress/" "msg:Wordpress-UA, probably Botnet-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000317 ;
# https://github.com/robertdavidgraham/masscan
MainRule "str:masscan/" "msg:MASSCAN - UA Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000326 ;
# sensepost Wiko/Nikto-Clone filescan
MainRule "str:sensepostnotthere" "msg:SensePost Wikto-Scanner" "mz:URL" "s:$ATTACK:8" id:42000452 ;
# block acunetix scan
MainRule "str:99999999999999999999999" "msg:acunetix scan nginx buffer size " "mz:$HEADERS_VAR:Content-length" "s:$UWA:8" id:42001326 ;
MainRule "str:acunetix" "msg:acunetix scan website " "mz:URL|BODY|$HEADERS_VAR:Accept|$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42001327 ;
MainRule "str:acunetix/wvs" "msg:acunetix scan website " "mz:$HEADERS_VAR:Accept" "s:$UWA:8" id:42001328 ;
MainRule "str:webmole" "msg:Scanner webmole" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000159 ;
MainRule "str:nlpproject.info" "msg:Some Scanner nlpproject.info" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000454 ;
MainRule "str:cloudmapping" "msg:Cloud-Mapping-Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000453 ;
MainRule "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364 ;
MainRule "str:brutus/" "msg:Brutus - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000258 ;
MainRule "str:/phpmyadmin" "msg:PHPMyAdmin - Scanner (2) " "mz:URL" "s:$UWA:8" id:42000244 ;
MainRule "str:/pma" "msg:PHPMyAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000243 ;
MainRule "str:/phppgadmin " "msg:PHPPgAdmin - Scanner" "mz:URL" "s:$UWA:8" id:42000242 ;
MainRule "str:/mysqldumper " "msg:MysqlDumper - Scanner " "mz:URL" "s:$UWA:8" id:42000241 ;
MainRule "str:apachebench" "msg:AB - ApacheBenchmark-Tool detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000240 ;
MainRule "str:/netsparker" "msg:Netsparker-Scan in Progress" "mz:URL" "s:$UWA:8" id:42000202 ;
MainRule "str:sqlmap" "msg:Scanner sqlmap sql injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000203 ;
MainRule "str:mysqloit" "msg:Scanner Mysqloit - Mysql Injection Takover Tool" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000200 ;
MainRule "str:network-services-auditor" "msg:Scanner IBM NSA User Agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000198 ;
MainRule "str:dav.pm" "msg:Scanner DavTest WebDav Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000194 ;
MainRule "str:w3af" "msg:Scanner w3af" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000178 ;
MainRule "str:http_get_vars" "msg:PHP-Injetion on UA" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000174 ;
MainRule "str:whisker" "msg:Scanner whisker" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000171 ;
MainRule "str:whatweb" "msg:Scanner whatweb" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000151 ;
MainRule "str:dirbuster" "msg:DirBuster Web App Scan in Progress" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000036 ;
MainRule "str:gzinflate(" "msg:gzinflate in URI" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000259 ;
MainRule "str:/bin/sh" "msg:/bin/sh in URI" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "s:$UWA:8" id:42000257 ;
MainRule "str:.conf" "msg:possible CONF-File - Access" "mz:URL" "s:$UWA:8" id:42000252 ;
MainRule "str:.ini" "msg:possible INI - File - Access" "mz:URL" "s:$UWA:8" id:42000254 ;
MainRule "str:/sftp-config.json" "msg:SFTP-config-file access" "mz:URL|BODY" "s:$ATTACK:8,$UWA:8" id:42000084 ;
# https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
# https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d#diff-a35f2ee9e1d2d3983a3270ee10ec70bf86349c53febdeabdf104f88cb2167961R370
# prevent php supply chain attack
MainRule "str:zerodium" "msg:php supply chain attack " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000085 ;
# prevent log4j attack
# info https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
# payload check https://github.com/johto89/Some-collections-for-Security-Researcher/blob/master/log4j-all-in-one.md
MainRule "str:${" "msg:log4j attack detection " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000086;