This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

stash example rules

bui edited this page Jul 12, 2016 · 1 revision

FIXMEFIXME

Examples

This looks for the string Submit=Run on the URL /script, with the POST variable Submit present:

MainRule "msg:detection Submit=Run in POST" "str:Submit=Run" "mz:$URL:/script|$BODY_VAR:Submit" "s:$ATTACK" id:1230001;

This looks for requests to the /hidden.html URL:

MainRule "msg:detection URL-Access" "str:/hidden.html" "mz:URL" "s:$ATTACK" id:1230002;

This detects the string jjoplmh in the cms GET variable:

MainRule "str:jjoplmh" "msg:Possible Wordpress-Plugin-Backdoor detected" "mz:$ARGS_VAR:cms" "s:$UWA:8" id:42000347;
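
A small rule checker, added here as an example (it is not part of naxsi or of the original page): it splits a MainRule line into its msg/str/mz/s/id fields, breaks the match zone on "|", and reports malformed tokens before the rule is loaded. The function name parse_rule and the accepted zone list are assumptions of this sketch and cover only a subset of naxsi's rule grammar.

```python
import re
import shlex

# Field prefixes seen in the rules on this page, plus rx: (regex match).
FIELDS = ("msg", "str", "rx", "mz", "s", "id")
# Match-zone forms accepted here; a simplification, not naxsi's full grammar.
ZONE_RE = re.compile(
    r"^(URL|ARGS|BODY|HEADERS|\$(URL|ARGS_VAR|BODY_VAR|HEADERS_VAR):.+)$")

def parse_rule(line):
    """Return (fields, problems) for one MainRule line."""
    tokens = shlex.split(line.strip().rstrip(";"))
    if not tokens or tokens[0] != "MainRule":
        return {}, ["not a MainRule line"]
    fields, problems = {}, []
    for tok in tokens[1:]:
        key, sep, value = tok.partition(":")
        if not sep or key not in FIELDS:
            problems.append(f"unrecognised token {tok!r}")
        elif not value:
            problems.append(f"'{key}:' has no value (space after the colon?)")
        else:
            fields[key] = value
    if not fields.get("id", "").isdigit():
        problems.append("missing or non-numeric id")
    if "str" not in fields and "rx" not in fields:
        problems.append("no str: or rx: pattern")
    zones = fields["mz"].split("|") if "mz" in fields else []
    for zone in zones:
        if not ZONE_RE.match(zone):
            problems.append(f"unknown match zone {zone!r}")
    if not zones:
        problems.append("no mz: match zone")
    fields["zones"] = zones
    return fields, problems

# Constructed input: the three rules above; the first is a variant with a
# space after "id:", which nginx tokenises as two separate arguments.
SAMPLE = [
    'MainRule "msg:detection Submit=Run in POST" "str:Submit=Run" '
    '"mz:$URL:/script|$BODY_VAR:Submit" "s:$ATTACK" id: 1230001;',
    'MainRule "msg:detection URL-Access" "str:/hidden.html" "mz:URL" '
    '"s:$ATTACK" id:1230002;',
    'MainRule "str:jjoplmh" "msg:Possible Wordpress-Plugin-Backdoor detected" '
    '"mz:$ARGS_VAR:cms" "s:$UWA:8" id:42000347;',
]

if __name__ == "__main__":
    for line in SAMPLE:
        fields, problems = parse_rule(line)
        print(fields.get("id", "?"), fields.get("zones"), problems or "ok")
```
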

naxsi_core.rules contains further example rules. See also mex's Doxi rules for more examples (Doxi is a third-party rule set that focuses on emerging threats).
