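#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

#####
#
# The rules included here were developed using mod_security 1.7.6 events
# captured in syslog through the Apache directive 'ErrorLog syslog'.
# Please report any inconsistencies on other versions to G Ramon Gomez at the
# address provided above
#
# Notes common to every rule in this file:
#  - The client address is captured with [\d\.]+ and reported as
#    ipv4-addr, so a request logged with an IPv6 client address does not
#    match any rule here and is silently dropped.
#  - None of the regexes is anchored to the end of the line; the trailing
#    literal (the final '.' in the 1.7.x rules, the [unique_id ...] field
#    in the 1.8 rules) is what stops the greedy (.+) captures. Keep that
#    trailing literal when editing a regex.
#  - "$n" refers to the n-th capture group of the regex, counted from the
#    left, optional groups included.
#
#####

# 3100: 1.7.x warning - a filter matched but the request was allowed.
#   $1 client IP, $2 the filter pattern that matched (as the administrator
#   wrote it, not client data), $3 the mod_security variable it matched in.
#LOG:May 10 08:35:36 somehost httpd[24775]: [error] [client 12.34.56.78] mod_security: Warning. Pattern match "/test\.php" at THE_REQUEST.
regex=\[client ([\d\.]+)\] mod_security: Warning\. Pattern match "(.+)" at (\S+)\.; \
 classification.text=HTTP $3 "$2"; \
 id=3100; \
 revision=4; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=mod_security found pattern match "$2" in HTTP object $3. No reactive action taken.; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 additional_data(0).type=string; \
 additional_data(0).meaning=HTTP object; \
 additional_data(0).data=$3; \
 last

# 3101: 1.7.x block - a filter matched and the request was denied with an
#   HTTP status. $1 client IP, $2 status code, $3 pattern, $4 variable.
#LOG:May 10 08:36:43 somehost httpd[24776]: [error] [client 12.34.56.78] mod_security: Access denied with code 403. Pattern match "/support/common\.php" at THE_REQUEST.
regex=\[client ([\d\.]+)\] mod_security: Access denied with code (\d+)\. Pattern match "(.+)" at (\S+)\.; \
 classification.text=HTTP $4 "$3" Blocked; \
 id=3101; \
 revision=3; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security found pattern match "$3" in HTTP object $4.; \
 assessment.action(0).category = block-installed; \
 assessment.action(0).description = Access was blocked with HTTP response code $2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=HTTP code returned; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=HTTP object; \
 additional_data(1).data=$4; \
 last

# 3102: 1.7.x block by redirect. There is no captured sample for this
#   message, so the exact shape of the "redirect to" token is unverified.
#   The pattern is captured with (.+), as in 3100/3101, so a filter pattern
#   containing whitespace still matches. $1 client IP, $2 redirect target,
#   $3 pattern, $4 variable.
#No log sample; please submit
regex=\[client ([\d\.]+)\] mod_security: Access denied with redirect to (\S+)\. Pattern match "(.+)" at (\S+)\.; \
 classification.text=HTTP $4 "$3" Redirected; \
 id=3102; \
 revision=4; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security found pattern match "$3" in HTTP object $4.; \
 assessment.action(0).category = block-installed; \
 assessment.action(0).description = Access was redirected to $2.; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Redirected to; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=HTTP object; \
 additional_data(1).data=$4; \
 last

# 3103: 1.7.x request-normalisation failure ("Invalid ... detected").
#   $1 client IP, $2 the text after "Invalid " up to the final '.'.
#   The sample below has no "[error]" token; the regex does not require it.
#LOG:May 10 08:36:43 somehost httpd[24776]: [client 200.105.93.115] mod_security: Invalid URL encoding #2 detected.
regex=\[client ([\d\.]+)\] mod_security: Invalid (.+)\.; \
 classification.text=HTTP Invalid $2; \
 id=3103; \
 revision=3; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security found "Invalid $2"; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 last

#####
#
# The rules included here were developed using mod_security 1.8 events
# captured in syslog through the Apache directive 'ErrorLog syslog'.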
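# Please report any inconsistencies on other versions to G Ramon Gomez at the
# address provided above
#
# The 1.8 format appends [hostname "..."] [uri "..."] [unique_id ...] to
# every message. The uri value is the client's request target and the
# hostname is at least partly under client control (NOTE(review): it looks
# like the Host header is used when the server does not canonicalise names;
# confirm against your Apache UseCanonicalName setting). Both are copied
# verbatim into target(0).node.name / target(0).service.web_service.url, so
# treat those fields as untrusted in downstream correlation.
#
# The unique_id is logged either bare (Jun 16 samples) or double-quoted
# (Feb 14 sample under 3105). Every regex below accepts both forms with
#   \[unique_id "?([^"\]\s]+)"?\]
# so the quotes never end up inside classification.ident.
#
#####

# 3104: 1.8 warning - a filter matched, request allowed. $1 client IP,
#   $2 pattern, $3 variable, $4 hostname, $5 uri, $6 unique_id.
#LOG:Jun 16 08:42:23 metatron httpd[10837]: [error] [client 127.0.0.1] mod_security: Warning. Pattern match "/cgforum\\.cgi" at THE_REQUEST [hostname "localhost.localdomain"] [uri "/cgi-bin/cgforum.cgi"] [unique_id Kxq9XgoBSmsAACpVN4MAAAAE]
regex=\[client ([\d\.]+)\] mod_security: Warning\. Pattern match "(.+)" at (\S+) \[hostname "(\S+)"\] \[uri "(.+)"\] \[unique_id "?([^"\]\s]+)"?\]; \
 id=3104; \
 revision=4; \
 classification.ident = $6; \
 classification.text=HTTP $3 "$2"; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=mod_security found pattern match "$2" in HTTP object $3. No reactive action taken.; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.name=$4; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 target(0).service.web_service.url = $5; \
 additional_data(0).type=string; \
 additional_data(0).meaning=HTTP object; \
 additional_data(0).data=$3; \
 last

# 3105: 1.8 block with an HTTP status. The optional [severity "..."] field
#   (Feb 14 sample) is consumed by groups $5/$6 so that the numbering of
#   the later groups stays fixed; $6 is not mapped into the alert. $1 client
#   IP, $2 status code, $3 pattern, $4 variable, $7 hostname, $8 uri,
#   $9 unique_id (quotes stripped).
#LOG:Feb 14 13:51:28 metatron httpd[6168]: [error] [client 192.168.1.1] mod_security: Access denied with code 500. Pattern match "cmd.exe" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.connectionreset.it"] [uri "/cmd.exe"] [unique_id "M380ssCoDAIAABgYi0QAAAAA"]
#LOG:Jun 16 08:42:23 metatron httpd[10833]: [error] [client 127.0.0.1] mod_security: Access denied with code 403. Pattern match "/bb-replog\\.sh" at THE_REQUEST [hostname "localhost.localdomain"] [uri "/cgi-bin/bb-replog.sh"] [unique_id KxpIRgoBSmsAACpRNmAAAAAD]
regex=\[client ([\d\.]+)\] mod_security: Access denied with code (\d+)\. Pattern match "(.+)" at (\S+) (\[severity "(\S+)"\] )?\[hostname "(\S+)"\] \[uri "(.+)"\] \[unique_id "?([^"\]\s]+)"?\]; \
 id=3105; \
 revision=4; \
 classification.ident = $9; \
 classification.text=HTTP $4 "$3" Blocked; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security found pattern match "$3" in HTTP object $4.; \
 assessment.action(0).category = block-installed; \
 assessment.action(0).description = Access was blocked with HTTP response code $2.; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.name=$7; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 target(0).service.web_service.url = $8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=HTTP code returned; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=HTTP object; \
 additional_data(1).data=$4; \
 last

# 3106: 1.8 block by redirect. No captured sample: the bracketed
#   "redirect to [...]" form and the (\S+) pattern capture are unverified
#   guesses and differ from 3102; please submit a real line. $1 client IP,
#   $2 redirect target, $3 pattern, $4 variable, $5 hostname, $6 uri,
#   $7 unique_id.
#No log sample; please submit
regex=\[client ([\d\.]+)\] mod_security: Access denied with redirect to \[(\S+)\]\. Pattern match "(\S+)" at (\S+) \[hostname "(\S+)"\] \[uri "(.+)"\] \[unique_id "?([^"\]\s]+)"?\]; \
 id=3106; \
 revision=4; \
 classification.ident = $7; \
 classification.text=HTTP $4 "$3" Redirected; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security found pattern match "$3" in HTTP object $4.; \
 assessment.action(0).category = block-installed; \
 assessment.action(0).description = Access was redirected to $2.; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.name=$5; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 target(0).service.web_service.url = $6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Redirected to; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=HTTP object; \
 additional_data(1).data=$4; \
 last

# 3107: 1.8 block caused by a request-parsing error rather than a filter
#   match (e.g. bad URL encoding in a POST body). $1 client IP, $2 status
#   code, $3 the whole "Error ..." text, $4 hostname, $5 uri, $6 unique_id.
#LOG:Dec  6 22:06:26 mail httpd[10812]: [error] [client 202.58.85.8] mod_security: Access denied with code 403. Error parsing POST parameters: Error normalizing parameter value: Invalid URL encoding detected: invalid characters used [hostname "www.gomezbros.com"] [uri "/modules.php"] [unique_id 87ZxND-IXCYAACo8LCYAAAAP]
regex=\[client ([\d\.]+)\] mod_security: Access denied with code (\d+)\. (Error .+) \[hostname "(\S+)"\] \[uri "(.+)"\] \[unique_id "?([^"\]\s]+)"?\]; \
 id=3107; \
 revision=3; \
 classification.ident = $6; \
 classification.text=HTTP Blocked; \
 analyzer(0).name=mod_security; \
 analyzer(0).manufacturer=www.modsecurity.org; \
 analyzer(0).class=HIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=mod_security encountered an error: "$3".; \
 assessment.action(0).category = block-installed; \
 assessment.action(0).description = Access was blocked with HTTP response code $2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.name=$4; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 target(0).service.web_service.url = $5; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=HTTP code returned; \
 additional_data(0).data=$2; \
 last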