首页 > Web安全 > snort规则之常见web漏洞扫描器
2016
11-14

snort规则之常见web漏洞扫描器

之前工作中搭建开源IDS,架构是suricata+barnyard2+snort规则。跟同事测试写了一些常见web漏洞扫描器的规则,分享出来。很多都是根据UA来识别的,因此比较简单,可能也会有误报。

#Web app scan tools rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"<H1>XSS@HERE</H1>"; classtype:web-application-attack; sid:90000008; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)


#Web vul rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"<script"; classtype:web-application-attack; sid:80000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..\boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/\.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\/proc\/(\d+|self)\/environ/iUs"; classtype:web-application-attack; sid:80000073; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"GET"; http_method; uricontent:"javascript|3a|"; nocase; classtype:web-application-attack; sid:80000074; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"lang|2e|Runtime"; nocase; classtype:web-application-attack; sid:80000075; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getInputStream"; nocase; classtype:web-application-attack; sid:80000076; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getRuntime"; nocase; classtype:web-application-attack; sid:80000077; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"|29 2e|exec|28|"; nocase; classtype:web-application-attack; sid:80000078; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; content:"GET"; http_method; pcre:"/(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp)\.*\.rar/iUs"; classtype:web-application-attack; sid:80000079; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/order(.*)by(.*)\d/is"; classtype:web-application-attack; sid:80000080; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")/is"; classtype:web-application-attack; sid:80000081; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:\Wselect.+\W*from)/is"; classtype:web-application-attack; sid:80000082; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(?:select|create|rename|truncate|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()/is"; classtype:web-application-attack; sid:80000083; rev:11;)
#oracle inject
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s\-])|(?:match\s*[\w(),+-]+\s*against\s*\()/is"; classtype:web-application-attack; sid:80000084; rev:11;)
#mssql inject
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:procedure\s+analyse\s*\()|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)/is"; classtype:web-application-attack; sid:80000085; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)/is"; classtype:web-application-attack; sid:80000086; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:\sexec\s+xp_cmdshell)|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:exec\s+master\.)|(?:union\x20select\x20@)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")/is"; classtype:web-application-attack; sid:80000087; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XML Injection found"; flow:to_server,established; pcre:"/\<\!ENTITY(.*)SYSTEM(.*)\>/is"; classtype:web-application-attack; sid:80000090; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/(?:\w\.exe\??\s)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})/is"; classtype:web-application-attack; sid:80000091; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\<\!\-\-\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)/is"; classtype:web-application-attack; sid:80000092; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[/is"; classtype:web-application-attack; sid:80000093; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; pcre:"/(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)/iUs"; classtype:web-application-attack; sid:80000094; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; content:"GET"; http_method; uricontent:"phpinfo"; nocase; classtype:web-application-attack; sid:80000095; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(?:\wscript:|@import[^\w]|;base64|base64,)/is"; classtype:web-application-attack; sid:80000100; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(fromcharcode|alert|eval)\s*\(/is"; classtype:web-application-attack; sid:80000101; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"allowscriptaccess"; nocase; classtype:web-application-attack; sid:80000102; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/\<(iframe|script|body|img|layer)/is"; classtype:web-application-attack; sid:80000103; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"GET"; http_method; uricontent:"|3d|http|3a 2f 2f|"; nocase; classtype:web-application-attack; sid:80000104; rev:11;)
最后编辑:
作者:admin
这个作者貌似有点懒,什么都没有留下。

留下一个回复

你的email不会被公开。