欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

snort规则之常见web漏洞扫描器

程序员文章站 2022-09-17 21:47:00
snort规则之常见web漏洞扫描器。之前工作中搭建开源IDS,架构是suricata+barnyard2+snort规则。跟同事测试写了一些常见web漏洞扫描器的规则,分享出来。很多都是根据...

snort规则之常见web漏洞扫描器。之前工作中搭建开源IDS,架构是suricata+barnyard2+snort规则。跟同事测试写了一些常见web漏洞扫描器的规则,分享出来。很多都是根据UA来识别的,因此比较简单,可能也会有误报。

#Web app scan tools rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)

#Web vul rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((\%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..\boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/\.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)

{C}alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\/proc\/(\d+|self)\/environ/iUs"; classtype:web-application-attack; sid:80000073; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"GET"; http_method; uricontent:"javascript|3a|"; nocase; classtype:web-application-attack; sid:80000074; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"lang|2e|Runtime"; nocase; classtype:web-application-attack; sid:80000075; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getInputStream"; nocase; classtype:web-application-attack; sid:80000076; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; content:"GET"; http_method; uricontent:"getRuntime"; nocase; classtype:web-application-attack; sid:80000077; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; content:"GET"; http_method; uricontent:"|29 2e|exec|28|"; nocase; classtype:web-application-attack; sid:80000078; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; content:"GET"; http_method; pcre:"/(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp)\.*\.rar/iUs"; classtype:web-application-attack; sid:80000079; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/order(.*)by(.*)\d/is"; classtype:web-application-attack; sid:80000080; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:alter\s*\w+.*character\s+set\s+\w+)|(";\s*waitfor\s+time\s+")/is"; classtype:web-application-attack; sid:80000081; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:\Wselect.+\W*from)/is"; classtype:web-application-attack; sid:80000082; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(?:select|create|rename|truncate|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*\);)|("\s+regexp\W)|(?:[\s(]load_file\s*\()/is"; classtype:web-application-attack; sid:80000083; rev:11;)

#oracle inject

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:merge.*using\s*\()|(execute\s*immediate\s*")|(?:\W+\d*\s*having\s*[^\s\-])|(?:match\s*[\w(),+-]+\s*against\s*\()/is"; classtype:web-application-attack; sid:80000084; rev:11;)

#mssql inject

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:procedure\s+analyse\s*\()|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)/is"; classtype:web-application-attack; sid:80000085; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)/is"; classtype:web-application-attack; sid:80000086; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; flow:to_server,established; pcre:"/(?:\sexec\s+xp_cmdshell)|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:exec\s+master\.)|(?:union\x20select\x20@)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*")/is"; classtype:web-application-attack; sid:80000087; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XML Injection found"; flow:to_server,established; pcre:"/\/is"; classtype:web-application-attack; sid:80000090; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/(?:\w\.exe\??\s)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})/is"; classtype:web-application-attack; sid:80000091; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\is"; classtype:web-application-attack; sid:80000092; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; flow:to_server,established; pcre:"/\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[/is"; classtype:web-application-attack; sid:80000093; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; pcre:"/(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)/iUs"; classtype:web-application-attack; sid:80000094; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; flow:to_server,established; content:"GET"; http_method; uricontent:"phpinfo"; nocase; classtype:web-application-attack; sid:80000095; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(?:\wscript:|@import[^\w]|;base64|base64,)/is"; classtype:web-application-attack; sid:80000100; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/(fromcharcode|alert|eval)\s*\(/is"; classtype:web-application-attack; sid:80000101; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; content:"allowscriptaccess"; nocase; classtype:web-application-attack; sid:80000102; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; pcre:"/\is"; classtype:web-application-attack; sid:80000103; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XSS found"; flow:to_server,established; conten