Thursday, 8 May 2014

Ruleset update: Tomcat-Manager sigs & misc scanner rules

Rules repo:
  • https://bitbucket.org/lazy_dogtown/doxi-rules/src

Updates:

  • Struts 0day sigs (already pushed 3 weeks ago)
  • Tomcat-Manager sigs to detect access to certain Manager command calls from the outside
  • misc scanner sigs


[+] new sigs:
  42000361 :: scanner.rules        :: JAVA-UA, possible Scanner
  42000362 :: scanner.rules        :: Bash-Profile et al Scan
  42000363 :: scanner.rules        :: ScanAlert Vulnerability Scanner
  42000364 :: scanner.rules        :: Sucuri Vulnerability Scanner
  42000365 :: scanner.rules        :: SiteLock Vulnerability Scanner
  42000366 :: scanner.rules        :: OpenVAS - Scanner
  42000367 :: app_server.rules     :: Java-Classloader-Call
  42000368 :: web_server.rules     :: Facebook External Hit
  42000369 :: app_server.rules     :: Tomcat-Manager/deploy-command
  42000370 :: app_server.rules     :: Tomcat-Manager/list-command
  42000371 :: app_server.rules     :: Tomcat-Manager/reload-command
  42000372 :: app_server.rules     :: Tomcat-Manager/serverinfo-command
  42000373 :: app_server.rules     :: Tomcat-Manager/resources-command
  42000374 :: app_server.rules     :: Tomcat-Manager/sessions-command
  42000375 :: app_server.rules     :: Tomcat-Manager/start-command
  42000376 :: app_server.rules     :: Tomcat-Manager/stop-command
  42000377 :: app_server.rules     :: Tomcat-Manager/undeploy-command
  42000378 :: app_server.rules     :: Tomcat-Manager/findleaks-command
  42000379 :: app_server.rules     :: Tomcat-Manager/serverstatus-command
  42000380 :: app_server.rules     :: Tomcat-Manager/jmxproxy-access



#
# sid: 42000380 | date: 2014-05-02 - 20:23
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/jmxproxy/" "msg:Tomcat-Manager/jmxproxy-access" "mz:URL" "s:$UWA:8" id:42000380  ;

#
# sid: 42000379 | date: 2014-05-02 - 17:48
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverstatus" "msg:Tomcat-Manager/serverstatus-command" "mz:URL" "s:$UWA:8" id:42000379  ;

#
# sid: 42000378 | date: 2014-05-02 - 17:47
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/findleaks" "msg:Tomcat-Manager/findleaks-command" "mz:URL" "s:$UWA:8" id:42000378  ;

#
# sid: 42000377 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/undeploy" "msg:Tomcat-Manager/undeploy-command" "mz:URL" "s:$UWA:8" id:42000377  ;

#
# sid: 42000376 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/stop" "msg:Tomcat-Manager/stop-command" "mz:URL" "s:$UWA:8" id:42000376  ;

#
# sid: 42000375 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/start" "msg:Tomcat-Manager/start-command" "mz:URL" "s:$UWA:8" id:42000375  ;

#
# sid: 42000374 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/sessions" "msg:Tomcat-Manager/sessions-command" "mz:URL" "s:$UWA:8" id:42000374  ;

#
# sid: 42000373 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/resources" "msg:Tomcat-Manager/resources-command" "mz:URL" "s:$UWA:8" id:42000373  ;

#
# sid: 42000372 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverinfo" "msg:Tomcat-Manager/serverinfo-command" "mz:URL" "s:$UWA:8" id:42000372  ;

#
# sid: 42000371 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/reload" "msg:Tomcat-Manager/reload-command" "mz:URL" "s:$UWA:8" id:42000371  ;

#
# sid: 42000370 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command" "mz:URL" "s:$UWA:8" id:42000370  ;

#
# sid: 42000369 | date: 2014-05-02 - 17:42
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/deploy" "msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369  ;

#
# sid: 42000368 | date: 2014-04-27 - 08:03
#
# http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
# https://www.mare-system.de/news/mare/1398410520/
#
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368  ;

#
# sid: 42000367 | date: 2014-04-24 - 21:15
#
# http://struts.apache.org/release/2.3.x/docs/s2-020.html
# http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
#
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS" "s:$UWA:8" id:42000367  ;

#
# sid: 42000366 | date: 2014-04-24 - 09:57
#
#
#
MainRule "str:openvas" "msg:OpenVAS - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366  ;

#
# sid: 42000365 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sitelock" "msg:SiteLock Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000365  ;

#
# sid: 42000364 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364  ;

#
# sid: 42000363 | date: 2014-04-24 - 09:52
#
# http://www.botopedia.org/index.php?option=com_k2&view=item&id=350:scanalert-bot
#
MainRule "str:scanalert" "msg:ScanAlert Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000363  ;

#
# sid: 42000362 | date: 2014-04-24 - 09:46
#
#
#
MainRule "str:.bash" "msg:Bash-Profile et al Scan" "mz:URL" "s:$UWA:8" id:42000362  ;

#
# sid: 42000361 | date: 2014-04-19 - 17:19
#
#
#
MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361  ;
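As an added worked example (not part of this post and not code from the doxi-rules repository): a small Python evaluator that parses a handful of the MainRule lines above and runs constructed requests through them, showing which sids fire for a Tomcat-Manager text-interface call, for a scanner or Java User-Agent, and that a plain request to the HTML Manager GUI (/manager/html) is not covered by these sigs, which only watch the /text/ and /jmxproxy/ interfaces. The naxsi semantics are deliberately simplified: str: is treated as a case-insensitive substring match, the score is added once per matching zone, and the UWA threshold in would_block() is an assumption, since the post lists no CheckRule.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of the MainRule lines from this update (doxi-rules / naxsi syntax).
RULES_TEXT = r'''
MainRule "str:/manager/jmxproxy/" "msg:Tomcat-Manager/jmxproxy-access" "mz:URL" "s:$UWA:8" id:42000380  ;
MainRule "str:/manager/text/deploy" "msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369  ;
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command" "mz:URL" "s:$UWA:8" id:42000370  ;
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368  ;
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS" "s:$UWA:8" id:42000367  ;
MainRule "str:openvas" "msg:OpenVAS - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366  ;
MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361  ;
'''

# Matches the four quoted fields and the id of a str:-based MainRule line.
RULE_RE = re.compile(
    r'MainRule\s+"str:(?P<needle>[^"]*)"\s+"msg:(?P<msg>[^"]*)"\s+'
    r'"mz:(?P<mz>[^"]*)"\s+"s:\$(?P<counter>[A-Za-z_]+):(?P<score>\d+)"\s+id:(?P<sid>\d+)'
)

@dataclass
class Rule:
    sid: int
    needle: str        # lower-cased: str: matching is treated as case-insensitive here
    msg: str
    zones: list        # e.g. ['URL'] or ['BODY', 'ARGS'] or ['$HEADERS_VAR:User-Agent']
    counter: str       # named score counter, 'UWA' for all rules above
    score: int

def parse_rules(text):
    """Parse MainRule lines into Rule objects; lines that do not parse are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(Rule(int(m['sid']), m['needle'].lower(), m['msg'],
                              m['mz'].split('|'), m['counter'], int(m['score'])))
    return rules

RULES = parse_rules(RULES_TEXT)

@dataclass
class Request:
    """Constructed request, reduced to the parts the match zones above look at."""
    url: str
    args: str = ''
    body: str = ''
    headers: dict = field(default_factory=dict)

def zone_text(req, zone):
    """Return the request text a match zone refers to (toy subset of naxsi zones)."""
    if zone == 'URL':
        return req.url
    if zone == 'ARGS':
        return req.args
    if zone == 'BODY':
        return req.body
    if zone.startswith('$HEADERS_VAR:'):
        wanted = zone.split(':', 1)[1].lower()
        return ' '.join(v for k, v in req.headers.items() if k.lower() == wanted)
    return ''   # zones this toy does not model never match

def evaluate(req, rules=RULES):
    """Return (sids that fired, score per named counter); score is added per matching zone."""
    hits, scores = [], {}
    for r in rules:
        for z in r.zones:
            if r.needle in zone_text(req, z).lower():
                hits.append(r.sid)
                scores[r.counter] = scores.get(r.counter, 0) + r.score
    return hits, scores

def would_block(scores, threshold=8):
    """Assumed CheckRule policy '$UWA >= 8' BLOCK; the post itself lists no CheckRule."""
    return scores.get('UWA', 0) >= threshold

if __name__ == '__main__':
    samples = {
        'deploy call': Request(url='/manager/text/deploy', headers={'User-Agent': 'curl/7.35'}),
        'java UA':     Request(url='/index.html', headers={'User-Agent': 'Java/1.7.0_51'}),
        'openvas UA':  Request(url='/', headers={'User-Agent': 'Mozilla/5.0 (compatible; OpenVAS)'}),
        'fb hit':      Request(url='/', headers={'User-Agent': 'facebookexternalhit/1.1'}),
        'html GUI':    Request(url='/manager/html', headers={'User-Agent': 'Mozilla/5.0'}),
    }
    for name, req in samples.items():
        hits, scores = evaluate(req)
        print(f'{name:12} hits={hits} scores={scores} block={would_block(scores)}')
```

The Facebook External Hit rule scores 7 rather than 8, so on its own it stays below the assumed threshold and only logs; it is meant to add up with other rules. Note also that the /manager/html GUI request produces no hit at all, so a deployment that exposes the HTML Manager needs either its own sig or, better, an access restriction in front of the context.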