On Thu, 13 Nov 2014, Paul Stead wrote:

> I've developed a few rules which seem to be hitting well, could I get
> these into the sandbox?

> TO_EQ_FROM_NAME will match headers that look like the following:
>
> From: "t...@example.com" <u...@anotherdomain.com>
> To: t...@example.com

I'll review that and add it to my sandbox with the other TO_EQ_FROM rules.

> LOC_WP - detects potentially exploited WP sites; along with other
> characteristics it can score appropriately - not sure what the thoughts are
> on multiple rules that match the same thing as below:

There are already hacked-wordpress rules in testing. I'll compare to the existing ones and see whether this is already covered, can be merged neatly, or would be a variant subrule.

> LOC_WP_POMO - only certain files should be in the pomo dir - this
> detects ones that shouldn't be
>
> ----8<----
> uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/;i
> uri __PDS_LOC_WP_POMO_1 m;/wp-includes/pomo/entry\.php;i
> uri __PDS_LOC_WP_POMO_2 m;/wp-includes/pomo/(?:po|mo)\.php;i
> uri __PDS_LOC_WP_POMO_3 m;/wp-includes/pomo/streams\.php;i
> uri __PDS_LOC_WP_POMO_4 m;/wp-includes/pomo/translations\.php;i
>
> meta PDS_LOC_WP_POMO ((__PDS_LOC_WP_POMO) && (!__PDS_LOC_WP_POMO_1 && !__PDS_LOC_WP_POMO_2 && !__PDS_LOC_WP_POMO_3 && !__PDS_LOC_WP_POMO_4))
> ----8<----

That could probably be compressed to one rule using (?!(?:blah|blah|blah)\.php) for exclusion of valid content.

Can you provide a spample?

> LOC_JOOMLA - can be used similar to the LOC_WP above, with combinations
> for SHORT and VSHORT
>
> ----8<----
> uri __PDS_LOC_JOOMLA m;/(?:modules/mod_|option=com_|administrator/cache|templates/|components/com_).*(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.eot|\.pdf).{4}$;i
> meta PDS_LOC_JOOMLA (__PDS_LOC_JOOMLA && (__KAM_BODY_LENGTH_LT_1024 || __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048))
> ----8<----

I'll add those.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Politicians never accuse you of "greed" for wanting other people's
  money, only for wanting to keep your own money.    -- Joseph Sobran
-----------------------------------------------------------------------
 896 days since the first successful private support mission to ISS (SpaceX)
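As an added example, not part of the thread and not SpamAssassin's own code: the Python script below emulates the four-subrule PDS_LOC_WP_POMO meta next to the single negative-lookahead rule John suggests, and runs both (plus the __PDS_LOC_JOOMLA regex as posted) over constructed sample URIs. The emulation assumes SpamAssassin's usual semantics, i.e. a `uri` rule hits if any URI in the message matches it and a `meta` combines those message-wide hits. All URIs and hostnames are made up for the test.

```python
import re

# Constructed sample URIs for offline testing (not taken from the original
# thread or from any real message).
LEGIT_POMO = "http://blog.example.com/wp-includes/pomo/entry.php"
ROGUE_POMO = "http://blog.example.com/wp-includes/pomo/x7.php"
UNRELATED = "http://blog.example.com/2014/11/hello-world/"

# The four-subrule form from the thread: the directory pattern plus the
# known-good files, combined as __POMO && !(_1 || _2 || _3 || _4).
POMO_DIR = re.compile(r"/wp-includes/pomo/", re.I)
POMO_KNOWN_FILES = [
    re.compile(p, re.I)
    for p in (
        r"/wp-includes/pomo/entry\.php",
        r"/wp-includes/pomo/(?:po|mo)\.php",
        r"/wp-includes/pomo/streams\.php",
        r"/wp-includes/pomo/translations\.php",
    )
]

# The single-rule form John suggests: one regex with a negative lookahead
# listing the files that legitimately live in the pomo directory.
POMO_SINGLE = re.compile(
    r"/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php)", re.I
)


def pomo_meta(uris):
    """Emulate the four-subrule meta: each uri subrule hits if ANY URI in the
    message matches it, and the meta is evaluated over those hits."""
    dir_hit = any(POMO_DIR.search(u) for u in uris)
    known_hit = any(p.search(u) for p in POMO_KNOWN_FILES for u in uris)
    return dir_hit and not known_hit


def pomo_single(uris):
    """Emulate the compressed rule: hits if any single URI points into the
    pomo directory at something other than the known files."""
    return any(POMO_SINGLE.search(u) for u in uris)


def compare_pomo(uris):
    """Return (meta_result, single_result) so divergences are easy to spot."""
    return (pomo_meta(uris), pomo_single(uris))


# __PDS_LOC_JOOMLA as posted (case-insensitive): the lookahead excludes a
# fixed list of three-letter extensions just before the final .{4}$.
JOOMLA = re.compile(
    r"/(?:modules/mod_|option=com_|administrator/cache|templates/|components/com_)"
    r".*(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.eot|\.pdf).{4}$",
    re.I,
)


def joomla_hit(uri):
    return JOOMLA.search(uri) is not None


if __name__ == "__main__":
    for label, uris in (
        ("legit only", [LEGIT_POMO]),
        ("rogue only", [ROGUE_POMO]),
        ("legit + rogue", [LEGIT_POMO, ROGUE_POMO]),
        ("unrelated", [UNRELATED]),
    ):
        meta, single = compare_pomo(uris)
        print(f"{label:14} meta={meta!s:5} single={single}")
    for u in (
        "http://site.example.net/templates/beez/shell.php",
        "http://site.example.net/templates/beez/logo.gif",
        "http://site.example.net/templates/beez/pic.jpeg",
    ):
        print(f"joomla={joomla_hit(u)!s:5} {u}")
```

The "legit + rogue" case is where the two forms diverge: the four-subrule meta is suppressed because entry.php also appears somewhere in the message, while the single regex still fires on the rogue URI, so compressing the rule changes its semantics (here toward what the rule is meant to catch). The Joomla regex only excludes the listed three-letter extensions, so a URI ending in .jpeg, or in an image name followed by a query string, still matches.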
