Ruleset-Update: Tomcat-Manager - Sigs & misc Scanner-Rules
mex
May 8, 2014, 3:17:42 AM
to naxsi-discuss
Rules-Repo:
https://bitbucket.org/lazy_dogtown/doxi-rules/src
Updates:
- Struts-0day-Sigs (already pushed 3 weeks ago)
- Tomcat-Manager-Sigs to detect access to certain Manager-Command-Calls from the outside
- misc scanner -sigs
[+] new sigs:
42000361 :: scanner.rules :: JAVA-UA, possible Scanner
42000362 :: scanner.rules :: Bash-Profile et al Scan
42000363 :: scanner.rules :: ScanAlert Vulnerability Scaner
42000364 :: scanner.rules :: Sucuri Vulnerability Scaner
42000365 :: scanner.rules :: SiteLock Vulnerability Scanner
42000366 :: scanner.rules :: OpenVAS - Scanner
42000367 :: app_server.rules :: Java-Classloader-Call
42000368 :: web_server.rules :: Facebook External Hit
42000369 :: app_server.rules :: Tomcat-Manager/deploy-command
42000370 :: app_server.rules :: Tomcat-Manager/list-command
42000371 :: app_server.rules :: Tomcat-Manager/reload-command
42000372 :: app_server.rules :: Tomcat-Manager/serverinfo-command
42000373 :: app_server.rules :: Tomcat-Manager/resources-command
42000374 :: app_server.rules :: Tomcat-Manager/sessions-command
42000375 :: app_server.rules :: Tomcat-Manager/start-command
42000376 :: app_server.rules :: Tomcat-Manager/stop-command
42000377 :: app_server.rules :: Tomcat-Manager/undeploy-command
42000378 :: app_server.rules :: Tomcat-Manager/findleaks-command
42000379 :: app_server.rules :: Tomcat-Manager/serverstatus-command
42000380 :: app_server.rules :: Tomcat-Manager/jmxproxy-access
#
# sid: 42000380 | date: 2014-05-02 - 20:23
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/jmxproxy/" "msg:Tomcat-Manager/jmxproxy-access" "mz:URL" "s:$UWA:8" id:42000380 ;
#
# sid: 42000379 | date: 2014-05-02 - 17:48
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverstatus" "msg:Tomcat-Manager/serverstatus-command" "mz:URL" "s:$UWA:8" id:42000379 ;
#
# sid: 42000378 | date: 2014-05-02 - 17:47
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/findleaks" "msg:Tomcat-Manager/findleaks-command" "mz:URL" "s:$UWA:8" id:42000378 ;
#
# sid: 42000377 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/undeploy" "msg:Tomcat-Manager/undeploy-command" "mz:URL" "s:$UWA:8" id:42000377 ;
#
# sid: 42000376 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/stop" "msg:Tomcat-Manager/stop-command" "mz:URL" "s:$UWA:8" id:42000376 ;
#
# sid: 42000375 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/start" "msg:Tomcat-Manager/start-command" "mz:URL" "s:$UWA:8" id:42000375 ;
#
# sid: 42000374 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/sessions" "msg:Tomcat-Manager/sessions-command" "mz:URL" "s:$UWA:8" id:42000374 ;
#
# sid: 42000373 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/resources" "msg:Tomcat-Manager/resources-command" "mz:URL" "s:$UWA:8" id:42000373 ;
#
# sid: 42000372 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverinfo" "msg:Tomcat-Manager/serverinfo-command" "mz:URL" "s:$UWA:8" id:42000372 ;
#
# sid: 42000371 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/reload" "msg:Tomcat-Manager/reload-command" "mz:URL" "s:$UWA:8" id:42000371 ;
#
# sid: 42000370 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command" "mz:URL" "s:$UWA:8" id:42000370 ;
#
# sid: 42000369 | date: 2014-05-02 - 17:42
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/deploy" "msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369 ;
#
# sid: 42000368 | date: 2014-04-27 - 08:03
#
# http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
# https://www.mare-system.de/news/mare/1398410520/
#
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368 ;
#
# sid: 42000367 | date: 2014-04-24 - 21:15
#
# http://struts.apache.org/release/2.3.x/docs/s2-020.html
# http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
#
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS" "s:$UWA:8" id:42000367 ;
#
# sid: 42000366 | date: 2014-04-24 - 09:57
#
#
#
MainRule "str:openvas" "msg:OpenVAS - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366 ;
#
# sid: 42000365 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sitelock" "msg:SiteLock Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000365 ;
#
# sid: 42000364 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364 ;
#
# sid: 42000363 | date: 2014-04-24 - 09:52
#
# http://www.botopedia.org/index.php?option=com_k2&view=item&id=350:scanalert-bot
#
MainRule "str:scanalert" "msg:ScanAlert Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000363 ;
#
# sid: 42000362 | date: 2014-04-24 - 09:46
#
#
#
MainRule "str:.bash" "msg:Bash-Profile et al Scan" "mz:URL" "s:$UWA:8" id:42000362 ;
#
# sid: 42000361 | date: 2014-04-19 - 17:19
#
#
#
MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361 ;
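A small regression harness for the rules posted above, added here as an example; it is not part of the original post or of doxi-rules. It parses `MainRule` directives (including ones wrapped across lines) and scores constructed requests against them. The request dictionary layout, the function names and the blocking threshold of 8 are assumptions, and zone handling is a simplified model of naxsi, not its implementation.

```python
import re

# Constructed input: three rules copied from the post (one left wrapped as mailed).
RULES = '''
# sid: 42000369 | date: 2014-05-02 - 17:42
MainRule "str:/manager/text/deploy"
"msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369 ;
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368 ;
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS" "s:$UWA:8" id:42000367 ;
'''

def parse_rules(text):
    """Parse MainRule directives; a directive ends at ';' and may span lines."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = []
    for stmt in body.split(";"):
        if "MainRule" not in stmt:
            continue
        rule = dict(f.split(":", 1) for f in re.findall(r'"([^"]*)"', stmt))
        rule["id"] = int(re.search(r"id:(\d+)", re.sub(r'"[^"]*"', "", stmt)).group(1))
        tag, score = rule["s"].rsplit(":", 1)
        rule["tag"], rule["score"] = tag, int(score)
        rules.append(rule)
    return rules

def zone_values(zone, req):
    """Strings covered by one match zone (simplified model of naxsi zones)."""
    if zone == "URL":
        return [req.get("path", "")]
    if zone in ("ARGS", "BODY"):  # modelled as covering names and values
        pairs = req.get(zone.lower(), {})
        return list(pairs) + list(pairs.values())
    if zone.startswith("$HEADERS_VAR:"):
        want = zone.split(":", 1)[1].lower()
        return [v for k, v in req.get("headers", {}).items() if k.lower() == want]
    return []

def evaluate(rules, req, threshold=8):
    """Return (matched ids, score per tag, blocked?). threshold is hypothetical."""
    hits, scores = [], {}
    for r in rules:
        values = [v for z in r["mz"].split("|") for v in zone_values(z, req)]
        # Assumption: str: patterns are lowercase and compared case-insensitively.
        if any(r["str"] in v.lower() for v in values):
            hits.append(r["id"])
            scores[r["tag"]] = scores.get(r["tag"], 0) + r["score"]
    return hits, scores, any(s >= threshold for s in scores.values())
```

With a threshold of 8, a request matching only sid 42000368 (score 7) is logged under `$UWA` but stays below the block level, while any single Tomcat-Manager or scanner rule (score 8) reaches it.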