Ruleset-Update: Tomcat-Manager - Sigs & misc Scanner-Rules

mex

May 8, 2014, 3:17:42 AM
to naxsi-discuss
Rules-Repo: https://bitbucket.org/lazy_dogtown/doxi-rules/src


Updates:

- Struts-0day-Sigs (already pushed 3 weeks ago)
- Tomcat-Manager-Sigs to detect access to certain
Manager-Command-Calls from the outside
- misc scanner-sigs



[+] new sigs:
42000361 :: scanner.rules :: JAVA-UA, possible Scanner
42000362 :: scanner.rules :: Bash-Profile et al Scan
42000363 :: scanner.rules :: ScanAlert Vulnerability Scanner
42000364 :: scanner.rules :: Sucuri Vulnerability Scanner
42000365 :: scanner.rules :: SiteLock Vulnerability Scanner
42000366 :: scanner.rules :: OpenVAS - Scanner
42000367 :: app_server.rules :: Java-Classloader-Call
42000368 :: web_server.rules :: Facebook External Hit
42000369 :: app_server.rules :: Tomcat-Manager/deploy-command
42000370 :: app_server.rules :: Tomcat-Manager/list-command
42000371 :: app_server.rules :: Tomcat-Manager/reload-command
42000372 :: app_server.rules :: Tomcat-Manager/serverinfo-command
42000373 :: app_server.rules :: Tomcat-Manager/resources-command
42000374 :: app_server.rules :: Tomcat-Manager/sessions-command
42000375 :: app_server.rules :: Tomcat-Manager/start-command
42000376 :: app_server.rules :: Tomcat-Manager/stop-command
42000377 :: app_server.rules :: Tomcat-Manager/undeploy-command
42000378 :: app_server.rules :: Tomcat-Manager/findleaks-command
42000379 :: app_server.rules :: Tomcat-Manager/serverstatus-command
42000380 :: app_server.rules :: Tomcat-Manager/jmxproxy-access



#
# sid: 42000380 | date: 2014-05-02 - 20:23
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/jmxproxy/" "msg:Tomcat-Manager/jmxproxy-access"
"mz:URL" "s:$UWA:8" id:42000380 ;


#
# sid: 42000379 | date: 2014-05-02 - 17:48
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverstatus"
"msg:Tomcat-Manager/serverstatus-command" "mz:URL" "s:$UWA:8"
id:42000379 ;


#
# sid: 42000378 | date: 2014-05-02 - 17:47
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/findleaks"
"msg:Tomcat-Manager/findleaks-command" "mz:URL" "s:$UWA:8" id:42000378
;


#
# sid: 42000377 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/undeploy"
"msg:Tomcat-Manager/undeploy-command" "mz:URL" "s:$UWA:8" id:42000377
;


#
# sid: 42000376 | date: 2014-05-02 - 17:46
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/stop" "msg:Tomcat-Manager/stop-command"
"mz:URL" "s:$UWA:8" id:42000376 ;


#
# sid: 42000375 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/start" "msg:Tomcat-Manager/start-command"
"mz:URL" "s:$UWA:8" id:42000375 ;


#
# sid: 42000374 | date: 2014-05-02 - 17:45
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/sessions"
"msg:Tomcat-Manager/sessions-command" "mz:URL" "s:$UWA:8" id:42000374
;


#
# sid: 42000373 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/resources"
"msg:Tomcat-Manager/resources-command" "mz:URL" "s:$UWA:8" id:42000373
;


#
# sid: 42000372 | date: 2014-05-02 - 17:44
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverinfo"
"msg:Tomcat-Manager/serverinfo-command" "mz:URL" "s:$UWA:8"
id:42000372 ;


#
# sid: 42000371 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/reload"
"msg:Tomcat-Manager/reload-command" "mz:URL" "s:$UWA:8" id:42000371 ;


#
# sid: 42000370 | date: 2014-05-02 - 17:43
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command"
"mz:URL" "s:$UWA:8" id:42000370 ;


#
# sid: 42000369 | date: 2014-05-02 - 17:42
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/deploy"
"msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369 ;

#
# sid: 42000368 | date: 2014-04-27 - 08:03
#
# http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
# https://www.mare-system.de/news/mare/1398410520/
#
MainRule "str:facebookexternalhit" "msg:Facebook External Hit"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368 ;


#
# sid: 42000367 | date: 2014-04-24 - 21:15
#
# http://struts.apache.org/release/2.3.x/docs/s2-020.html
# http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
#
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS"
"s:$UWA:8" id:42000367 ;


#
# sid: 42000366 | date: 2014-04-24 - 09:57
#
#
#
MainRule "str:openvas" "msg:OpenVAS - Scanner"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366 ;


#
# sid: 42000365 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sitelock" "msg:SiteLock Vulnerability Scanner"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000365 ;


#
# sid: 42000364 | date: 2014-04-24 - 09:54
#
#
#
MainRule "str:sucuri" "msg:Sucuri Vulnerability Scanner"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364 ;


#
# sid: 42000363 | date: 2014-04-24 - 09:52
#
# http://www.botopedia.org/index.php?option=com_k2&view=item&id=350:scanalert-bot
#
MainRule "str:scanalert" "msg:ScanAlert Vulnerability Scanner"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000363 ;


#
# sid: 42000362 | date: 2014-04-24 - 09:46
#
#
#
MainRule "str:.bash" "msg:Bash-Profile et al Scan" "mz:URL" "s:$UWA:8"
id:42000362 ;


#
# sid: 42000361 | date: 2014-04-19 - 17:19
#
#
#
MainRule "str:java/" "msg:JAVA-UA, possible Scanner"
"mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361 ;
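Added example (not part of mex's post or the doxi-rules repo): a small, simplified re-implementation of how naxsi evaluates MainRules like the ones above, so you can see how the named score $UWA accumulates per request and when a typical CheckRule threshold would block. It takes three rules verbatim from this ruleset, parses the "str:", "mz:" and "s:" fields, and runs them over constructed sample requests; the blocking threshold of 8 and the one-hit-per-rule scoring are assumptions, not naxsi's exact internals.

```python
import re
from typing import Dict, List, Tuple

# Three rules copied from this ruleset (sids 42000370, 42000361, 42000368).
RULES_TEXT = '''
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command" "mz:URL" "s:$UWA:8" id:42000370 ;
MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361 ;
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368 ;
'''

# Assumed threshold, mirroring a common naxsi CheckRule "$UWA >= 8" BLOCK; setting.
BLOCK_THRESHOLD = {"UWA": 8}

Rule = Dict[str, object]

def parse_rules(text: str) -> List[Rule]:
    """Parse MainRule statements into dicts: needle, msg, match zones, (score name, value), id."""
    rules = []
    for stmt in re.findall(r'MainRule\s+(.*?)\s*;', text, re.S):
        fields = dict(q.split(":", 1) for q in re.findall(r'"([^"]*)"', stmt))
        score_name, score_val = fields["s"].lstrip("$").split(":")
        rules.append({
            "id": int(re.search(r'id:(\d+)', stmt).group(1)),
            "needle": fields["str"].lower(),      # naxsi "str:" is a case-insensitive substring match
            "msg": fields["msg"],
            "zones": fields["mz"].split("|"),     # e.g. "BODY|ARGS" means either zone
            "score": (score_name, int(score_val)),
        })
    return rules

def zone_values(req: Dict, zone: str) -> List[str]:
    """Map a naxsi match zone to the request field it inspects."""
    if zone.startswith("$HEADERS_VAR:"):
        return [req.get("headers", {}).get(zone.split(":", 1)[1], "")]
    return [req.get(zone.lower(), "")]           # URL, ARGS, BODY

def evaluate(req: Dict, rules: List[Rule]) -> Tuple[Dict[str, int], List[int], bool]:
    """Return (named scores, matched sids, blocked) for one request; one hit per rule (simplified)."""
    scores: Dict[str, int] = {}
    matched: List[int] = []
    for r in rules:
        if any(r["needle"] in v.lower() for z in r["zones"] for v in zone_values(req, z)):
            name, val = r["score"]
            scores[name] = scores.get(name, 0) + val
            matched.append(r["id"])
    blocked = any(scores.get(n, 0) >= t for n, t in BLOCK_THRESHOLD.items())
    return scores, matched, blocked

SAMPLE_REQUESTS = [  # constructed traffic, not captured data
    {"url": "/manager/text/list", "headers": {"User-Agent": "Java/1.7.0_51"}},
    {"url": "/index.html", "headers": {"User-Agent": "facebookexternalhit/1.1"}},
    {"url": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}},
]
```

The first request trips both the list-command and the Java-UA rule ($UWA = 16, blocked); the Facebook hit alone scores 7, which stays below the assumed threshold and would only be logged.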