Hi, just added some sigs against known exploits for Jenkins and WP,
the rules themselves can be found here:
http://spike.nginx-goodies.com/rules/
For the latest Joomla vuln + exploit (see
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html)
you might want to look at 42000343
http://spike.nginx-goodies.com/rules/edit/42000343
that detects generic PHP-Object-Attacks.
I modified this rule to check headers now as well,
updates are already pushed to the repo:
MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343;
The rules are available here:
https://bitbucket.org/lazy_dogtown/doxi-rules
-----------------------------
[+] new sigs:
42000443 :: web_apps.rules :: WordPress XMLRPC Enumeration system.listMethods
42000444 :: web_apps.rules :: WordPress XMLRPC Enumeration system.getCapabilities
42000445 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit
42000446 :: app_server.rules :: Jenkins User-Credentials-Access (POST)
42000447 :: app_server.rules :: Jenkins User-Credentials-Access (GET)
42000448 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit
42000449 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit (/script)
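
An added example (not part of the original post, and not code from doxi-rules or naxsi) that runs the pattern of rule 42000343 over constructed requests, to show what adding HEADERS to the match zones changes. Assumptions: Python's re stands in for naxsi's regex matching, ARGS/BODY values are URL-decoded before matching, and the earlier zone set was BODY|ARGS.

```python
import re
from urllib.parse import unquote_plus

# Pattern, zones and score copied from rule 42000343 as posted above.
RULE_ID = 42000343
RULE_RX = re.compile(r'O:\d+:.*:\d+:{(s|S):\d+:.*;.*}')
ZONES_NOW = ("BODY", "ARGS", "HEADERS")   # mz:BODY|ARGS|HEADERS
ZONES_BEFORE = ("BODY", "ARGS")           # assumption: zones before headers were added
SCORE = 8                                 # s:$ATTACK:8

def scan(request, zones=ZONES_NOW):
    """Return [(zone, field)] for every field in the given zones that matches.

    request maps a zone name to a dict of field name -> raw value.
    Simplified model: ARGS and BODY values are URL-decoded first, headers are not.
    """
    hits = []
    for zone in zones:
        for field, value in request.get(zone, {}).items():
            text = unquote_plus(value) if zone in ("ARGS", "BODY") else value
            if RULE_RX.search(text):
                hits.append((zone, field))
    return hits

def attack_score(request, zones=ZONES_NOW):
    """Simplified $ATTACK total: SCORE is added once per matching field."""
    return SCORE * len(scan(request, zones))

# Constructed sample requests (harmless stdClass serializations, not captured traffic).
IN_HEADER = {"HEADERS": {"User-Agent": 'O:8:"stdClass":1:{s:4:"name";s:3:"abc";}'},
             "ARGS": {"page": "1"}}
IN_ARG = {"ARGS": {"data": "O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D"},
          "HEADERS": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}}
BENIGN = {"ARGS": {"q": "nginx naxsi rules"},
          "BODY": {"comment": "Open: 9:00 to 17:30; closed Sunday"},
          "HEADERS": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}}

if __name__ == "__main__":
    # Columns: sample, hits with the assumed old zones, hits with current zones, score.
    for name, req in (("header", IN_HEADER), ("arg", IN_ARG), ("benign", BENIGN)):
        print(name, scan(req, ZONES_BEFORE), scan(req), attack_score(req))
```
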