[prelude-cvslog] r10320 - prelude-lml/trunk/plugins/pcre/ruleset
noreply at prelude-ids.org
noreply at prelude-ids.org
Tue Mar 4 08:56:12 CET 2008
Author: toady
Date: 2008-03-04 08:55:51 +0100 (Tue, 04 Mar 2008)
New Revision: 10320
Added:
prelude-lml/trunk/plugins/pcre/ruleset/suhosin.rules
Modified:
prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
Log:
add suhosin rulesets
Modified: prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules 2008-03-03 17:57:04 UTC (rev 10319)
+++ prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules 2008-03-04 07:55:51 UTC (rev 10320)
@@ -7,21 +7,21 @@
# http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt
#
# CREATING AND CONTRIBUTING RULES:
-# Rulesets that you contribute to the Prelude-LML maintainer should follow
+# Rulesets that you contribute to the Prelude-LML maintainer should follow
# these guidelines:
# - Avoid using .+ or .* in regex entries unless actually neccessary. Doing so
# will make your rule CPU-costly to implement.
# - Avoid capturing variables which you don't use. This causes unneccessary
# memory consumption.
-# - At a minimum, include regex, classification().text,
-# assessment.impact.severity, assessment.impact.type,
+# - At a minimum, include regex, classification().text,
+# assessment.impact.severity, assessment.impact.type,
# assessment.impact.description.
# - If it's correct for this application, include last.
# - Put only a single field on each line of your rules.
# - Include a sample log entry with each rule.
# - Gather as many pieces of data, and fill as many IDMEF fields as possible
# from the log entry.
-# - If a similar rule exists in another ruleset (same function, different
+# - If a similar rule exists in another ruleset (same function, different
# software), use the classification().text from the other rule.
# - Use only the actual log message, none of the syslog headers (this generally
# includes timestamp, originating node, originating process, and pid).
@@ -43,7 +43,7 @@
# - revision:
# The current revision of the rule. Higher numbers indicate more recent
# versions.
-#
+#
# - last:
# Indicates to LML that if this rule is triggered, stop checking for further
# regex matches.
@@ -54,7 +54,7 @@
regex=no appropriate format defined for log entry; \
silent; \
last
-
+
regex=EMU; include = apc-emu.rules;
regex=(anomaly|since|firstSeen); include = arbor.rules;
regex=arpwatch; include = arpwatch.rules;
@@ -63,20 +63,20 @@
regex=product:; include = checkpoint.rules;
regex=%\S+-\d+-\S+; include = cisco-asa.rules; \
include = cisco-common.rules; \
- include = cisco-router.rules;
+ include = cisco-router.rules;
regex=(IPV4|SSHD|NETMAN)-\d+; include = cisco-css.rules;
regex=snmptrapd; include = cisco-ips.rules;
regex=SEV=; include = cisco-vpn.rules;
-# Using this regex rather than simpler clamd to handle events from clamav
+# Using this regex rather than simpler clamd to handle events from clamav
# logging format
regex=(FOUND|virus); include = clamav.rules;
regex=server administrator; include = dell-om.rules
-regex=(kernel|grsec); include = grsecurity.rules;
+regex=(kernel|grsec); include = grsecurity.rules;
regex=(bigconf|kernel); include = f5-bigip.rules;
regex=(honeyd|icmp|tcp|udp); include = honeyd.rules;
regex=\[([0-9-]+) ([0-9:]+)\]; include = honeytrap.rules
regex=\[(SSHChannel|SSHService); include = kojoney.rules
-# Using this somewhat complex regex instead of the simpler httpd due to the
+# Using this somewhat complex regex instead of the simpler httpd due to the
# fact that we might be directly monitoring httpd logs instead of httpd syslog
# entries (in which case we won't have the process name to match against)
regex=(\[error\]|Pass|httpd); include = httpd.rules; \
@@ -86,7 +86,7 @@
include = bonding.rules;
regex=ipfw; include = ipfw.rules;
regex=[Ww]ireless; include = linksys-wap11.rules;
-regex=clussvc; include = ms-cluster.rules;
+regex=clussvc; include = ms-cluster.rules;
regex=mssql; include = ms-sql.rules;
regex=nagios; include = nagios.rules;
regex=norton; include = navce.rules;
@@ -109,6 +109,7 @@
regex=(Acceptin|Squid|Disabled|DENIED); include = squid.rules;
regex=sshd; include = ssh.rules;
regex=sudo; include = sudo.rules;
+regex=suhosin; include = suhosin.rules;
regex=tripwire; include = tripwire.rules;
regex=[wl]an @Group:; include = vigor.rules;
regex=vpopmail; include = vpopmail.rules;
Added: prelude-lml/trunk/plugins/pcre/ruleset/suhosin.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/suhosin.rules (rev 0)
+++ prelude-lml/trunk/plugins/pcre/ruleset/suhosin.rules 2008-03-04 07:55:51 UTC (rev 10320)
@@ -0,0 +1,104 @@
+#####
+#
+# Copyright (C) 2007 Sebastien Tricaud <stricaud at inl dot fr>
+# All Rights Reserved
+#
+# This file is part of the Prelude-LML program.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to
+# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#####
+
+#
+#LOG: Dec 30 05:18:11 zoubida suhosin[15086]: ALERT - configured request variable name length limit exceeded - dropped variable 'article2/include/engine/MakeXML4statusCounter_php?fileOreonConf' (attacker '192.168.3.4', file '/var/www/zorglub/www/htdocs/spip.php')
+regex=ALERT - configured request variable name length limit exceeded - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
+ classification.text=Variable length too long; \
+ id=; \
+ revision=1; \
+ analyzer(0).name=Suhosin; \
+ analyzer(0).manufacturer=; \
+ analyzer(0).class=HIDS; \
+ source(0).node.address(0).address=$2; \
+ target(0).file(0).path=$3; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=dos; \
+ assessment.impact.severity=low; \
+ assessment.impact.description=Configured request variable name length limit exceeded - dropped variable; \
+ additional_data(0).type=string; \
+ additional_data(0).meaning=Variable; \
+ additional_data(0).data=$1; \
+ last;
+
+#
+#LOG: Jan 2 12:36:27 zoubida suhosin[2258]: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '62.193.236.107', file '/var/www/zorglub/www/htdocs/index.php')
+regex=ALERT - tried to register forbidden variable '(\S+)' through (.*) variables \(attacker '(\S+)', file '(\S+)'\); \
+ classification.text=Forbidden variable; \
+ id=; \
+ revision=1; \
+ analyzer(0).name=Suhosin; \
+ analyzer(0).manufacturer=; \
+ analyzer(0).class=HIDS; \
+ source(0).node.address(0).address=$3; \
+ target(0).file(0).path=$4; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=other; \
+ assessment.impact.severity=low; \
+ assessment.impact.description=Tried to register forbidden variable through '$2'; \
+ additional_data(0).type=string; \
+ additional_data(0).meaning=Variable; \
+ additional_data(0).data=$1; \
+ last;
+
+#
+#LOG: Jan 12 17:02:54 zoubida suhosin[27745]: ALERT - configured GET variable value length limit exceeded - dropped variable 'email' (attacker '131.158.223.4', file '/var/www/zorglub/www/htdocs/php/poll.php')
+regex=ALERT - configured (\S+) variable value length limit exceeded - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
+ classification.text=Variable length too long; \
+ id=; \
+ revision=1; \
+ analyzer(0).name=Suhosin; \
+ analyzer(0).manufacturer=; \
+ analyzer(0).class=HIDS; \
+ source(0).node.address(0).address=$3; \
+ target(0).file(0).path=$4; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=dos; \
+ assessment.impact.severity=low; \
+ assessment.impact.description=Configured '$1' variable length limit exceeded - dropped variable '$2'; \
+ additional_data(0).type=string; \
+ additional_data(0).meaning=Variable; \
+ additional_data(0).data=$2; \
+ last;
+
+#
+#LOG: Jan 22 19:54:16 zoubida suhosin[2580]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'page' (attacker '85.18.136.89', file '/var/www/zorglub/www/htdocs/index.php')
+regex=ALERT - ASCII-NUL chars not allowed within request variables - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
+ classification.text=Invalid characters; \
+ id=; \
+ revision=1; \
+ analyzer(0).name=Suhosin; \
+ analyzer(0).manufacturer=; \
+ analyzer(0).class=HIDS; \
+ source(0).node.address(0).address=$2; \
+ target(0).file(0).path=$3; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=other; \
+ assessment.impact.severity=low; \
+ assessment.impact.description=ASCII-NUL chars not allowed within request variables - dropped variable '$1'; \
+ additional_data(0).type=string; \
+ additional_data(0).meaning=Variable; \
+ additional_data(0).data=$1; \
+ last;
+
+
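Review bot: The second rule (`tried to register forbidden variable`) captures the request method with `through (.*) variables`, which the guidelines updated in this same commit say to avoid (`.*` makes the rule CPU-costly), and the sample log shows the token is a single word (`GET`), so `(\S+)` is sufficient: `regex=ALERT - tried to register forbidden variable '(\S+)' through (\S+) variables \(attacker '(\S+)', file '(\S+)'\); \`. All four rules leave `id=` and `analyzer(0).manufacturer=` empty, so the generated IDMEF alerts carry no stable rule identifier or analyzer vendor; these should be filled in before the ruleset ships. The `'(\S+)'` captures for the dropped variable name and the script path will fail to match when either contains whitespace; the variable name is attacker-supplied (the first sample shows `/` and `?` in it), so a pattern such as `'([^']+)'` may be more robust, though whether Suhosin ever emits such names is not shown here. The `attacker` address is mapped straight to `source(0).node.address(0).address`; if the web server sits behind a reverse proxy this is presumably the proxy's address, which is worth a comment in the file.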