#############################################################
# wIDSard example configuration file for httpd Apache 1.3.x #
#############################################################
#
# Layout: global declarations first, then the "%%" separator, then the
# sequence of detection rules.  Every rule ends with "." and may carry an
# action list in "< ... >"; the only action used in this file is
# printconsole().
#
# ******** global declarations ********************************************************************************************
#
# NOTE(review): $pathpwd, $execve_ok, $post_ok and $rit are declared here
# but are not referenced by any rule in this file.  Either the engine
# consumes them itself or they are leftovers -- confirm before relying on
# $execve_ok as an allow-list of what execve() may run.
string $pathpwd = "/etc/passwd_example"
# URL-encoded form of /etc/passwd; looked for in the write() buffer that
# follows a POST to /cgi-bin/ (rule 1).
string $stringapwd = "%2Fetc%2Fpasswd"
# CGI directory that execve() paths are compared against (rules 3 and 9).
string $pathcgi = "/home.orig/httpd/cgi-bin/"
# **** what an execve can run
# "**" is the separator
string $execve_ok = "/bin:date**/usr/:sendmail**/bin/:mail**/sbin/:pwd**/usr/:pwd**/bin/:pwd**"
# ":" is the separator
# Raw metacharacters looked for in GET requests (rule 5) and in execve()
# arguments (rule 13).
# NOTE(review): the "#" inside this string must not be taken as a comment
# start by the rule parser -- confirm, since every other "#" in this file
# does start a comment.
# NOTE(review): "$" and "'" appear only in the encoded list below, so
# their raw forms are not flagged by rule 5; "?" and "&" are ordinary
# query-string characters, so their absence here may well be deliberate.
string $metachar = ";:<:>:*:|:!:#:(:):[:]:{:}"
# URL-encoded counterparts, looked for in the write() buffer that follows
# a POST to /cgi-bin/ (rule 4).
string $hex_metachar = "%3B:%3C:%3E:%2A:%7C:%3F:%26:%24:%21:%23:%28:%29:%5B:%5D:%7B:%7D:%27"
# Upper bounds handed to checksize() in rule 6.
int $execve_max_arg = 100
int $execve_max_path = 100
# Shell path, raw (rule 8) and URL-encoded (rule 7).
string $shell_call = "/bin/sh"
string $hex_shell_call = "%2Fbin%2Fsh"
# Names of CGI programs considered insecure; an execve() of one of them
# under $pathcgi is reported by rule 9.
# NOTE(review): the list contains duplicates ("adp", "lwgate", "filemail",
# "finger", "userfile", "settings", "wwwadmin", "guestbook"); harmless
# unless find_cgi() cares about them.
string $tab_cgi_insecure{} = {"order","siteUserMod","htaccess","htpasswd","wwwacl","www_acl","nsconfig","admin","code","adp","AT-admin","AT-generate","allmanage","allmanageup","k","adp","userfile","settings","users","AnyForm","AnyForm2","AnyBoard","Count","lwgate","LWGate","lwgate","MachineInfo","add_ftp","aglimpse","glimpse","archie","architext_query","ax-admin","ax","axs","bb-dnbd","bb-hist","bnbform","bizdb1-search","cachemgr","calendar","calender","calender_admin","campas","cgi-lib","cgiemail","classified","classifieds","clickresponder","count","date","dfire","displayTC","dumpenv","dig","donothing","download","c_download","echo","ews","edit","enter","excite","environ","faxsurvey","filemail","filemail","finger","finger","flexform","formmail","FormMail","form","fortune","gH","guestbook","getdoc","handler","htsearch","htgrep","htmlscript","icat","cat","imagemap","info2www","info2html","infosrch","infogate","jj","ls","pu3","lwgate","login","mail","maillist","meta","man","nlog-smb","nph-error","nph-publish","nph-test-cgi","ntitar","day5datacopier","plusmail","pagelog","passwd","password","adpassword","ads","perl"
,"perlshop","ping?cst","pfdispaly","phf","rpm_query","fhp","cart","cart32","c32web","message","php","fi","loadpage","easysteps","mlog","mylog","netstat","post-query","postcard","query","redirect","responder","rwwwshell","adminlogin","settings","sojourn","spin_client","survey","search","stats","statsconfig","tablebuild","tidfinder","test-cgi","test-env","printenv","upload","ultraboard","Ultraboard","textcounter","counterfiglet","counter-ord","counterbanner","counterbanner-ord","counterfiglet-ord","unlg1","uptime","userfile","view-source","visadmin","w3-msql","w3-sql","wais","webbbs","webdist","webgais","webplus","webmap","webform","webutils","ws_ftp","WS_FTP","tigvote","tpgnrock","websendmail","webwho","whois_raw","sh","rsh","bash","ash","csh","ksh","rksh","zsh","tcsh","cgiwrap","wrap","www-sql","wwwadmin","wwwboard","wwwadmin","wwwshell","wwwthreads","w3tvars","3tvars","guestbook","db","auctionweaver"}
int $post_ok = 0
int $rit = 0
# Address of the most recently accepted client.  Set by the accept() rule
# at the end of the file and printed by the alert actions below.
string $ipaddr = ""
%%
# ******** Sequence of rules ************************************************************************************************
# ------------------------------------------------------------------------------------------------------------
# *** POST request with /etc/passwd
# Reads as: a read() that begins a POST to /cgi-bin/, then any events that
# are not a write() or a fork() returning pid 0, then a write() whose
# buffer contains the URL-encoded /etc/passwd.
# NOTE(review): no printconsole() action is attached, so the report relies
# on the engine's default handling of a matched rule -- confirm that is
# intended (rules 2, 3, 5, 8 and 10-12 print explicitly; rules 4, 6, 7, 9,
# 13 and 14 do not).
# NOTE(review): only the %2F-encoded form is matched here; a raw
# "/etc/passwd" in the written buffer is not covered by any rule in this
# file.
read(_,bUFFERCGI,_) | (exit: find_begin(bUFFERCGI,"POST :/cgi-bin/",":") == 1 ) ;
! {write () || fork() = pid | (exit: pid == 0)} * ;
write (_,bUFFERPWD,_) | (intro: (find(bUFFERPWD,$stringapwd,"") == 1) ) .
# ------------------------------------------------------------------------------------------------------------
# *** GET request with /etc/passwd
# Matches the literal path only; a percent-encoded GET is left to the
# "hex prohibited" rules (11/12) further down.
read(_,pWD,_) | (exit: find_begin(pWD,"GET :/cgi-bin/:/etc/passwd",":")==1 )
< exit: printconsole($ipaddr) , printconsole(" -- ATTACK 2 Request GET with /etc/passwd \n") > .
# ------------------------------------------------------------------------------------------------------------
# *** traversal
# Reads as: an execve() of something under $pathcgi, then any events
# ("@*"), then an open() whose path contains "..".
# ("cHIAMATA" is Italian for "call" -- the execve'd path.)
execve (cHIAMATA,_,_) | (intro: find_begin_nobar(cHIAMATA,$pathcgi,"")==1 ) ;
@* ;
open (bUFFER_pp,_) | (intro: ( find(bUFFER_pp,"..",":")==1 ))
< intro: printconsole($ipaddr) , printconsole(" -- ATTACK 3 open with ..\n") > .
# ------------------------------------------------------------------------------------------------------------
# *** dangerous metachar POST
# Same event sequence as rule 1, but the final write() is checked for any
# of the encoded metacharacters in $hex_metachar.  No print action is
# attached (see the note on rule 1).
read(_,bUFFERCGI,_) | (exit: find_begin(bUFFERCGI,"POST :/cgi-bin/",":") == 1 ) ;
! {write () || fork() = pid | (exit: pid == 0)} * ;
write (_,bUFFERMETACHAR,_) | (intro: ( find_or(bUFFERMETACHAR,$hex_metachar,":")==1 ) ) .
# ------------------------------------------------------------------------------------------------------------
# *** dangerous metachar GET
# NOTE(review): the find_or() clause is not compared with "== 1", unlike
# every other predicate in this file (rule 9 has the same shape).  If the
# evaluator takes the bare result as a truth value this is fine; if it
# expects a comparison, the clause may never fire -- confirm and align.
read(_,buff,_) | (exit: (find_begin(buff,"GET :/cgi-bin/",":")==1) , ( find_or(buff,$metachar,":") ) )
< exit: printconsole($ipaddr) , printconsole(" -- ATTACK 5 GET dangerous metachar\n") > .
# ------------------------------------------------------------------------------------------------------------
# *** execve with param too large
# Fires when checksize() returns 0 for the path/argv against the two
# limits declared above -- presumably 0 means "over the limit"; confirm
# against the checksize() implementation.
execve (path, argv, _) | (intro: checksize(path,argv,$execve_max_path,$execve_max_arg) == 0 ) .
# -------------------------------------------------------------------------------------------------------------
# *** Possible shellcode POST
# NOTE(review): the prefix here is "POST:/cgi-bin/" (no space), whereas
# rules 1 and 4 use "POST :/cgi-bin/" (with a space).  With ":" as the
# separator the two split into different tokens, so one of the two forms
# presumably never matches -- confirm which is right and use it in all
# three rules.
read(_,bUFFERCGI,_) | (exit: ( find_begin(bUFFERCGI,"POST:/cgi-bin/",":") == 1) ) ;
! {write () || fork() = pid | (exit: pid == 0)} * ;
write (_,buffershell,_) | (intro: (find(buffershell, $hex_shell_call,"") == 1) ) .
# -------------------------------------------------------------------------------------------------------------
# *** Possible shellcode GET
# The pattern is built at match time by appending $shell_call to the
# "GET :/cgi-bin/:" prefix.
read(_,buff,_) | (exit: find_begin(buff, union_str("GET :/cgi-bin/:",$shell_call) ,":") == 1 )
< exit: printconsole($ipaddr), printconsole(" -- ATTACK 8 GET Possible shellcode\n") > .
# -------------------------------------------------------------------------------------------------------------
# *** script not sure
# execve() of a program under $pathcgi whose name is in $tab_cgi_insecure.
# NOTE(review): find_cgi() is used bare, without "== 1" -- see the note on
# rule 5.  No print action is attached (see the note on rule 1).
execve (buffcgi, _, _) | (intro: find_cgi($tab_cgi_insecure{},$pathcgi,buffcgi) ) .
# -------------------------------------------------------------------------------------------------------------
# *** hex prohibited
# NOTE(review): this fires on any "%" in a POST request, which includes
# legitimate percent-encoded spaces and non-ASCII characters; expect a
# high false-positive rate on real traffic and treat it as a tuning
# candidate (same for rules 11 and 12).
read(_,bUFFERCGI,_) | ( exit: find_begin(bUFFERCGI,"POST:%",":") == 1 )
< exit: printconsole($ipaddr), printconsole(" -- ATTACK 10 POST hex prohibited\n") >
###, freeze() , kill_actual() > I might want to kill the process in some cases...
# (disabled active response kept by the author: freezing / killing the
# offending process instead of only printing.  Left commented out.)
.
# -------------------------------------------------------------------------------------------------------------
# *** hex prohibited (GET / HEAD)
# Two alternatives joined by "||", one rule: a GET or a HEAD containing "%".
read(_,buff,_) | ( exit: (find_begin(buff,"GET:%",":")==1) )
< exit: printconsole($ipaddr), printconsole(" -- ATTACK 11 GET hex prohibited ****\n") >
||
read(_,buff,_) | ( exit: ( find_begin(buff,"HEAD:%",":")==1 ) )
< exit: printconsole($ipaddr), printconsole(" -- ATTACK 12 HEAD hex prohibited ****\n") > .
# -------------------------------------------------------------------------------------------------------------
# *** metachar prohibited in execve
# Uses the literal "/bin/sh" rather than $shell_call; the meaning of the
# trailing argument 2 is not documented here -- check find_or_array().
# No print action is attached (see the note on rule 1).
execve (filename, argv, _) | (intro: find_or_array(filename,argv,"/bin/sh",$metachar,":",2)==1 ) .
# -------------------------------------------------------------------------------------------------------------
# *** mod ssl 0.96d exploit....
# Exact-string signature for one known payload ("/bin//sh"); it is not a
# general shell-spawn check -- rule 13 above is the broader one.
execve ("/bin//sh", _, _) .
# -------------------------------------------------------------------------------------------------------------
# storing IP address of the connected client
# NOTE(review): $ipaddr is a single global.  If several connections are
# handled concurrently, the address printed by an alert may be that of
# the most recently accepted client rather than the offending one --
# confirm how wIDSard scopes globals.  This rule sits after the rules that
# read $ipaddr, so rule matching is presumably not ordered by position in
# the file.
accept(_, sockaddr, _) < exit: $ipaddr = get_ip_addr(sockaddr)> .