Sneed-Reactivity/yara-mikesxrs/1aN0rmus/web_log_review.yara


rule web_log_review
{
    // Triage rule for web server access logs: matches request fragments that
    // commonly appear in reconnaissance, webshell access, command injection
    // and SQL injection attempts. The reference field warns that false
    // positives are likely, so a hit is a lead for review, not a verdict.
    meta:
        author = "@patrickrolsen"
        version = "0.1"
        reference = "Key words in weblogs - Very likely FPs in here."
        date = "2013-12-14"
    strings:
        // Requests for server configuration, credential and shell-history files.
        $file_htaccess      = "GET /.htaccess" nocase
        $file_htpasswd      = "GET /.htpasswd" nocase
        $file_htaccess_bak  = "GET /htaccess.bak" nocase
        $file_htaccess_txt  = "GET /htaccess.txt" nocase
        $file_password      = "GET /password" nocase
        $file_passwd        = "GET /passwd" nocase
        $file_bash_history  = "GET /.bash_history" nocase
        // Probes for database admin front-ends and PHP diagnostics pages.
        $panel_db_main      = "GET /db/main.php" nocase
        $panel_dbadmin_main = "GET /dbadmin/main.php" nocase
        $panel_phpinfo      = "GET /phpinfo.php" nocase
        $panel_phpmyadmin2  = "GET /phpmyadmin2" nocase
        $panel_sqladm       = "GET /_sqladm" nocase
        // Webshell file names (c99 variants, generic backdoor) and group handles.
        $shell_c99shell     = "GET /c99shell.php" nocase
        $shell_c99          = "GET /c99.php" nocase
        $shell_backdoor     = "backdoor.php" nocase
        $crew_v0p           = "v0pCr3w" nocase
        $crew_nob0dy        = "nob0dyCr3w" nocase
        // Command / code injection fragments embedded in the request.
        $inj_response_write = "GET /response.write" nocase
        $inj_dir            = "GET /&dir" nocase
        $inj_ifs_privpasswd = "'$IFS/etc/privpasswd;'" nocase
        $inj_cat_usr_ini    = ";cat /tmp/config/usr.ini" nocase
        $inj_cmd_encoded    = "%5Bcmd%5D" nocase
        $inj_cmd            = "[cmd]" nocase
        // Obfuscated PHP payload wrappers.
        $php_eval_base64    = "eval(base64_decode" nocase
        $php_eval_gzinflate = "eval(gzinflate" nocase
        $php_str_rot13      = "(str_rot13" nocase
        // Defacement banner; kept fullword and case-sensitive as in the original.
        $deface_hacked_by   = "Hacked by" fullword
        // SQL injection tokens, plus-encoded and percent-encoded.
        $sqli_union_plus    = "union+select" nocase
        $sqli_union_encoded = "UNION%20SELECT" nocase
    condition:
        // Every string above is a trigger on its own.
        any of them
}
rule acunetix_web_scanner
{
    // Flags access-log entries left by the Acunetix web vulnerability scanner,
    // using its test identifier, its test hostname and its probe path.
    // Matches are case-sensitive, as in the original rule.
    meta:
        author = "@patrickrolsen"
        version = "0.1"
        reference = "Acunetix Web Scanner"
        date = "2013-12-14"
    strings:
        $marker_test_id   = "acunetix_wvs_security_test"
        $marker_test_host = "testasp.vulnweb.com"
        $marker_test_path = "GET /www.acunetix.tst"
    condition:
        // Any single marker is sufficient.
        any of them
}