
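/*
   web_log_review - triage rule for web server access logs.

   Fix over the original: the condition was `any of ($s*)`, so a single hit on
   a path that ordinary traffic also produces (e.g. "GET /index.php?", which
   every PHP site with query strings logs) was enough to fire, burying the real
   hits in noise. Strings are now grouped by confidence and the condition is
   tiered:
     $attack_*  request fragments that are themselves an injection or
                exploitation attempt, or a known scanner fingerprint;
                one hit fires the rule.
     $probe_*   requests for sensitive files or admin consoles that a normal
                client of a normal site does not fetch; one hit fires the rule.
     $generic_* paths that also occur in legitimate traffic; on their own they
                are not evidence, so two distinct ones must co-occur in the
                scanned file. Set this back to `any of them` if recall matters
                more than noise for your review.
   All strings are plain case-sensitive substrings unless marked nocase, so
   mixed-case or differently URL-encoded variants of the unmarked ones are not
   caught; keep that in mind before treating a non-match as clean.
*/
rule web_log_review
{
    meta:
        author = "@patrickrolsen"
        version = "0.1"
        reference = "http://blog.shadowserver.org/2013/05/06/breaking-the-kill-chain-with-log-analysis/"
        date = "2013-12-14"
        description = "Suspicious request fragments in web server access logs: recon probes, injection payloads, scanner fingerprints"
    strings:
        // --- attack payloads and scanner fingerprints: one hit is enough ---
        $attack_ifs_privpasswd = "'$IFS/etc/privpasswd;'"         // shell command injection, $IFS used as the word separator
        $attack_cat_usr_ini    = ";cat /tmp/config/usr.ini"        // command chained with ';'
        $attack_cat_passwd_enc = "GET /%26cat%20%2fetc%2fpasswd"   // "&cat /etc/passwd", URL-encoded
        $attack_amp_dir        = "GET /&dir"                       // command separator followed by a directory listing command
        $attack_eval_b64       = "eval(base64_decode"              // PHP code execution / webshell staging
        $attack_eval_gz        = "eval(gzinflate"
        $attack_str_rot13      = "(str_rot13"                      // obfuscation helper seen with the eval() payloads above
        $attack_cmd_enc        = "%5Bcmd%5D"                       // "[cmd]" URL-encoded
        $attack_cmd            = "[cmd]"
        $attack_union_plus     = "union+select" nocase             // SQL injection, '+' as the encoded space
        $attack_union_enc      = "UNION%20SELECT" nocase           // SQL injection, "%20" as the encoded space
        $attack_concat_login   = "concat(user_login"               // SQLi extracting WordPress wp_users credentials
        $attack_concat_pass    = "),user_pass)"
        $attack_sqlmap         = "sqlmap"                          // sqlmap tool name (present in its default User-Agent)
        $attack_resp_write     = "GET /response.write"             // ASP injection probe
        $attack_resp_write_mul = "GET /response.write(9674459*9948960)"  // specific probe; subsumed by $attack_resp_write, kept for fidelity

        // --- sensitive files and admin consoles: one hit is enough ---
        $probe_htaccess      = "GET /.htaccess"
        $probe_htpasswd      = "GET /.htpasswd"
        $probe_htaccess_bak  = "GET /htaccess.bak"
        $probe_htaccess_txt  = "GET /htaccess.txt"
        $probe_bash_history  = "GET /.bash_history"
        $probe_passwd        = "GET /passwd"
        $probe_private_key   = "GET /private.key"
        $probe_database_inc  = "GET /database.inc"
        $probe_schema_sql    = "GET /schema.sql"
        $probe_passwords_mdb = "GET /images/passwords.mdb"
        $probe_phpinfo       = "GET /phpinfo.php"
        $probe_db_main       = "GET /db/main.php"                  // phpMyAdmin-style locations tried by database-admin scanners
        $probe_dbadmin_main  = "GET /dbadmin/main.php"
        $probe_pma_main      = "GET /phpmyadmin/main.php"
        $probe_pma2          = "GET /phpmyadmin2"
        $probe_mysql_main    = "GET /mysql/main.php"
        $probe_sqladm        = "GET /_sqladm"
        $probe_web_console   = "GET /web-console"                  // application-server management console

        // --- paths that legitimate traffic also produces: need two to co-occur ---
        $generic_index_php   = "GET /index.php?"
        $generic_password    = "GET /password"                     // also prefixes e.g. password-reset pages
        $generic_customers   = "GET /customers"
        $generic_memberlist  = "GET /memberlist"
        $generic_logs        = "GET /logs"
        $generic_webstats    = "GET /webstats.html"
        $generic_new_folder  = "GET /New%20folder%20(2)"
    condition:
        any of ($attack*) or any of ($probe*) or 2 of ($generic*)
}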