

Update rules.json
Some more safe rules
fabriziosalmi authored Jan 9, 2025
1 parent d117f25 commit 8aa66f1
Showing 1 changed file with 265 additions and 15 deletions.
280 changes: 265 additions & 15 deletions rules.json
Expand Up @@ -3,21 +3,21 @@
"id": "malicious-referer-test",
"phase": 2,
"pattern": "(?i)malicious-referer",
"targets": ["HEADERS:Referer"],
"targets": ["HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 5,
"description": "Block requests with malicious Referer headers"
"description": "Block requests with malicious Referer headers (Target: HEADERS)"
},
{
"id": "scanner-detection",
"phase": 1,
"pattern": "(?i)(?:sqlmap|acunetix|nikto|nessus|netsparker|nmap|dirbuster|w3af|openvas|burpsuite|webinspect|qualys|commix|zap|arachni|gobuster|hydra|metasploit|zgrab|masscan|wfuzz|crackmapexec|nuclei|shodan|censys|dirsearch|ffuf|vega|skipfish|wpscan|whatweb|dirmap)",
"targets": ["USER_AGENT"],
"targets": ["HEADERS"],
"severity": "CRITICAL",
"action": "block",
"score": 9,
"description": "Block requests from known security scanners based on User-Agent."
"description": "Block requests from known security scanners based on User-Agent (Target: HEADERS)"
},
{
"id": "sql-injection",
Expand All @@ -32,7 +32,7 @@
{
"id": "xss",
"phase": 2,
"pattern": "(?i)(?:<script[^>]*>|<img[^>]*\\s+onerror=|javascript:|data:|vbscript:|<svg[^>]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=)",
"pattern": "(?i)(?:<script[^>]*>|<img[^>]*\\s+onerror=|javascript:|data:|vbscript:|<svg[^>]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=)",
"targets": ["ARGS", "BODY", "HEADERS"],
"severity": "HIGH",
"action": "block",
Expand All @@ -43,11 +43,11 @@
"id": "path-traversal",
"phase": 2,
"pattern": "(?:\\.\\.[/\\\\]|\\.\\./|\\.\\.\\\\/|%2e%2e[/\\\\]|%2e%2e/|%2e%2e%5c|%252e%252e|\\b(?:etc(?:\\/|%2F)(?:passwd|shadow|hosts)|(?:proc|sys)(?:\\/|%2F)(?:self(?:\\/|%2F)environ|cmdline)|boot(?:\\/|%2F)grub(?:\\/|%2F)grub.cfg)\\b)",
"targets": ["PATH", "ARGS", "HEADERS"],
"targets": ["URI", "ARGS", "HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 9,
"description": "Block path traversal attempts and direct access to sensitive files."
"description": "Block path traversal attempts and direct access to sensitive files (Target: URI, ARGS, HEADERS)."
},
{
"id": "rce-commands",
Expand All @@ -73,11 +73,11 @@
"id": "rce-separators",
"phase": 2,
"pattern": "(?i)(?:`[^`]+`|\\b(?:;|\\|\\||&&|\\n|%0a|%0d)\\s*(?:rm|cat|echo|curl|wget|python|php|jsp|cmd|exec|system|passthru|shell_exec|exec|system|popen|pcntl_exec))",
"targets": ["ARGS", "HEADERS:User-Agent", "HEADERS:Referer"],
"targets": ["ARGS", "HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 7,
"description": "Block command separators followed by specific commands in ARGS and selected headers."
"description": "Block command separators followed by specific commands in ARGS and headers."
},
{
"id": "log4j-exploit",
Expand All @@ -103,30 +103,280 @@
"id": "sensitive-files",
"phase": 1,
"pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web.xml|\\/META-INF\\/)",
"targets": ["PATH", "URI"],
"targets": ["URI"],
"severity": "HIGH",
"action": "block",
"score": 9,
"description": "Block access to sensitive files and directories."
"description": "Block access to sensitive files and directories (Target: URI)."
},
{
"id": "unusual-paths",
"phase": 1,
"pattern": "(?i)(?:/wp-admin|/phpmyadmin|/admin|/login|/cgi-bin|/shell|/backdoor|/cmd|/exec|/bin/(?:sh|bash|zsh)|/console|/setup|/test)",
"targets": ["PATH"],
"targets": ["URI"],
"severity": "MEDIUM",
"action": "block",
"score": 7,
"description": "Block requests to unusual or suspicious paths."
"description": "Block requests to unusual or suspicious paths (Target: URI)."
},
{
"id": "block-bad-bots",
"phase": 1,
"pattern": "(?i)(?:sqlmap|acunetix|nikto|nessus|netsparker|dirbuster|burpsuite|wpscan|nuclei|qualys|arachni|openvas|zap|vega|skipfish|w3af|gobuster|owasp zap|webinspect|appscan|detectify|nessuscloud|retire\\.js|fortify|checkmarx|veracode|snyk|rapid7|nexpose|insightvm|hydra|medusa|ncrack|john the ripper|hashcat|patator|masscan|shodan|censys|whatweb|dirmap|nmap|amap|zmap|theharvester|recon-ng|fierce|metasploit|commix|crackmapexec|cobalt strike|empire|powersploit|httrack|wget|curl|scrapy|beautifulsoup|phantomjs|headlesschrome|puppeteer|grabber|node-fetch|axios|bugcrowd|hackerone|intruder|selenium|openscap|ffuf|webscarab|sublist3r|dirsearch|sql ninja|eyewitness|gau|waybackurls|assetfinder|ahrefsbot|mj12bot|semrushbot|dotbot|rogerbot|exabot|yandexbot|baiduspider|googlebot-image|bingbot|go-http-client|python-requests|okhttp|lwp-request|libwww-perl|kube-hunter|cloudmapper|pacu|dirb|uniscan|vega|arachni|xsser|davtest|jexboss|joomscan|droopescan|cmsmap|xsstrike|thesprawl|cloudgoat|sqlmapapi|wpscanapi|impacket|responder|bloodhound|mimikatz|pupy|veil-framework|evilginx|mitmproxy|bettercap|playwright|nightmare|zombie\\.js|splash)",
"targets": ["USER_AGENT"],
"targets": ["HEADERS"],
"severity": "CRITICAL",
"action": "block",
"score": 9,
"description": "Block requests from known security scanners and bad bots (Target: HEADERS)."
},
{
"id": "mass-assignment-indicators",
"phase": 2,
"pattern": "(?i)(?:.*?\\[.*?\\]=.*?){3,}",
"targets": ["ARGS"],
"severity": "MEDIUM",
"action": "log",
"score": 5,
"description": "Log requests with numerous array-like parameter assignments."
},
{
"id": "suspicious-file-uploads",
"phase": 2,
"pattern": "(?is)Content-Disposition:.*?filename=\".*?\\.(bat|cmd|exe|sh|ps1|dll|so|jar|war|jsp|php[0-9]?|aspx|cgi|pl|py)\"",
"targets": ["BODY"],
"severity": "HIGH",
"action": "block",
"score": 8,
"description": "Block file uploads with suspicious extensions."
},
{
"id": "exposed-admin-panels-no-referer",
"phase": 1,
"pattern": "(?i)^(?:/wp-admin|/phpmyadmin|/admin|/login|/cpanel|/administrator|/webmin|/siteadmin|/config)",
"targets": ["URI"],
"severity": "LOW",
"action": "log",
"score": 3,
"description": "Log requests to common admin panel paths."
},
{
"id": "exposed-admin-panels-no-referer-condition",
"phase": 1,
"pattern": "^$",
"targets": ["HEADERS"],
"severity": "LOW",
"action": "log",
"score": 3,
"description": "Log requests to common admin panel paths without a Referer header (needs to be used in conjunction with 'exposed-admin-panels-no-referer' with a conditional)."
},
{
"id": "directory-listing-attempt",
"phase": 2,
"pattern": "(?i)(?:index\\.of\\s*/|directory\\s+listing\\s+for)",
"targets": ["BODY"],
"severity": "LOW",
"action": "log",
"score": 3,
"description": "Log responses indicating potential directory listing vulnerability."
},
{
"id": "username-enumeration-login-page",
"phase": 2,
"pattern": "(?i)(?:\\buser(?:name)?\\b.*?(?:invalid|incorrect|not\\s+found))",
"targets": ["BODY"],
"severity": "LOW",
"action": "log",
"score": 2,
"description": "Log login responses that might indicate username enumeration vulnerabilities."
},
{
"id": "common-credentials-in-body",
"phase": 2,
"pattern": "(?i)(?:password|pwd|pass)\\s*[:=]\\s*(?:password123|admin|123456|test)",
"targets": ["BODY"],
"severity": "LOW",
"action": "log",
"score": 4,
"description": "Log requests with common credentials in the request body (potential credential stuffing)."
},
{
"id": "high-scoring-cookies",
"phase": 2,
"pattern": "your_session_cookie_name=.*?(vulnerable_pattern|suspicious_value)",
"targets": ["COOKIES"],
"severity": "MEDIUM",
"action": "log",
"score": 5,
"description": "Log requests with specific patterns or values in important cookies (customize cookie name and pattern)."
},
{
"id": "suspicious-auth-headers",
"phase": 2,
"pattern": "(?i)Authorization: Basic\\s+[a-zA-Z0-9+/=]{0,}",
"targets": ["HEADERS"],
"severity": "LOW",
"action": "log",
"score": 2,
"description": "Log requests with potentially incomplete or suspicious Basic Authentication headers."
},
{
"id": "reflected-xss-on-error-pages",
"phase": 2,
"pattern": "(?i)(<script|<iframe|onload|onerror|javascript:)",
"targets": ["BODY"],
"severity": "LOW",
"action": "log",
"score": 3,
"description": "Log responses containing potential reflected XSS payloads, often found on error pages."
},
{
"id": "crlf-injection-headers",
"phase": 2,
"pattern": "(?i)(%0d|\\r)%0a|%0a(%0d|$)|\\n",
"targets": ["HEADERS"],
"severity": "MEDIUM",
"action": "log",
"score": 5,
"description": "Log requests with potential CRLF injection characters in headers."
},
{
"id": "rce-command-injection-args",
"phase": 2,
"pattern": "(?i)(?:\\b(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\\s*\\([^\\)]*\\)|`[^`]+`|;|\\|\\||&&|\\n|%0a|%0d)",
"targets": ["ARGS"],
"severity": "HIGH",
"action": "block",
"score": 8,
"description": "Block potential RCE attempts via command injection in request arguments."
},
{
"id": "rce-file-access-args",
"phase": 2,
"pattern": "(?i)(?:(?:cat|more|less|head|tail)\\s+[^\\s]+(?:/etc/(?:passwd|shadow)|/proc/self/environ))",
"targets": ["ARGS"],
"severity": "HIGH",
"action": "block",
"score": 7,
"description": "Block attempts to access sensitive files via command-like patterns in arguments."
},
{
"id": "rce-file-access-headers",
"phase": 2,
"pattern": "(?i)(?:(?:cat|more|less|head|tail)\\s+[^\\s]+(?:/etc/(?:passwd|shadow)|/proc/self/environ))",
"targets": ["HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 6,
"description": "Block attempts to access sensitive files via command-like patterns in headers."
},
{
"id": "sql-injection-common-keywords-args",
"phase": 2,
"pattern": "(?i)\\b(?:select\\s+.+\\s+from|insert\\s+into|update\\s+.+\\s+set|delete\\s+from|drop\\s+table|alter\\s+table|union\\s+select)\\b",
"targets": ["ARGS"],
"severity": "HIGH",
"action": "block",
"score": 8,
"description": "Block common SQL injection keywords in request arguments."
},
{
"id": "sql-injection-common-keywords-body",
"phase": 2,
"pattern": "(?i)\\b(?:select\\s+.+\\s+from|insert\\s+into|update\\s+.+\\s+set|delete\\s+from|drop\\s+table|alter\\s+table|union\\s+select)\\b",
"targets": ["BODY"],
"severity": "HIGH",
"action": "block",
"score": 7,
"description": "Block common SQL injection keywords in request body."
},
{
"id": "sql-injection-common-keywords-headers",
"phase": 2,
"pattern": "(?i)\\b(?:select\\s+.+\\s+from|insert\\s+into|update\\s+.+\\s+set|delete\\s+from|drop\\s+table|alter\\s+table|union\\s+select)\\b",
"targets": ["HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 6,
"description": "Block common SQL injection keywords in request headers."
},
{
"id": "sql-injection-comment-bypass-args",
"phase": 2,
"pattern": "(?i)/\\*.*?\\*/|--\\s*\\r?\\n?$",
"targets": ["ARGS"],
"severity": "MEDIUM",
"action": "log",
"score": 4,
"description": "Log potential SQL injection comment bypass attempts in arguments."
},
{
"id": "sql-injection-comment-bypass-body",
"phase": 2,
"pattern": "(?i)/\\*.*?\\*/|--\\s*\\r?\\n?$",
"targets": ["BODY"],
"severity": "MEDIUM",
"action": "log",
"score": 3,
"description": "Log potential SQL injection comment bypass attempts in body."
},
{
"id": "log4j-jndi-args",
"phase": 2,
"pattern": "(?i)\\$\\{jndi:(ldap|rmi|dns|iiop|corba|nds|nis|http|ldaps|rmi|nis)://[^}]*\\}",
"targets": ["ARGS"],
"severity": "CRITICAL",
"action": "block",
"score": 9,
"description": "Block Log4j JNDI injection attempts in request arguments."
},
{
"id": "log4j-jndi-body",
"phase": 2,
"pattern": "(?i)\\$\\{jndi:(ldap|rmi|dns|iiop|corba|nds|nis|http|ldaps|rmi|nis)://[^}]*\\}",
"targets": ["BODY"],
"severity": "CRITICAL",
"action": "block",
"score": 9,
"description": "Block requests from known security scanners and bad bots."
"description": "Block Log4j JNDI injection attempts in request body."
},
{
"id": "log4j-jndi-headers",
"phase": 2,
"pattern": "(?i)\\$\\{jndi:(ldap|rmi|dns|iiop|corba|nds|nis|http|ldaps|rmi|nis)://[^}]*\\}",
"targets": ["HEADERS"],
"severity": "CRITICAL",
"action": "block",
"score": 9,
"description": "Block Log4j JNDI injection attempts in request headers."
},
{
"id": "log4j-nested-lookup-args",
"phase": 2,
"pattern": "(?i)\\$\\{.*?\\:\\-\\s*\\$\\{.*?\\}\\}",
"targets": ["ARGS"],
"severity": "HIGH",
"action": "block",
"score": 8,
"description": "Block potential nested Log4j lookups in arguments."
},
{
"id": "log4j-nested-lookup-body",
"phase": 2,
"pattern": "(?i)\\$\\{.*?\\:\\-\\s*\\$\\{.*?\\}\\}",
"targets": ["BODY"],
"severity": "HIGH",
"action": "block",
"score": 7,
"description": "Block potential nested Log4j lookups in body."
},
{
"id": "log4j-nested-lookup-headers",
"phase": 2,
"pattern": "(?i)\\$\\{.*?\\:\\-\\s*\\$\\{.*?\\}\\}",
"targets": ["HEADERS"],
"severity": "HIGH",
"action": "block",
"score": 6,
"description": "Block potential nested Log4j lookups in headers."
}
]
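Review bot: The new `rce-command-injection-args` rule in the last hunk (-103,30 +103,280) blocks on a bare `;`, `\\|\\|`, `&&`, `\\n`, `%0a` or `%0d` anywhere in ARGS, so any form field holding a semicolon or a multi-line value is rejected at score 8 — the commit message calls these "safe" rules, but this one will trip on ordinary input. The existing `rce-separators` rule already shows the safer shape, `(?:;|\\|\\||&&|\\n|%0a|%0d)\\s*(?:rm|cat|echo|...)`, so the new pattern should drop the bare-separator alternatives and require a command token after the separator, or at least ship with `"action": "log"` until tuned. Hunks 1 and 4 also retarget `scanner-detection` and `block-bad-bots` from `USER_AGENT` to `HEADERS`, so short unanchored tokens such as `zap`, `vega`, `hydra`, `curl` and `empire` now match inside any header value (Referer URLs, cookie contents), which widens false positives considerably; wrapping those tokens in `\\b` boundaries, or keeping a header-specific target if the engine still accepts the `HEADERS:Name` form the removed lines used, would limit that. `exposed-admin-panels-no-referer-condition` with `"pattern": "^$"` against HEADERS cannot express the conditional its own description asks for and will presumably either never match or match every request depending on how the engine presents HEADERS, so it should be dropped rather than left as a dead rule. Finally, `suspicious-auth-headers` uses `[a-zA-Z0-9+/=]{0,}`, which matches every well-formed Basic Authorization header; if the log action records the matched value this would write credentials to the log, so tighten the quantifier and confirm what the logger emits before enabling it.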

