github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity
ModSecurity/rules/modsecurity_crs_45_trojans.conf
brectanus efe52d4e77 Initialize rules tmp pool properly. 
Update to latest core rules.
2007-06-14 18:48:35 +00:00

37 lines
2.3 KiB
Plaintext
Raw Blame History

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# The trojan access detection rules detects access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses external Anti Virus program when uploading files.
#
# Detection of Trojans access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not
# through hacking.
# --
#
# NOTE Trojans detection is based on checking elements controlled by the client.
# A determined attacked can bypass those checks. We are working on
# enchaining the checks so it would require a major change in the Trojan
# to overcome.
#
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading as the signature set of AV software is not tuned
# for this purpose. We are working on adding signature tuned to detect
# Trojans upload to file uploading inspection.
#
SecDefaultAction "log,pass,phase:2,t:lowercase,status:404"
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950110',severity:'2'"
SecRule REQUEST_FILENAME "root\.exe" \
"t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950921',severity:'2'"
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?(c) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950922',severity:'2'"
Reference in New Issue View Git Blame Copy Permalink