Changeset 13117 for trunk/plugins
- Timestamp:
- 10/29/09 23:28:44 (3 years ago)
- Location:
- trunk/plugins/phpids/IDS
- Files:
-
- 2 edited
-
Config/Config.ini (modified) (1 diff)
-
default_filter.xml (modified) (5 diffs)
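--- a/trunk/plugins/phpids/IDS/Config/Config.ini
+++ b/trunk/plugins/phpids/IDS/Config/Config.ini
@@ -35,8 +35,8 @@
 exceptions[] = REQUEST.__utmz
 exceptions[] = REQUEST.__utmc
+exceptions[] = REQUEST.__gads
 exceptions[] = COOKIE.__utmz
-exceptions[] = COOKIE.__utmc
-exceptions[] = REQUEST.bx_map_key
-exceptions[] = POST.bx_map_key
+exceptions[] = COOKIE.__utmc
+exceptions[] = COOKIE.__gads
 
 ; PHPIDS should run with PHP 5.1.2 but this is untested - set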
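Review bot: The added `REQUEST.__gads` and `COOKIE.__gads` exceptions take a client-controlled value out of inspection entirely, and nothing in the file records why. An exception is keyed on the name alone, so whatever a client sends under `__gads` is never scanned; that is only safe while no server-side code reads the value. I would add a comment above the two entries, for example `; __gads: presumably the third-party ad cookie, never read server-side - excluded to avoid false positives`, and confirm that assumption against the application code. Dropping the two `bx_map_key` exceptions puts that field back under inspection, which needs no further change.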
trunk/plugins/phpids/IDS/default_filter.xml
r13007 r13117 61 61 </filter> 62 62 <filter> 63 <id>6</id>64 <rule><![CDATA[(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)]]></rule>65 <description>Detects self contained xss via with(), common loops and regex to string conversion</description>66 <tags>67 <tag>xss</tag>68 <tag>csrf</tag>69 </tags>70 <impact>5</impact>71 </filter>72 <filter>73 63 <id>7</id> 74 64 <rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule> … … 424 414 </filter> 425 415 <filter> 426 <id>39</id>427 <rule><![CDATA[(?:\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])]]></rule>428 <description>Detects nullbytes and other dangerous characters</description>429 <tags>430 <tag>id</tag>431 <tag>rfe</tag>432 <tag>xss</tag>433 </tags>434 <impact>5</impact>435 </filter>436 <filter>437 416 <id>40</id> 438 417 <rule><![CDATA[(?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()]]></rule> … … 477 456 </tags> 478 457 <impact>6</impact> 479 </filter> 480 <filter> 481 <id>44</id> 482 <rule><![CDATA[(?:\d"\s+"\s+\d)|(?:^admin\s*"|(\/\*)+"+\s?(?:--|#|\/\*|{)?)|(?:"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d"])|(?:"\s*[^\w\s]?=\s*")|(?:"\W*[+=]+\W*")|(?:"\s*[!=|][\d\s!=+-]+.*["(].*$)|(?:"\s*[!=|][\d\s!=]+.*\d+$)|(?:"\s*like\W+[\w"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:"[<>~]+")]]></rule> 483 <description>Detects basic SQL authentication bypass attempts 1/3</description> 484 <tags> 485 <tag>sqli</tag> 486 <tag>id</tag> 487 <tag>lfi</tag> 488 </tags> 489 <impact>7</impact> 490 </filter> 491 <filter> 492 <id>45</id> 493 <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not 
|\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule> 494 <description>Detects basic SQL authentication bypass attempts 2/3</description> 495 <tags> 496 <tag>sqli</tag> 497 <tag>id</tag> 498 <tag>lfi</tag> 499 </tags> 500 <impact>7</impact> 501 </filter> 502 <filter> 503 <id>46</id> 504 <rule><![CDATA[(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*"|[=\d]+x))|("\s*\d\s*(?:--|#))|(?:"[%&<>^=]+\d\s*(=|or))|(?:"\W+[\w+-]+\s*=\s*\d\W+")|(?:"\s*is\s*\d.+"?\w)|(?:"\|?[\w-]{3,}[^\w\s.,]+")|(?:"\s*is\s*[\d.]+\s*\W.*")]]></rule> 505 <description>Detects basic SQL authentication bypass attempts 3/3</description> 506 <tags> 507 <tag>sqli</tag> 508 <tag>id</tag> 509 <tag>lfi</tag> 510 </tags> 511 <impact>7</impact> 512 </filter> 458 </filter> 513 459 <filter> 514 460 <id>47</id> … … 690 636 <impact>5</impact> 691 637 </filter> 638 <!-- 692 639 <filter> 693 640 <id>67</id> … … 703 650 <impact>7</impact> 704 651 </filter> 652 --> 705 653 <filter> 706 654 <id>68</id>
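Review bot: Filters 44, 45 and 46 (the three "basic SQL authentication bypass attempts" rules, impact 7) are deleted outright, together with filters 6 and 39, so input matching them no longer contributes to the impact score, and the page records no reason for it. Filter 67 is instead wrapped in `<!-- ... -->`, which keeps the rule recoverable. Treating the other five the same way, each with a one-line reason such as `<!-- disabled in r13117: false positives on FIELD_NAME (placeholder) -->`, would be consistent and auditable. If the trigger was false positives on particular fields, a narrow `exceptions[]` entry in Config.ini would keep the rules active for all other input. Because this edits the rule file that ships with the IDS library, the local changes will probably need to be re-applied or reconciled whenever the rule set is updated.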