comparison maltfilter @ 97:3dbd9d392986

Change XSS style attack DroneBL class to 6. Still not exactly what we want, though.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 31 Aug 2009 11:57:46 +0300
parents b1f9df8bb084
children 075b2b626d17 1cbefe9c26c1
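--- a/maltfilter
+++ b/maltfilter
@@ -11,11 +11,11 @@
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
 use IO::Seekable;
 
-my $progversion = "0.19.3";
+my $progversion = "0.19.4";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 
@@ -114,12 +114,12 @@
 my $mdate = $1;
 my $mip = $2;
 my $merr = $3;
 if ($merr =~ /^File does not exist: (.+)$/) {
 my $tmp = $1;
-if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
-check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"});
+if ($tmp =~ /\/mss2|\/pma|cpanel|admin|\/sql|mysql|websql|\/SSI.php|\/horde|\/rc$|\/xmlrpc.php|sqladm|dbadm|\/roundcube|\/webmail|\/mail|\/email|xampp|\/zen|\/cart|\/shop|\/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager/i) {
+check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 6, $settings{"CHK_KNOWN_CGI"});
 }
 }
 }
 
 # (3) Apache common logging format checks
@@ -132,17 +132,17 @@
 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
 if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
 evidence_queue($mip, $1, $merr);
 }
-check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"});
+check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"});
 }
 }
 # (3.2) Try to match proxy scanning attempts
 elsif ($merr =~ /^http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
-check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"});
+check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"});
 }
 }
 }
 }
 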
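Review bot: The DroneBL class is now the bare literal `6` at three call sites (the "CGI vuln scan", "PHP XSS" and "Proxy scan" `check_add_hit` calls), and the commit message itself says the value is not final, so it should be a named constant that the next adjustment can change in one place, e.g. `use constant DRONEBL_CLASS_SCAN => 6;` next to the other `use` lines and `check_add_hit($mip, $mdate, "PHP XSS", $merr, DRONEBL_CLASS_SCAN, $settings{"CHK_PHP_XSS"});` at each site. In the extended path pattern on the "CGI vuln scan" branch, `\/SSI.php` and `\/xmlrpc.php` leave the dot unescaped and `roundcube` duplicates the earlier `\/roundcube` alternative; `\/SSI\.php|\/xmlrpc\.php` says what is meant. The bare `admin` and `wiki` alternatives match any 404 whose path merely contains those words, so a legitimate visitor hitting a moved page is counted as a hit at the same class as a scanner — worth confirming that is intended now that the class is raised. The enclosing subroutine starts and ends outside these hunks.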