comparison maltfilter @ 97:3dbd9d392986
Change XSS style attack DroneBL class to 6. Still not exactly what we want, though.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Mon, 31 Aug 2009 11:57:46 +0300 |
parents | b1f9df8bb084 |
children | 075b2b626d17 1cbefe9c26c1 |
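--- a/maltfilter
+++ b/maltfilter
@@ -11,11 +11,11 @@
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
 use IO::Seekable;
 
-my $progversion = "0.19.3";
+my $progversion = "0.19.4";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 
@@ -114,12 +114,12 @@
 my $mdate = $1;
 my $mip = $2;
 my $merr = $3;
 if ($merr =~ /^File does not exist: (.+)$/) {
 my $tmp = $1;
-if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
-check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"});
+if ($tmp =~ /\/mss2|\/pma|cpanel|admin|\/sql|mysql|websql|\/SSI.php|\/horde|\/rc$|\/xmlrpc.php|sqladm|dbadm|\/roundcube|\/webmail|\/mail|\/email|xampp|\/zen|\/cart|\/shop|\/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager/i) {
+check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 6, $settings{"CHK_KNOWN_CGI"});
 }
 }
 }
 
 # (3) Apache common logging format checks
@@ -132,17 +132,17 @@
 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
 if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
 evidence_queue($mip, $1, $merr);
 }
-check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"});
+check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"});
 }
 }
 # (3.2) Try to match proxy scanning attempts
 elsif ($merr =~ /^http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
-check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"});
+check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"});
 }
 }
 }
 }
 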
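Review bot: The widened pattern on new line 119 leaves the dots in `\/SSI.php` and `\/xmlrpc.php` unescaped and keeps bare tokens such as `admin`, `wiki`, `cpanel` and `mantis` unanchored, so any missing-file path that merely contains one of those substrings is recorded as a "CGI vuln scan" hit, now with class 6. If check_add_hit feeds blocking or a DroneBL submission, as the commit message suggests, an ordinary 404 on an unrelated URL could get a legitimate client listed; consider `\/SSI\.php`, `\/xmlrpc\.php` and a leading `\/` on the bare tokens. `mantisbt` is already covered by `mantis`, and the bare `roundcube` makes `\/roundcube` redundant. The literal `6` is repeated at lines 120, 137 and 143, so a named constant with a comment stating which DroneBL class it denotes would document the choice in one place. The enclosing blocks begin and end outside the context shown here.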