# HG changeset patch # User Matti Hamalainen # Date 1251709066 -10800 # Node ID 3dbd9d3929862b47278fe85e280867f12ac4b4df # Parent 989347cbe1a42512963d13b96612f7971a9ec89e Change XSS style attack DroneBL class to 6. Still not exactly what we want, though. diff -r 989347cbe1a4 -r 3dbd9d392986 maltfilter --- a/maltfilter Mon Aug 31 04:08:12 2009 +0300 +++ b/maltfilter Mon Aug 31 11:57:46 2009 +0300 @@ -13,7 +13,7 @@ use LWP::UserAgent; use IO::Seekable; -my $progversion = "0.19.3"; +my $progversion = "0.19.4"; my $progbanner = "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". "Programmed by Matti 'ccr' Hamalainen \n". @@ -116,8 +116,8 @@ my $merr = $3; if ($merr =~ /^File does not exist: (.+)$/) { my $tmp = $1; - if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) { - check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"}); + if ($tmp =~ /\/mss2|\/pma|cpanel|admin|\/sql|mysql|websql|\/SSI.php|\/horde|\/rc$|\/xmlrpc.php|sqladm|dbadm|\/roundcube|\/webmail|\/mail|\/email|xampp|\/zen|\/cart|\/shop|\/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager/i) { + check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 6, $settings{"CHK_KNOWN_CGI"}); } } } @@ -134,13 +134,13 @@ if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) { evidence_queue($mip, $1, $merr); } - check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"}); + check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"}); } } # (3.2) Try to match proxy scanning attempts elsif ($merr =~ /^http:\/\/([^\/]+)/) { if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { - check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"}); + check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"}); } } }
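Review bot: In the hunk at @@ -116,8 +116,8 @@, the new "File does not exist" alternation has unescaped dots and several unanchored or redundant terms, so it matches more than the names suggest. `\/SSI.php` and `\/xmlrpc.php` should be `\/SSI\.php` and `\/xmlrpc\.php`, since `.` matches any character. The bare `roundcube` makes `\/roundcube` redundant, and `mantis` already covers `mantisbt`. Terms such as `admin`, `cpanel`, `mysql`, `wiki` and `bugtrack` have no leading `\/` the way `\/sql`, `\/zen` and `\/cart` do, so any missing file whose path contains those substrings reaches check_add_hit(), now with class 6. Consider anchoring them on a path separator. The commit message only mentions the class change, so the pattern expansion deserves its own line in the description or a separate changeset.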
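Review bot: In the hunk at @@ -134,13 +134,13 @@, the "Proxy scan" call moves from class 2 to 6 along with "PHP XSS", but the commit message ("Change XSS style attack DroneBL class to 6") does not cover it, and the same holds for the "CGI vuln scan" call in the previous hunk. The literal 6 is now hard-coded in three check_add_hit() calls with no comment saying what the class stands for. Since the message itself says this is "still not exactly what we want", a single named constant, or a per-check class kept alongside the existing `$settings{"CHK_PHP_XSS"}` and `$settings{"CHK_PROXY_SCAN"}` entries, would let the value be changed in one place when the right class is decided.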