changeset 97:3dbd9d392986

Change XSS style attack DroneBL class to 6. Still not exactly what we want, though.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 31 Aug 2009 11:57:46 +0300
parents 989347cbe1a4
children 53a076bc75db
files maltfilter
diffstat 1 files changed, 5 insertions(+), 5 deletions(-) [+]
--- a/maltfilter	Mon Aug 31 04:08:12 2009 +0300
+++ b/maltfilter	Mon Aug 31 11:57:46 2009 +0300
@@ -13,7 +13,7 @@
 use LWP::UserAgent;
 use IO::Seekable;
 
-my $progversion = "0.19.3";
+my $progversion = "0.19.4";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
@@ -116,8 +116,8 @@
     my $merr = $3;
     if ($merr =~ /^File does not exist: (.+)$/) {
       my $tmp = $1;
-      if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
-        check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"});
+      if ($tmp =~ /\/mss2|\/pma|cpanel|admin|\/sql|mysql|websql|\/SSI.php|\/horde|\/rc$|\/xmlrpc.php|sqladm|dbadm|\/roundcube|\/webmail|\/mail|\/email|xampp|\/zen|\/cart|\/shop|\/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager/i) {
+        check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 6, $settings{"CHK_KNOWN_CGI"});
       }
     }
   }
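Review bot: The new pattern on the `File does not exist` branch leaves the dots in `\/SSI.php` and `\/xmlrpc.php` unescaped, so each matches any character in that position; they should read `\/SSI\.php` and `\/xmlrpc\.php`. Several alternatives are unanchored substrings (`admin`, `mysql`, `wiki`, `cpanel`), so a 404 whose path merely contains one of them counts as a "CGI vuln scan" hit, and that hit now carries class 6. Whether a single stray request is enough to trigger a report depends on thresholds inside check_add_hit, which is not visible here, so the false-positive cost should be confirmed before widening the list. `mantisbt` can never add a match after `mantis`, and the bare `roundcube` makes `\/roundcube` redundant. The enclosing block starts and ends outside the hunk.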
@@ -134,13 +134,13 @@
         if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
           evidence_queue($mip, $1, $merr);
         }
-        check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"});
+        check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"});
       }
     }
     # (3.2) Try to match proxy scanning attempts
     elsif ($merr =~ /^http:\/\/([^\/]+)/) {
       if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
-        check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"});
+        check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"});
       }
     }
   }
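Review bot: The class value is written as a bare literal `6` in both check_add_hit calls of this hunk ("PHP XSS" and "Proxy scan") and again in the "CGI vuln scan" call of the previous hunk. Since the commit message already says this class is not the final choice, a single named value such as `my $dronebl_class = 6;` near `$progversion`, passed at all three call sites, would make the next change a one-line edit and keep the sites from drifting apart. A short comment there stating what the class means to the blacklist would also help, because a reader cannot tell from the number alone. The "PHP XSS" label sits on a pattern that matches an `http://` URL passed as a `.php` query parameter, so a comment saying which request shape it is meant to catch would prevent misreading the reported category. The enclosing block starts outside the hunk.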