phpida-cvs Mailing List for Ida - Intrusion Detection for Apache
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22197 Added Files: index.php .project CHANGELOG munin.php functions.php favicon.ico stil.css config.php login.php Log Message: Initail revsiosion of the "new" Ida --- NEW FILE: login.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ if($_GET['logout'] == 'true') { session_start(); session_destroy(); $_GET['msg']=2; } ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>munin - Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> <!-- .loginform { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; background-color: #FFFFFF; width: 500px; border: 10px solid #CCCCCC; margin: 10px; padding: 10px; margin: 60px auto 20px auto; } body { background-color: #9DA5AB; } dt { float: left; width: 95px; font-size: 12px; line-height: 24px; } dd { margin: 0 0 5px 90px; font-size: 12px; line-height: 24px; color: #666; margin-left: 80px; } input { font-size: 12px; } .msgGood { background-color: #E2F9E3; border: 2px solid #99CC99; margin: 5px; padding: 5px; width: 400px; } .msgBad { background-color: #CC9999; border: 2px solid #993333; margin: 5px; padding: 5px; width: 400px; } --> </style> </head> <body> <div class="loginform"> <p> <?php switch($_GET['msg']) { default: $class="msgGood"; $msg = "Please tell me who you are, and I'll send you right on."; break; case 1: $class="msgBad"; $msg = "I'm sorry, that's the wrong username or password."; break; case 2: $class="msgGood"; $msg = "Good bye! Keep up the good work, boss!"; break; } echo '<div class="'.$class.'"><img src="gfx/error.gif" alt="Error!" 
align="absmiddle"> '.$msg.'</div>'; ?> </p> <form action="index.php" method="post" name="login" id="login"> <dl> <dt>Username:</dt> <dd><input name="username" type="text" id="username" /></dd> <dt>Password:</dt> <dd><input name="password" type="password" id="password" /></dd> <dd><input type="submit" value="Login" /></dd> </dl> </form> <div align="center"><br> This is Munin<br> Copyright � <a href="http://www.munio.no">Munio IT, Audun Larsen</a> 2006 - <?php echo date('Y')?><br> Icons are created by <a href="http://www.famfamfam.com/">Mark James</a> </div> </div> </body> </html> --- NEW FILE: functions.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ function quotesplit( $splitter=' ', $s, $limit=0) { //First step is to split it up into the bits that are surrounded by quotes //and the bits that aren't. 
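Review bot: Logout is triggered by the bare query flag `$_GET['logout'] == 'true'`, so any page that links or embeds `login.php?logout=true` ends the admin's session, and `session_destroy()` on its own leaves `$_SESSION` populated for the rest of the request; clear it explicitly with `session_start(); $_SESSION = array(); session_destroy();` and consider making logout a POST from index.php rather than a link. `$_GET['logout']` and `$_GET['msg']` are read without `isset`, which raises notices on a plain visit — `isset($_GET['logout']) && $_GET['logout'] === 'true'` and `$msgId = isset($_GET['msg']) ? (int)$_GET['msg'] : 0;` avoid that and make the `switch` operate on an integer. The `<img src="gfx/error.gif" alt="Error!">` icon is also shown for the neutral and logout messages, since only `$class` changes per case and not the image.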
Adding the delimiter to the ends simplifies //the logic further down $result =array(); $getstrings = explode('"', $splitter.$s.$splitter); //$instring toggles so we know if we are in a quoted string or not $delimlen = strlen($splitter); $instring = 0; while (list($arg, $val) = each($getstrings)) { if ($instring==1) { //Add the whole string, untouched to the previous value in the array $result[count($result)-1] = $result[count($result)-1].$val; $instring = 0; } else { //Break up the string according to the delimiter character //Each string has extraneous delimiters around it (inc the ones we added //above), so they need to be stripped off $temparray = split($splitter, substr($val, $delimlen, strlen($val)-$delimlen-$delimlen+1 ) ); while(list($iarg, $ival) = each($temparray)) { $result[] = trim($ival); } $instring = 1; } } if($limit>0) { if(sizeof($result)>$limit) { $firstPart=array_slice ($result, 0 , $limit-1); $lastPart=implode(' ',array_slice ($result, $limit-1)); $firstPart[] = $lastPart; $result = $firstPart; } } return $result; } function parseRules() { unlink('./data/HTTP_HEADERS'); unlink('./data/HTTP_GET'); unlink('./data/HTTP_POST'); unlink('./data/HTTP_COOKIE'); if ($handle = opendir('./rules')) { while (false !== ($file = readdir($handle))) { if ($file != "." && $file != ".." 
&& $file != ".htaccess") { parseRuleSet('./rules/'.$file); } } closedir($handle); } muninAddLog("Rebuilt rules", "system", "info"); } function parseRuleSet($ruleFile) { $dataSets=array('HTTP_HEADERS','HTTP_GET','HTTP_POST','HTTP_COOKIE'); $fp['HTTP_HEADERS']=fopen('./data/HTTP_HEADERS', 'a'); $fp['HTTP_GET']=fopen('./data/HTTP_GET', 'a'); $fp['HTTP_POST']=fopen('./data/HTTP_POST', 'a'); $fp['HTTP_COOKIE']=fopen('./data/HTTP_COOKIE', 'a'); if(file_exists($ruleFile)) { $bufferLines = file($ruleFile); foreach($bufferLines as $buffer) { $buffer = str_replace("\t"," ", $buffer); $buffer = preg_replace("/\s+/i", ' ', $buffer); if(substr($buffer,0,1) != ' ' && substr($buffer,0,1) != '#' && substr($buffer,0,1) != '$') { $ruleData = quotesplit(' ', $buffer, 5); //echo "<pre>"; //print_r($ruleData); //echo "</pre>"; $title = ''; $alert = 1; $where = $ruleData[0]; $what = str_replace('"','',$ruleData[1]); $string = str_replace('"','',$ruleData[2]); $action = $ruleData[3]; $msg = $ruleData[4]; $ruleArray=array( 'what' => $what, 'string' => $string, 'action' => $action, 'msg' => $msg ); fwrite($fp[$where], serialize($ruleArray)."\n"); } } } fclose($fp['HTTP_HEADERS']); fclose($fp['HTTP_GET']); fclose($fp['HTTP_POST']); fclose($fp['HTTP_COOKIE']); } function resize_bytes($size) { $count = 0; $format = array("B","KB","MB","GB","TB","PB","EB","ZB","YB"); while(($size/1024)>1 && $count<8) { $size=$size/1024; $count++; } $return = number_format($size,0,'','.')." ".$format[$count]; return $return; } /* * $risk = info, medium, high */ function muninAddEvent($msg) { global $CFG; $keyLength=20; $fileName = 'event_'.time(); $eventLog = "-------------------------------------------------------------\n"; $eventLog .= "Munin ".$CFG['version']." 
running on ".$CFG['hostname']."\n"; $eventLog .= "-------------------------------------------------------------\n"; $eventLog .= "\n"; $eventLog .= $msg."\n"; $eventLog .= "\n"; $eventLog .= "Server Data:\n"; while(list($key, $val)=each($_SERVER)) { $spaces = " "; for($i=strlen($key); $i< $keyLength; $i++) { $spaces .=" "; } $eventLog .= $key.$spaces.$val."\n"; } $fp = fopen(dirname(__FILE__)."/data/".$fileName, 'w'); fwrite($fp, $eventLog); fclose($fp); } function muninAddLog($msg = "", $type = "system", $risk = "info") { } function muninMatchRule($rule, $data) { if(preg_match('/'.$rule.'/i', rawurldecode($data))) { return true; } else { return false; } } function muninMatchField($what, $field) { if(trim($what)!='') { if(preg_match('/'.$what.'/i', rawurldecode($field))) { return true; } else { return false; } } else { return true; } } // TODO: Custom messeage? function muninShowError() { header("HTTP/1.1 400 Bad Request"); echo "<html>\n"; echo "<head>\n"; echo "<title>Error 400: Bad Request</title>\n"; echo "</head>\n"; echo "<body>\n"; echo "<h1>Error 400: Bad Request</h1>\n"; echo "We are sorry, but the server was unable to handle your request.\n"; echo "</body>\n"; echo "</html>\n"; die(); } function muninShowSelect($name, $values, $selected) { $html = "<select name='".$name."'>"; while(list($key, $val) = each($values)) { $html .= "<option value='".$key."'"; if($key == $selected) { $html .= " selected"; } $html .= ">".$val."</option>"; } $html .= "</select>"; return $html; } // TODO: Make this function return WHAT and WHERE that triggered the event function muninCheckArray($dataArr, $what, $rule) { while(list($key, $val)=each($dataArr)) { if(is_array($val)) { if(muninCheckArray($val, $what, $rule)) { return true; } } else { if(muninMatchField($what, $key)) { if(muninMatchRule($rule, $val)) { return true; } } } } } function goMunin($dataArr, $ruleSet, $path) { global $CFG; $fp = fopen($path.'/data/'.$ruleSet, 'r'); while (!feof($fp)) { $buffer = fgets($fp); 
$row = unserialize($buffer); if(sizeof($row) == 4) { if(muninCheckArray($dataArr, $row['what'], $row['string'])) { muninAddEvent($ruleSet.': '.$row['msg']); if($row['alert'] == 1 && isset($CFG['alert_email']) && !empty($CFG['alert_email'])) { $mailSubject = 'Munin alert: '.$row['msg']; $mailBody = 'Msg: '.$row['msg']."\n". 'IP: '.$_SERVER['REMOTE_ADDR']."\n". 'Date: '.date('d. M y H:i'); mail($CFG['alert_email'], $mailSubject, $mailBody, 'From: Munin <'.$CFG['alert_from'].'>'); } if($row['action'] == 'block' && $CFG['debug'] != 1) { muninShowError(); } } } } } ?> --- NEW FILE: munin.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
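Review bot: `parseRuleSet` sets `$alert = 1` but never stores it in `$ruleArray`, while `goMunin` gates the alert e-mail on `$row['alert'] == 1`, so that key is always undefined and no alert can ever be sent; add `'alert' => $alert,` to the array passed to `serialize`. `muninMatchRule` and `muninMatchField` interpolate rule text straight into `'/'.$rule.'/i'`, so a rule containing `/` or a malformed expression makes `preg_match` return false, which is silently treated as "no match" and disables that rule; check `preg_last_error() !== PREG_NO_ERROR` after the call and log the broken rule instead. `muninAddEvent` names each file `event_<time()>` and opens it with `'w'`, so two events within the same second overwrite each other — add a unique suffix (`uniqid()` or a counter) to `$fileName`. In `parseRuleSet`, `$where = $ruleData[0]` is never validated against `$dataSets`, so a typo in a rule's first field makes `fwrite($fp[$where], …)` act on an undefined handle; guard with `if (!in_array($where, $dataSets, true)) { continue; }` before writing.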
*/ function munin($path) { $times['MUNIN_TOTAL']['start'] = microtime(true); // just some benchmarking global $dbh, $CFG; if(file_exists($path."/config.php")) { // 'connection' successfull, continue require_once($path."/functions.php"); // include the common function, we need this require_once($path."/config.php"); /** * Remove data from the $_SERVER array that we don't need */ $serverArr['HTTP_ACCEPT'] = $_SERVER['HTTP_ACCEPT']; $serverArr['HTTP_ACCEPT_CHARSET'] = $_SERVER['HTTP_ACCEPT_CHARSET']; $serverArr['HTTP_ACCEPT_LANGUAGE'] = $_SERVER['HTTP_ACCEPT_LANGUAGE']; $serverArr['HTTP_ACCEPT_ENCODING'] = $_SERVER['HTTP_ACCEPT_ENCODING']; $serverArr['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT']; $serverArr['HTTP_REFERER'] = $_SERVER['HTTP_REFERER']; $serverArr['HTTP_VIA'] = $_SERVER['HTTP_VIA']; $serverArr['HTTP_X_FORWARDED_FOR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; $serverArr['REQUEST_URI'] = $_SERVER['HTTP_USER_AGENT']; $serverArr['QUERY_STRING'] = $_SERVER['QUERY_STRING']; $serverArr['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME']; $serverArr['REQUEST_METHOD'] = $_SERVER['REQUEST_METHOD']; $serverArr['SERVER_PROTOCOL'] = $_SERVER['SERVER_PROTOCOL']; /** * Setup the array with data to check. and the ruleset to check it up against */ $mununChecks=array( 'HTTP_HEADERS' => $serverArr, 'HTTP_POST' => $_POST, 'HTTP_GET' => $_GET, 'HTTP_COOKIE' => $_COOKIE ); /** * Loop trough the array with checks, and check the data. */ while(list($ruleSet, $dataArr)=each($mununChecks)) { $times[$ruleSet]['start'] = microtime(true); // just some benchmarking goMunin($dataArr, $ruleSet, $path); // this is the important part ;) $times[$ruleSet]['stop'] = microtime(true); // just some benchmarking } } else { // failed to open the database echo '<!-- Munin NOT loaded, check path -->'; // print a hidden error message } $times['MUNIN_TOTAL']['stop'] = microtime(true); // again, this is just some benchmarking!! Dude! I told ya! 
/** * If debuging is enabled, save the benchmark to a file */ if(is_writeable($path.'/data')) { $timestamp = date('r'); $fileData = ''; foreach($times as $title => $time) { $time = $time['stop']-$time['start']; $fileData .= $title.":\t".$time."\n"; } $fp=fopen($path.'/data/benchmarks','a'); if (flock($fp, LOCK_EX)) { // do an exclusive lock, if not, just skip it.. it's not that important fwrite($fp, $timestamp."\n".$fileData."\n"); flock($fp, LOCK_UN); // release the lock } fclose($fp); } /** * Your mom don't work here! Cleanup after yourself! */ $dbh=NULL; unset($serverArr, $timestamp, $fileData, $times, $title, $time, $mununChecks, $CFG, $path, $ruleSet, $dataArr); return true; } ?> --- NEW FILE: index.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ session_start(); // What? You don't know what this is? Then I suggest you stop messing with this file!! require_once('functions.php'); require_once('config.php'); set_magic_quotes_runtime(0); /** * Do the boring login dance! 
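Review bot: `$serverArr['REQUEST_URI'] = $_SERVER['HTTP_USER_AGENT'];` stores the user agent under the REQUEST_URI key, so any HTTP_HEADERS rule whose `what` is REQUEST_URI inspects the user agent and the actual request URI is never checked; change it to `$serverArr['REQUEST_URI'] = $_SERVER['REQUEST_URI'];`. The benchmark block is documented as "If debuging is enabled" but is gated only on `is_writeable($path.'/data')`, so every request appends to data/benchmarks and the file grows without bound; gate it with `if(!empty($CFG['debug']) && is_writeable($path.'/data'))` (this runs before the `unset(... $CFG ...)` cleanup, so `$CFG` is still available there). The `$_SERVER` copies should use `isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_VIA'] : ''` and the like, since HTTP_VIA, HTTP_X_FORWARDED_FOR and HTTP_ACCEPT_CHARSET are absent on most requests and each one raises a notice on the protected site.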
*/ if(isset($_POST['username'])) { if($_POST['username'] == $CFG['username'] && sha1($_POST['password']) == $CFG['password']) { $_SESSION['auth']=1; muninAddLog("User logged in", 'system', 'info'); } else { /** * If the login fails, go to login! AGAIN??? */ muninAddLog("Login failed", 'system', 'medium'); header("Location: login.php?msg=1"); die(); } } if(!isset($_SESSION['auth'])) { /** * If the user isn't loged in, go to login! */ header("Location: login.php"); die(); } /** * Let's do what we came here to do! Show the incrediblae cool Munin CP!! w000t w000t! */ ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title> Munin </title> <link rel="stylesheet" href="stil.css" type="text/css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"> <script type="text/javascript"> function change(id, newClass) { document.getElementById(id).className=newClass; } </script> </head> <body> <div id="container"> <div id="sidebar"> <h1>Munin</h1> <dl id="munin-info"> <dt>Version:</dt> <dd><?php echo $CFG['version']; ?></dd> <dt>Date:</dt> <dd><?php echo date('d. M y H:i'); ?></dd> </dl> <ul id="menu"> <li><a href="index.php" id="m2_overview">Overview</a></li> <li><a href="index.php?p=logs" id="m2_manage-logs">Event log</a></li> <li><a href="index.php?p=rules" id="m2_manage-rules">Manage rules</a></li> <?php if($_GET['p'] == 'rules' || $_GET['p'] == 'edit') { echo '<li>'; echo '<ul id="submenu">'; if ($handle = opendir('./rules')) { while (false !== ($file = readdir($handle))) { if ($file != "." && $file != ".." && $file != ".htaccess") { echo '<li><a href="index.php?p=edit&file='.$file.'" id="m2_file">'.$file.'</a></li>'; } } closedir($handle); } echo '</ul>'; echo '</li>'; } ?> <li><a href="index.php?p=about" id="m2_about">About</a></li> </ul> <?php if($CFG['debug'] == 1) { ?> <p><strong>Note:</strong> Munin is running in debug mode. 
No requests will be blocked.</p> <?php } ?> </div> <div id="content"> <?php switch($_GET['p']) { default: include("pages/main.php"); break; case 'rules': include("pages/rules.php"); break; case 'logs': include("pages/logs.php"); break; case 'edit': include("pages/edit.php"); break; case 'about': include("pages/about.php"); break; } ?> </div> </div> </body> </html> <?php /** * "Disconnect" from database. It really isn't! */ $dbh = null; ?> --- NEW FILE: .project --- <?xml version="1.0" encoding="UTF-8"?> <projectDescription> <name>Ida - Application Intrusion Detection</name> <comment></comment> <projects> </projects> <buildSpec> <buildCommand> <name>net.sourceforge.phpeclipse.parserbuilder</name> <arguments> </arguments> </buildCommand> </buildSpec> <natures> <nature>net.sourceforge.phpeclipse.phpnature</nature> </natures> </projectDescription> --- NEW FILE: CHANGELOG --- ---------------------------------- Munin Changelog ---------------------------------- 2007-02-13, Audun Larsen <au...@mu...> ### 0.7b released 2007-02-11, Audun Larsen <au...@mu...> * Changed password hash method back to sha1, for PHP 4 compability * Filter out events maked as reviewed ok from the event list as default * Fixed bug in the rule file editor when bogus filename was supplied * Added option to delte events * Updated the copyright notice on the login screen * Added a notice below the menu when Munin is in debug mode 2007-02-10, Audun Larsen <au...@mu...> * Added a listing af new events to the Overview page * Reimplemented the listing, and viewing of events after changing the way events are stored (still needs some work) * Samll design changes on the Overview page 2007-02-08, Audun Larsen <au...@mu...> * Munin now uses only regular files for storage. PDO is no longer required * Remove the listing of rules in the database. Kinda redundant. 
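Review bot: The credential check compares both the username and the sha1 digest with `==`, so PHP's loose string comparison applies — digests that happen to be numeric strings (such as `0e` followed by digits) compare numerically rather than byte-wise; use `===` (or `hash_equals($CFG['password'], sha1($_POST['password']))` on PHP 5.6+) and call `session_regenerate_id(true);` immediately before `$_SESSION['auth']=1;` so a session id issued before login is not carried over. `muninAddLog` is an empty stub in functions.php, so the `muninAddLog("Login failed", 'system', 'medium')` call here leaves no trace of failed logins — worth marking with `// TODO: muninAddLog() is a stub; failed logins are currently not recorded anywhere` until it is implemented. `$_GET['p']` is read several times without `isset`, which raises notices on the default page; read it once, e.g. `$page = isset($_GET['p']) ? $_GET['p'] : '';`, and use `$page` in the menu test and the `switch`.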
* Events are now stored in plain files * Updated the about page, again 2007-02-06, Audun Larsen <au...@mu...> * Events page now remembers what filter you applied * Events is now filtered by severity, not type * You can now mark events as Reviewed OK or Needs attention * Only allow marking of events triggered by rules * Added a message on the welcome page that tells you how many events that needs attention * Removed the Delete link in the event details page * I have chaneged e-mail address, and URL to my company site: Updated in the license * Added some coments in the config.php file 2006-12-17, Audun Larsen <aud...@lk...> * Changed the hash function used for the admin password from sha1 to sha256 2006-11-8, Audun Larsen <aud...@lk...> * Removed the settings page and moved the configuration to the config.php file * Changed the text on the "Rebuild rules" link * Changed some of the text on the frontpage * Done some code cleanup in index.php * Added some instructions on the rules page * Fixed the e-mail alert to say something usefull * Added option to change from address in the alert email 2006-11-4, Audun Larsen <aud...@lk...> * Added some comments to the top of every file 2006-10-29, Audun Larsen <aud...@lk...> * Fixed typo in the license 2006-10-13, Audun Larsen <aud...@lk...> ### 0.6b released * Fixed typo in log message when someone logs in 2006-10-01, Audun Larsen <aud...@lk...> * Added "About" page * Added log message when settings is saved * Added log message when the password is changed * Added log message when rebuilding rules * Added log message when saving ruleset * Added type filter to the event browser * Added e-mail alert * Added pointer cursor when hovering over a event in the event list * Added next / previous links to the event browser * Added back link when viewing event * Fixed some more letter-spacing on h3 and h2 * Major code cleanup in munin.php * Added where the event happend in the event log msg (HTTP_HEADERS, HTTP_POST, HTTP_GET...) 
* Moved the database to the data/ dir * Added a favicon * When in debug mode, save benchmarks to data/benchmarks * Unset all variables when Munin is done to reduce memory usage trough the real script execution * Changed the log events icons to something more logic * Changed the background colors on the log events * Changed the icon on the ruleset links 2006-09-30, Audun Larsen <aud...@lk...> ### 0.5a released * Initial version, 0.5a released. --- NEW FILE: favicon.ico --- (This appears to be a binary file; contents omitted.) --- NEW FILE: config.php --- <?php /* * Created on 8. nov. 2006 * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ $CFG['version'] = "0.7b"; $CFG['username'] = 'munin'; // Username to log in with $CFG['password'] = '4be30d9814c6d4e9800e0d2ea9ec9fb00efa887b'; // sha1 hash of password, see: http://munin.lkonsult.no/passgen $CFG['debug'] = 0; // Debug mode, 1=On, 0=Off $CFG['hostname'] = "anette.xqus.com"; $CFG['alert_email'] = 'no-...@mu...'; // E-mail address to send alerts to $CFG['alert_from'] = 'no-...@mu...'; // From address in the amail alerts ?> --- NEW FILE: stil.css --- /* GENERELT ------------------------------------------------------------------------------*/ * { margin: 0; padding: 0; } body { padding: 20px 20px 20px 20px; font-family: arial, sans-serif; font-size: 62.5%; color: #000; background: #fff; } pre { font-family: courier, "lucida console"; } /* LAYOUT ------------------------------------------------------------------------------*/ div#container { position: relative; margin: 0 -2px 0 0; border: 1px solid #292929; background: #f8f9f8; } div#sidebar { position: absolute; top: 15px; left: 15px; width: 153px; padding: 10px 10px 10px 10px; border: 1px solid #807f7f; background: #fff url("gfx/munin.gif") no-repeat; } div#content { margin: 15px 15px 15px 205px; padding: 15px; border: 1px solid #807f7f; background: #fff; } /* MENY ------------------------------------------------------------------------------*/ div#menu-top { width: 100%; overflow: auto; margin: 0 -2px 15px 0; border: 1px solid #292929; font-size: 1.1em; text-transform: lowercase; list-style: none; background: #f8f8f8 url("gfx/menu-top.gif") repeat-x 100% 100%; } div#menu-top p { margin: 0; display: block; padding: 0px 0px 0px 10px; text-decoration: none; color: #000; } ul#menu { margin: 15px 0; font-size: 1.2em; list-style: none; line-height: 1.5; } ul#submenu { margin: 15px 10px 0; font-size: 1em; list-style: none; line-height: 1.5; } ul#menu li { } ul#menu a { display: block; margin: 0 0 1em 0; padding: 0 0 0 20px; text-decoration: none; color: #000; background-repeat: no-repeat; } /* 
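Review bot: The file commits a concrete sha1 password digest and a real hostname (`anette.xqus.com`) into CVS, so everyone with repository access holds the admin credential material; ship placeholders instead (e.g. `$CFG['password'] = ''; // set to sha1 of your password`) and have operators generate the value locally rather than through the linked web form, which sends the chosen password to a third-party host. An unsalted sha1 of a password is also cheap to recover offline once the digest leaks, so the comment should at least state that this file must be kept out of version control and unreadable to the web server's other users; if PHP 4 compatibility is ever dropped, `password_hash()`/`password_verify()` is the replacement.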
TEKSTFORMATERING ------------------------------------------------------------------------------*/ h1 { height: 20px; font-size: 0.5em; text-indent: -1000px; } h2 { margin: 0 0 0.5em 0; font-size: 2.4em; } h3 { margin: 0 0 0.5em 0; font-size: 1.8em; font-weight: normal; } p { margin: 0 0 1em 0; font-size: 1.2em; line-height: 1.7; } #content ul { margin: 0 0 1em 2em; font-size: 1.2em; list-style: square; } #content li { margin: 0 0 0.5em 0; padding: 0 0 0 0; line-height: 1.7; } dl#munin-info { margin: 2px 0 0 35px; font-size: 1.1em; } dl#munin-info dt { float: left; margin: 0 5px 2px 0; } dl#munin-info dd { margin: 0 0 3px 0; font-weight: bold; } /* Individuelle listeikoner ------------------------------------------------------------------------------*/ #m2_overview {background-image: url("gfx/m2_overview.gif");} #m2_manage-rules {background-image: url("gfx/m2_manage-rules.gif");} #m2_manage-logs {background-image: url("gfx/m2_manage-logs.gif");} #m2_settings {background-image: url("gfx/m2_settings.gif");} #m2_file {background-image: url("gfx/m2_file.png");} #m2_about {background-image: url("gfx/m2_about.png");} table { border: 1px solid #292929; background-color: #f8f9f8; } th { font-size: 12px; background-color: #f8f9f8; text-align: left; margin: 5px; padding: 3px; } td { font-size: 12px; text-align: left; background-color: #ffffff; margin: 5px; padding: 3px; } .tableBorders { border-top-width: 1px; border-top-style: solid; border-top-color: #292929; } .hideTable { display: none; } .showTable { display: table-row; } |
From: Audun L. <xq...@us...> - 2007-08-29 13:14:57
Update of /cvsroot/phpida/ida/pages In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22197/pages Added Files: edit.php about.php logs.php main.php .htaccess rules.php Log Message: Initail revsiosion of the "new" Ida --- NEW FILE: main.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ $eventsNeedsAtt = 0; $lastEvent = 0; $newEvents = array(); if ($handle = opendir('./data')) { while (false !== ($file = readdir($handle))) { if (substr($file,0,5) == 'event') { $timestamp = substr($file,strpos($file, '_')+1); $type = substr($file,0,strpos($file, '_')); if($timestamp > $lastEvent) { $lastEvent = $timestamp; } if($type == 'eventatt') { $eventsNeedsAtt++; } elseif($type == 'event') { $newEvents[$timestamp] = $file; } } } closedir($handle); } ?> <h2>Welcome to Munin</h2> <p> Welcome to Munin! </p> <p> <img src="gfx/log_high.png"> You have <strong><?php echo $eventsNeedsAtt; ?></strong> event(s) that needs your attention. <a href='index.php?p=logs'>[event log]</a> </p> <h3>New events</h3> <p> <?php while(list($eventTime, $eventFile)=each($newEvents)) { echo '<img src="gfx/event.png" align="absmiddle"> <a href="index.php?p=logs&file='.$eventFile.'">'.date('D. 
M dS Y H:i',$eventTime).'</a><br>'; } ?> </p> <h3>System overview</h3> <table border="0" cellspacing="0" cellpadding="2"> <tr> <th scope="row"> <img src="gfx/system.gif" alt="system"> System</th> <td><?php echo `uname`;?></td> </tr> <tr> <th scope="row"> <img src="gfx/uptime.gif" alt="system"> System uptime</th> <td><?php echo `uptime`;?></td> </tr> <tr> <th scope="row"> <img src="gfx/rules.gif" alt="system"> Active rules</th> <td></td> </tr> <tr> <th scope="row"> <img src="gfx/database.gif" alt="system"> Database size</th> <td></td> </tr> <tr> <th scope="row"> <img src="gfx/events.gif" alt="system"> Last event</th> <td><?php echo date('D. M dS Y H:i', $lastEvent); ?></td> </tr> </table> --- NEW FILE: rules.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ if(isset($_GET['rebuild'])) { parseRules(); } ?> <h2>Browse rules</h2> <p>The rule database is built from the rule files in your rules folder. You can edit the rule files by clicking the filename in the menu to the left. 
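Review bot: The two backtick shell expressions (`uname` and `uptime`) in the System overview table spawn a shell on every Overview load and paste the raw output into the page; the commands are fixed, but the output is not escaped and the backtick operator fails outright where `shell_exec` is disabled. `php_uname()` and `implode(', ', sys_getloadavg())` give equivalent information without a shell, and the result should go through `htmlspecialchars()` like any other text echoed into HTML. `date('D. M dS Y H:i', $lastEvent)` prints the Unix epoch when no event file exists, because `$lastEvent` starts at 0 — guard it with `$lastEvent > 0 ? date('D. M dS Y H:i', $lastEvent) : 'none'`.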
Remember that you have to rebuild the rules in order for any changes to take effect.</p> <p><img src="gfx/database.gif"><a href="index.php?p=rules&rebuild=1">Rebuild rules</a></p> --- NEW FILE: .htaccess --- Deny From All --- NEW FILE: about.php --- <?php /* * Created on Sep 30, 2006 * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ ?> <h3>About Munin</h3> <p> Munin is a application level IDS/firewall for PHP based applications. It is written entirely in PHP.<br> Munin is written and copyrighted by <a href="http://munio.no">Munio IT, Audun Larsen</a>. All the icons used in this application are created by <a href="http://www.famfamfam.com/">Mark James</a>. </p> <h3>Munin License</h3> <p> Copyright 2006 - <?php echo date('Y'); ?> Munio IT, Audun Larsen (www.munio.no). All rights reserved. <br> <br>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: <br> <br> 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
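Review bot: `if(isset($_GET['rebuild'])) { parseRules(); }` makes a state-changing action — `parseRules()` unlinks the four compiled data/HTTP_* files and regenerates them — reachable through a plain GET link, so it can be triggered by any page the logged-in admin happens to visit; turn the link into a small POST form carrying a per-session token and verify it here before calling `parseRules()`. Because the compiled files are deleted before the rules directory is re-read, `goMunin()` on concurrent requests sees missing or partially written rule sets for the duration of the rebuild, and a failure mid-way leaves the IDS without rules; writing to temporary files and `rename()`-ing them into place (in `parseRuleSet`, outside this section) would make the switch atomic. The page also gives no feedback on whether the rebuild succeeded, since `parseRules()` returns nothing — at least echo a confirmation after the call.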
<br> <br>THIS SOFTWARE IS PROVIDED BY THE MUNIN PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE MUNIN PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </p> --- NEW FILE: edit.php --- <?php /* * Created on Sep 28, 2006 * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ if(!get_magic_quotes_gpc()) { if(isset($_GET['save'])) { if(file_exists('./rules/'.$_GET['file']) && is_writeable('./rules/'.$_GET['file'])) { if(substr($_POST['content'],0,1)=='$') { $firstLineFeed=strpos($_POST['content'],"\n"); $infoLine=substr($_POST['content'],0,$firstLineFeed); $_POST['content']=substr($_POST['content'],$firstLineFeed+1); $infoParams=explode(';',substr($infoLine,1)); foreach($infoParams as $infoParam) { list($key, $val) = explode(':', $infoParam); if($key != '') { $fileInfo[$key]=$val; } } } if(isset($fileInfo['rev'])) { $fileRev = $fileInfo['rev'] + 0.01; } else { $fileRev = 0.1; } //print_r($fileInfo); $fp=fopen('./rules/'.$_GET['file'],'w'); fwrite($fp, '$rev:'.$fileRev.";changed:".date('r')."\n"); fwrite($fp, $_POST['content']); fclose($fp); muninAddLog("Saved rules: ".$_GET['file'], $type = "system", $risk = "info"); } else { echo "Oh.. I can't save to this file.."; muninAddLog("Failed to save: ".$_GET['file'], $type = "system", $risk = "medium"); } } echo '<h2>Edit ruleset: '.htmlentities($_GET['file']).'</h2>'; echo '<form action="index.php?p=edit&file='.htmlentities($_GET['file']).'&save=1" method="post">'; echo '<textarea name="content" rows=40 cols=130 WRAP=OFF>'; if(file_exists('./rules/'.$_GET['file'])) { echo htmlentities(file_get_contents('./rules/'.$_GET['file'])); } echo '</textarea><br>'; echo '<input type="submit" value="Save">'; echo '</form>'; } else { echo "Please turn magic_quotes_gpc Off to use this editor."; } ?> --- NEW FILE: logs.php --- <?php /* * Created by Audun Larsen (aud...@lk...) * * Copyright 2006 Larsen Konsult * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
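Review bot: `$_GET['file']` is joined to `./rules/` on the save, read and display paths of edit.php without any canonicalisation, so the `file_exists`/`is_writeable` checks only bound the target to files the web server can already write, not to the rules directory; reduce it to a bare name before every use, `$file = basename($_GET['file']);`, and build all three paths from `$file`. The same unbounded join appears in logs.php, where `$_GET['rm']` and `$_GET['file']` feed `unlink`, `rename` and `file_get_contents` under `./data/`. The save form is a plain POST with no per-session token, so a token field checked on the `save` branch is the usual way to make sure the request came from this editor page. Separately, `muninAddLog("Saved rules: ".$_GET['file'], $type = "system", $risk = "info")` assigns locals inside the argument list; `muninAddLog('Saved rules: '.$file, 'system', 'info')` says the same thing without the side effect.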
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ ?> <?php if(!isset($_GET['file'])) { /** * Delete events */ if(isset($_GET['rm'])) { if(file_exists('./data/'.$_GET['rm'])) { unlink('./data/'.$_GET['rm']); } } echo "<h2>Events</h2>"; echo "<p>The list below shows the unmarked and marked as <i>needs attention</i> events.<br>To show all events, press <a href='index.php?p=logs&showall=1'>here.</a></p>"; echo "<p>"; if ($handle = opendir('./data')) { while (false !== ($file = readdir($handle))) { if (substr($file,0,5) == 'event') { $timestamp = substr($file,strpos($file, '_')+1); $type = substr($file,0,strpos($file, '_')); if($type != 'eventok' || isset($_GET['showall'])) { echo '<img src="gfx/'.$type.'.png" align="absmiddle"> <a href="index.php?p=logs&file='.$file.'">'.date('D. M dS Y H:i',$timestamp).'</a><br>'; } } } closedir($handle); } echo "</p>"; } else { if(file_exists('./data/'.$_GET['file'])) { $timestamp = substr($_GET['file'],strpos($_GET['file'], '_')+1); $type = substr($_GET['file'],0,strpos($_GET['file'], '_')); /** * Mark the file */ if(isset($_GET['mark'])) { switch($_GET['mark']) { case 'ok': rename('./data/'.$_GET['file'], './data/eventok_'.$timestamp); $_GET['file'] = 'eventok_'.$timestamp; echo "<p>Event maked as: Reviewed OK</p>"; break; case 'att': rename('./data/'.$_GET['file'], './data/eventatt_'.$timestamp); $_GET['file'] = 'eventatt_'.$timestamp; echo "<p>Event maked as: Needs attention</p>"; break; } } echo "<h2>Event: ".date('D. 
M dS Y H:i',$timestamp)."</h2>"; echo "<p><a href='index.php?p=logs'>Back to event list</a> | Mark as: <img src='gfx/eventok.png' align='absmiddle'> <a href='index.php?p=logs&file=".$_GET['file']."&mark=ok'>Reviewed OK</a> <img src='gfx/eventatt.png' align='absmiddle'> <a href='index.php?p=logs&file=".$_GET['file']."&mark=att'>Needs attention</a> | <a href=\"index.php?p=logs&rm=".$_GET['file']."\" onclick=\"return confirm('Are you sure you want to delete this event?')\"><img src='gfx/delete.png' border=0></a></p>"; echo "<pre>"; echo htmlentities(file_get_contents('./data/'.$_GET['file'])); echo "</pre>"; } } ?> |
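Review bot: `$_GET['file']` is echoed raw into the `href` attributes of the mark and delete links (`index.php?p=logs&file=".$_GET['file']."&mark=ok` and the `rm=` link) after `file_exists` has passed, so any name present under `./data/` is reflected into URL and HTML attribute contexts without escaping, while the `<pre>` output on the same branch is correctly wrapped in `htmlentities`; use `htmlspecialchars(rawurlencode($_GET['file']), ENT_QUOTES)` in those attributes. `file_exists` only confirms the name exists under `./data/`, not that it is an event file, so `unlink`, `rename` and `file_get_contents` would also accept the directory's own `.htaccess` or any traversal-reachable path; checking the name against the shape this page itself produces, e.g. `preg_match('/^event(ok|att)?_\d+$/', $file)`, before any filesystem call makes the allowed set explicit. Both "Event maked as:" messages misspell "marked".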
From: Audun L. <xq...@us...> - 2007-08-29 13:14:56
Update of /cvsroot/phpida/ida/rules In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22197/rules Added Files: sqlinjection.txt badUa.txt xss.txt .htaccess munin.txt Log Message: Initail revsiosion of the "new" Ida --- NEW FILE: .htaccess --- Deny From All --- NEW FILE: sqlinjection.txt --- $rev:0.2;changed:Sun, 08 Oct 2006 16:13:21 +0200 #################################################################### # # Created by Audun Larsen (aud...@lk...) # # Copyright 2006 Larsen Konsult (www.lkonsult.no) # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # #################################################################### # # Data set Where (regex) Search for (regex) Action Log msg # ############################################################################################################################### HTTP_POST "" "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" block SQL injection in POST data HTTP_GET "" "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" block SQL injection in GET data HTTP_COOKIE "" "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" block SQL injection in GET data HTTP_HEADERS "^HTTP_REFERER$ "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" block SQL injection in HTTP_REFERER --- NEW FILE: munin.txt --- $rev:2.79;changed:Mon, 09 Oct 2006 17:04:01 +0200 #################################################################### # # Created by Audun Larsen (aud...@lk...) # # Copyright 2006 Larsen Konsult (www.lkonsult.no) # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #################################################################### # # Data set Where (regex) Search for (regex) Action Log msg # ############################################################################################################################### #HTTP_POST "^(?!fil)" "all" pass Test rule (Drupal) HTTP_HEADERS "" ".htaccess" block .htaccess HTTP_HEADERS "" ".htpasswd" block .htpasswd HTTP_HEADERS "^REQUEST_METHOD$" "^(?!POST|GET)" pass Illegal HTTP request method HTTP_GET "" "^http:\/" block HTTP in GET param, possible allow_url_fopen attack HTTP_GET "" "\.\.\/" block Possible path traversal attempt in GET data HTTP_POST "" "\.\.\/" block Possible path traversal attempt in POST data HTTP_COOKIE "" "\.\.\/" block Possible path traversal attempt in COOKIE data ## Bad IPS HTTP_HEADERS "^REMOTE_ADDRESS$" "^205.134.172" block Spamhost --- NEW FILE: badUa.txt --- $rev:0.16;changed:Sun, 08 Oct 2006 16:13:09 +0200 #################################################################### # # Created by Audun Larsen (aud...@lk...) # # Copyright 2006 Larsen Konsult (www.lkonsult.no) # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #################################################################### # # Data set Where (regex) Search for (regex) Action Log msg # ############################################################################################################################### HTTP_HEADERS "^HTTP_USER_AGENT$" "^spybot" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Mosiac 1.*" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Brutus\/AET" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "cgichk" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "DataCha0s\/2.0" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Morzilla" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "xmlrpc exploit" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Wordpress Hash Grabber" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "lwp" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Web Downloader" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebZIP" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebCopier" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Webster" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebStripper" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "teleport pro" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "combine" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Black Hole" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "SiteSnagger" block Bad user-agent HTTP_HEADERS 
"^HTTP_USER_AGENT$" "ProWebWalker" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "CheeseBot" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Mozilla\/(4|5).0$" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "FooBar\/42" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Microsoft Internet Explorer\/5.0$" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Nessus" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Nikto" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Faxobot" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Crescent Internet ToolPak" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebBandit" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WEBMOLE" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Telesoft" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebEMailExtractor" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "CherryPicker" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "NICErsPRO" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Advanced Email Extractor" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "EmailSiphon" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Extractorpro" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "webbandit" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "EmailCollector" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WebEMailExtrac" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "EmailWolf" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "CopyRightCheck" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "CopyGuard" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Digimarc WebReader" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "DTS Agent" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "WISEbot" block Bad user-agent HTTP_HEADERS "^HTTP_USER_AGENT$" "Missigua" block Bad user-agent --- NEW FILE: xss.txt --- $rev:0.17;changed:Sun, 08 Oct 2006 16:13:31 
+0200 #################################################################### # # Created by Audun Larsen (aud...@lk...) # # Copyright 2006 Larsen Konsult (www.lkonsult.no) # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #################################################################### # # Data set Where (regex) Search for (regex) Action Log msg # ############################################################################################################################### HTTP_POST "" "<script|<about|<applet|<activex|<chrome|<object" pass XSS in POST data HTTP_GET "" "<script|<about|<applet|<activex|<chrome|<object" block XSS in GET data HTTP_COOKIE "" "<script|<about|<applet|<activex|<chrome|<object" block XSS in cookie data HTTP_HEADERS "^HTTP_USER_AGENT$" "<script|<about|<applet|<activex|<chrome|<object" block XSS in user-agent HTTP_HEADERS "^HTTP_REFERER$" "<script|<about|<applet|<activex|<chrome|<object" block XSS in REFERER |
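Review bot: In sqlinjection.txt the HTTP_REFERER rule's "Where" field is never closed — `"^HTTP_REFERER$ "((select|…` — so a quote-delimited read of that line will most likely be off by one field; it should read `HTTP_HEADERS "^HTTP_REFERER$" "((select…)" block SQL injection in HTTP_REFERER`. The HTTP_COOKIE rule in the same file carries the log message `SQL injection in GET data`, copied from the line above. In munin.txt the Spamhost rule keys on `^REMOTE_ADDRESS$`; if HTTP_HEADERS is filled from `$_SERVER`, the variable is `REMOTE_ADDR` and the rule never fires, and the unescaped dots in `^205.134.172` match any character rather than a literal dot. The `pass` action on munin.txt's "Illegal HTTP request method" rule and on xss.txt's HTTP_POST rule (while its GET and COOKIE siblings `block`) reads like it was left from testing; if deliberate, a `#` comment on those lines would save the next reader the question.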
From: Audun L. <xq...@us...> - 2007-08-29 13:14:56
Update of /cvsroot/phpida/ida/data In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22197/data Added Files: HTTP_HEADERS HTTP_GET .htaccess HTTP_POST HTTP_COOKIE Log Message: Initail revsiosion of the "new" Ida --- NEW FILE: .htaccess --- Deny From All --- NEW FILE: HTTP_POST --- --- NEW FILE: HTTP_GET --- --- NEW FILE: HTTP_COOKIE --- --- NEW FILE: HTTP_HEADERS --- |
Update of /cvsroot/phpida/ida/gfx In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22197/gfx Added Files: system.gif Thumbs.db uptime.gif m2_file.png previous.gif delete.png log_medium.png event.png m2_overview.gif m2_manage-logs.gif m2_about.png error.gif rule_delete.gif log_ok.png point.gif log_info.png eventok.png menu-top.gif log_high.png next.gif rule_edit.gif events.gif m2_settings.gif munin.gif database.gif header.gif eventatt.png accept.gif menu-top-seperator.gif m2_manage-rules.gif rules.gif Log Message: Initail revsiosion of the "new" Ida --- NEW FILE: log_medium.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: log_high.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: menu-top-seperator.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: eventok.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: rule_edit.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: event.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: m2_settings.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: database.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: Thumbs.db --- (This appears to be a binary file; contents omitted.) --- NEW FILE: system.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: next.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: eventatt.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: uptime.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: point.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: rules.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: log_ok.png --- (This appears to be a binary file; contents omitted.) 
--- NEW FILE: m2_manage-rules.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: m2_about.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: rule_delete.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: menu-top.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: munin.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: log_info.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: accept.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: error.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: m2_manage-logs.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: m2_overview.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: m2_file.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: delete.png --- (This appears to be a binary file; contents omitted.) --- NEW FILE: events.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: previous.gif --- (This appears to be a binary file; contents omitted.) --- NEW FILE: header.gif --- (This appears to be a binary file; contents omitted.) |
From: Audun L. <xq...@us...> - 2007-08-29 13:14:46
Update of /cvsroot/phpida/ida/rules In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22170/rules Log Message: Directory /cvsroot/phpida/ida/rules added to the repository |
From: Audun L. <xq...@us...> - 2007-08-29 13:14:46
Update of /cvsroot/phpida/ida/pages In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22170/pages Log Message: Directory /cvsroot/phpida/ida/pages added to the repository |
From: Audun L. <xq...@us...> - 2007-08-29 13:14:46
Update of /cvsroot/phpida/ida/gfx In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22170/gfx Log Message: Directory /cvsroot/phpida/ida/gfx added to the repository |
From: Audun L. <xq...@us...> - 2007-08-29 13:14:46
Update of /cvsroot/phpida/ida/data In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22170/data Log Message: Directory /cvsroot/phpida/ida/data added to the repository |
From: Audun L. <xq...@us...> - 2007-08-21 19:12:24
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv3513 Modified Files: ida.php Log Message: Small visual adjustments. Updated version to -dev Index: ida.php =================================================================== RCS file: /cvsroot/phpida/ida/ida.php,v retrieving revision 1.24 retrieving revision 1.25 diff -C2 -d -r1.24 -r1.25 *** ida.php 21 Aug 2007 18:56:55 -0000 1.24 --- ida.php 21 Aug 2007 19:12:23 -0000 1.25 *************** *** 8,12 **** * https://sourceforge.net/projects/phpida/ * ! */ define('_VERSION', '0.0.3'); class ida{ --- 8,13 ---- * https://sourceforge.net/projects/phpida/ * ! */ ! define('_VERSION', '0.0.3-dev'); class ida{ *************** *** 372,376 **** function genReport() { if($this->hasOutput==1 || $this->optShowSummary == true) { ! fwrite(STDOUT, "-- Ida (v " . _VERSION . ") summary -------------------------------------------\n"); fwrite(STDOUT, " Finish date: ".date("l F j H:i Y")."\n"); fwrite(STDOUT, " Lines analyzed: ".$this->statsProcLines."\n"); --- 373,377 ---- function genReport() { if($this->hasOutput==1 || $this->optShowSummary == true) { ! fwrite(STDOUT, "-- Ida (v " . _VERSION . ") summary --------------------------------------------------\n"); fwrite(STDOUT, " Finish date: ".date("l F j H:i Y")."\n"); fwrite(STDOUT, " Lines analyzed: ".$this->statsProcLines."\n"); |
From: Audun L. <xq...@us...> - 2007-08-21 18:56:54
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29611 Modified Files: ida.php Log Message: removed the --analyze option Index: ida.php =================================================================== RCS file: /cvsroot/phpida/ida/ida.php,v retrieving revision 1.23 retrieving revision 1.24 diff -C2 -d -r1.23 -r1.24 *** ida.php 21 Aug 2007 18:42:32 -0000 1.23 --- ida.php 21 Aug 2007 18:56:55 -0000 1.24 *************** *** 173,177 **** */ die("Unknown option: ".$argument); ! break; /** * Prevent Ida from loading and saving the .idarc file --- 173,177 ---- */ die("Unknown option: ".$argument); ! break; /** * Prevent Ida from loading and saving the .idarc file *************** *** 324,348 **** //TODO: Don't do anything if we don't got any plugins. foreach($this->loadedPlugins as $loadedPlugin) { ! $this->userAgents[$requestInfo['agent']]=1; ! call_user_func(array('ida_'.$loadedPlugin, 'checkRequest'), $requestInfo); ! $pluginData = call_user_func(array('ida_'.$loadedPlugin, 'getResult')); ! if($pluginData[0]==1) { ! $this->report($pluginData); ! if(trim($pluginData['break'])==1) { ! break; ! } ! } ! } ! } ! ! ! /** ! * --analyze ! */ ! if(($pluginData[0]==0) && ($this->optAnalyze==true)) { ! $pluginData['info'] = "Nothing found.."; ! $pluginData['risk'] = "low"; ! $this->report($pluginData); ! } } --- 324,338 ---- //TODO: Don't do anything if we don't got any plugins. foreach($this->loadedPlugins as $loadedPlugin) { ! $this->userAgents[$requestInfo['agent']]=1; ! call_user_func(array('ida_'.$loadedPlugin, 'checkRequest'), $requestInfo); ! $pluginData = call_user_func(array('ida_'.$loadedPlugin, 'getResult')); ! if($pluginData[0] == 1) { ! $this->report($pluginData); ! if(trim($pluginData['break'])==1) { ! break; ! } ! } ! } ! } } |
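Review bot: The `break;` after `die("Unknown option: ".$argument);` in the first hunk is unreachable, since `die` ends the script; the hunk only re-indents it, so either the `break` or the `die` should go to make the intent clear. In the plugin loop, `$pluginData[0] == 1` and `trim($pluginData['break'])==1` compare loosely against values the plugins set as integers, so `$pluginData[0] === 1` and `(int) $pluginData['break'] === 1` would be stricter while keeping the current behaviour. The removed `--analyze` branch was the only use of `$this->optAnalyze` visible here; if the option is still parsed elsewhere in the file it now does nothing and should be dropped or documented as a no-op. The enclosing functions of both hunks start and end outside them.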
From: Audun L. <xq...@us...> - 2007-08-21 18:42:31
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24097 Modified Files: ida.php Log Message: Removed some old useless code. Index: ida.php =================================================================== RCS file: /cvsroot/phpida/ida/ida.php,v retrieving revision 1.22 retrieving revision 1.23 diff -C2 -d -r1.22 -r1.23 *** ida.php 21 Aug 2007 18:39:36 -0000 1.22 --- ida.php 21 Aug 2007 18:42:32 -0000 1.23 *************** *** 416,449 **** - class plugins { - /** - * Return a integer telling somthing about the user-agent - */ - function getUaType($userAgent) { - global $ida; - /** - * The value returned says something about the type of the user-agent - * 0 - Unknown - * 1 - Search engine robot - * 2 - Bad robot, should be blocked - * 3 - Other, nice robot - */ - $robots = @file($ida->idaDir."/useragents.ida"); - if(sizeof($robots)>1) { - foreach($robots as $robot) { - $robotDetails = explode("|", $robot); - if(trim($robotDetails[2])==trim($userAgent)) { - return $robotDetails[1]; - } - } - } else { - return 0; - } - } - - } - $pluginLib = new plugins; - - /** * Do stuff to make the program work.. :P --- 416,419 ---- |
From: Audun L. <xq...@us...> - 2007-08-21 18:42:07
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24063 Removed Files: useragents.ida Log Message: No need for this. --- useragents.ida DELETED --- |
From: Audun L. <xq...@us...> - 2007-08-21 18:41:44
Update of /cvsroot/phpida/plugins In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23691 Modified Files: 012.php Log Message: Empty. We need to make a new version of this. Index: 012.php =================================================================== RCS file: /cvsroot/phpida/plugins/012.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** 012.php 21 Aug 2007 18:18:21 -0000 1.5 --- 012.php 21 Aug 2007 18:41:46 -0000 1.6 *************** *** 15,33 **** class ida_012 extends plugin { ! static public function checkRequest($requestInfo) { ! $pluginObj = new plugins(); ! ! $requestInfo['info'] = "The User-Agent is reported as bad"; ! $requestInfo['risk'] = "high"; ! $requestInfo['break'] = 0; ! $requestInfo['type'] = "Misc"; ! ! if($pluginObj->getUaType($requestInfo['agent'])==2) { ! $requestInfo[0] = 1; ! } else { ! $requestInfo[0] = 0; ! } ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file --- 15,19 ---- class ida_012 extends plugin { ! } ?> \ No newline at end of file |
From: Audun L. <xq...@us...> - 2007-08-21 18:39:34
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22877 Modified Files: ida.php Log Message: Added versio number to the report summary. Index: ida.php =================================================================== RCS file: /cvsroot/phpida/ida/ida.php,v retrieving revision 1.21 retrieving revision 1.22 diff -C2 -d -r1.21 -r1.22 *** ida.php 21 Aug 2007 17:38:58 -0000 1.21 --- ida.php 21 Aug 2007 18:39:36 -0000 1.22 *************** *** 8,39 **** * https://sourceforge.net/projects/phpida/ * ! */ ! ! ! class plugin { ! ! static $res = array(); ! ! static public function getResult() { ! return self::$res; ! } ! ! static public function checkRequest($request) { ! $requestInfo['info'] = ''; ! $requestInfo['risk'] = ''; ! $requestInfo['break'] = 0; ! $requestInfo['type'] = ''; ! $requestInfo[0] = 0; ! ! self::$res = $requestInfo; ! } ! ! } - class ida{ - /** - * Do not edit :) - */ var $tmpDir = "/tmp"; var $idaDir = ""; --- 8,15 ---- * https://sourceforge.net/projects/phpida/ * ! */ define('_VERSION', '0.0.3'); + class ida{ var $tmpDir = "/tmp"; var $idaDir = ""; *************** *** 60,65 **** * Initiate ida */ ! function ida() { ! /** * Sets up CLI environment based on SAPI and PHP version */ --- 36,41 ---- * Initiate ida */ ! function ida() { ! /** * Sets up CLI environment based on SAPI and PHP version */ *************** *** 406,410 **** function genReport() { if($this->hasOutput==1 || $this->optShowSummary == true) { ! fwrite(STDOUT, "-- Ida summary -----------------------------------------------------\n"); fwrite(STDOUT, " Finish date: ".date("l F j H:i Y")."\n"); fwrite(STDOUT, " Lines analyzed: ".$this->statsProcLines."\n"); --- 382,386 ---- function genReport() { if($this->hasOutput==1 || $this->optShowSummary == true) { ! fwrite(STDOUT, "-- Ida (v " . _VERSION . 
") summary -------------------------------------------\n"); fwrite(STDOUT, " Finish date: ".date("l F j H:i Y")."\n"); fwrite(STDOUT, " Lines analyzed: ".$this->statsProcLines."\n"); *************** *** 418,421 **** --- 394,419 ---- } + + class plugin { + + static $res = array(); + + static public function getResult() { + return self::$res; + } + + static public function checkRequest($request) { + $requestInfo['info'] = ''; + $requestInfo['risk'] = ''; + $requestInfo['break'] = 0; + $requestInfo['type'] = ''; + $requestInfo[0] = 0; + + self::$res = $requestInfo; + } + + } + + class plugins { /** |
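Review bot: `plugin::$res` is a single static property, and every `ida_*` subclass writes `self::$res` without redeclaring it, so `getResult()` returns whichever plugin ran last rather than a per-plugin result; this only works because the caller reads the result immediately after each `checkRequest` call. A comment on the property stating that contract — `// shared by all plugins: call getResult() right after checkRequest()` — or having `checkRequest` return the array directly would make it explicit. `class plugin` now sits after `class ida` and the `define('_VERSION', …)`; PHP normally hoists a parentless class declaration, so this should be fine as long as the plugin files that `extend` it are included after this file is compiled, which presumably holds. The `genReport` hunk's enclosing function continues outside the hunk.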
From: Audun L. <xq...@us...> - 2007-08-21 18:33:56
Update of /cvsroot/phpida/ida In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv20531 Modified Files: ida.config.default Log Message: Changed default configuration to something that makes some sense. Index: ida.config.default =================================================================== RCS file: /cvsroot/phpida/ida/ida.config.default,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** ida.config.default 29 Sep 2004 15:37:12 -0000 1.2 --- ida.config.default 21 Aug 2007 18:33:58 -0000 1.3 *************** *** 8,17 **** # Full path to where your Ida plugins are, remember the trailing slash # ! pluginDir=d:\ida\plugins\ # # Full path to temporary dir, must be writeable # ! tmpDir=c:\winnt\tmp # --- 8,17 ---- # Full path to where your Ida plugins are, remember the trailing slash # ! pluginDir=/usr/local/share/ida/ # # Full path to temporary dir, must be writeable # ! tmpDir=/tmp # |
From: Audun L. <xq...@us...> - 2007-08-21 18:28:35
Update of /cvsroot/phpida/plugins In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18525 Removed Files: 001.php Log Message: Replaced by #002 --- 001.php DELETED --- |
From: Audun L. <xq...@us...> - 2007-08-21 18:27:39
Update of /cvsroot/phpida/plugins In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18146 Modified Files: 002.php Log Message: Fixed class name. Index: 002.php =================================================================== RCS file: /cvsroot/phpida/plugins/002.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** 002.php 21 Aug 2007 18:18:21 -0000 1.6 --- 002.php 21 Aug 2007 18:27:41 -0000 1.7 *************** *** 13,17 **** * E-Mail: aud...@lk... */ ! class ida_001 extends plugin { static public function checkRequest($requestInfo) { $requestInfo['info'] = "formmail.pl is a web2e-mail gateway.\n It has a vulnerability that allows unauthorized users to send spam anonymously.\n Someone was searching for a copy on your site and FOUND IT! Yuor should NOT use FormMail."; --- 13,18 ---- * E-Mail: aud...@lk... */ ! ! class ida_002 extends plugin { static public function checkRequest($requestInfo) { $requestInfo['info'] = "formmail.pl is a web2e-mail gateway.\n It has a vulnerability that allows unauthorized users to send spam anonymously.\n Someone was searching for a copy on your site and FOUND IT! Yuor should NOT use FormMail."; |
Update of /cvsroot/phpida/plugins In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv11033 Modified Files: 006.php 008.php 004.php 011.php 010.php 005.php 002.php 009.php 012.php 007.php 003.php Log Message: - Updated plugins to work with the new module structure thingie. - Code cleanups Index: 012.php =================================================================== RCS file: /cvsroot/phpida/plugins/012.php,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** 012.php 19 Aug 2007 20:09:47 -0000 1.3 --- 012.php 21 Aug 2007 18:09:28 -0000 1.4 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,31 **** */ ! function ida_012($requestInfo) { $pluginObj = new plugins(); ! $requestInfo['info'] = "The User-Agent is reported as bad"; $requestInfo['risk'] = "high"; $requestInfo['break'] = 0; $requestInfo['type'] = "Misc"; ! if($pluginObj->getUaType($requestInfo['agent'])==2) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! return $requestInfo; } ?> \ No newline at end of file --- 14,33 ---- */ ! class ida_012 extends plugin { ! static public function checkRequest($requestInfo) { $pluginObj = new plugins(); ! $requestInfo['info'] = "The User-Agent is reported as bad"; $requestInfo['risk'] = "high"; $requestInfo['break'] = 0; $requestInfo['type'] = "Misc"; ! if($pluginObj->getUaType($requestInfo['agent'])==2) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! self::$res = $requestInfo; ! 
} } ?> \ No newline at end of file Index: 007.php =================================================================== RCS file: /cvsroot/phpida/plugins/007.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 007.php 19 Aug 2007 20:09:47 -0000 1.4 --- 007.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,19 **** */ ! function ida_007($requestInfo) { ! $requestInfo['info'] = "The request contains a backtick (`), this may be an attempt to retrive private information trough a poorly written web application."; $requestInfo['risk'] = "medium"; --- 14,20 ---- */ ! class ida_007 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request contains a backtick (`), this may be an attempt to retrive private information trough a poorly written web application."; $requestInfo['risk'] = "medium"; *************** *** 23,32 **** $inString = strpos(rawurldecode($requestInfo['request']), "`"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 24,34 ---- $inString = strpos(rawurldecode($requestInfo['request']), "`"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 009.php =================================================================== RCS file: /cvsroot/phpida/plugins/009.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 009.php 19 Aug 2007 20:09:47 -0000 1.4 --- 009.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! 
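Review bot: `self::$res = $requestInfo;` in the new `ida_012::checkRequest` replaces the return value with a write to a static property, and if `$res` is declared once on the `plugin` base class every subclass shares that single slot, so one plugin's result is overwritten by the next unless the dispatcher reads it immediately after each call. The same replacement is made in 007, 009, 006, 003, 010, 005, 011, 004, 008 and 002 in this commit, and any caller that still uses the return value now receives null. Either keep `return $requestInfo;` next to the assignment, or document on `plugin::$res` that it only ever holds the most recent result. `new plugins()` inside a `plugin` subclass is also easy to misread; a comment such as `// plugins (plural) is the helper exposing getUaType(), not the plugin base class` would help the next reader.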
/** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,32 **** */ ! function ida_009($requestInfo) { ! $requestInfo['info'] = "This looks like a W32.Nimda.A@mm attack.\n This worm can only infetct unpatched IIS servers."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 1; $requestInfo['type'] = "Misc"; ! $inString = strpos(rawurldecode($requestInfo['request']), "/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 14,34 ---- */ ! class ida_009 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "This looks like a W32.Nimda.A@mm attack.\n This worm can only infetct unpatched IIS servers."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 1; $requestInfo['type'] = "Misc"; ! $inString = strpos(rawurldecode($requestInfo['request']), "/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 006.php =================================================================== RCS file: /cvsroot/phpida/plugins/006.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 006.php 19 Aug 2007 20:09:47 -0000 1.4 --- 006.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,19 **** */ ! function ida_006($requestInfo) { ! 
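Review bot: `ida_009::checkRequest` sets `info`, `risk`, `break`, `type` and the bare numeric key `[0]` on `$requestInfo` without any comment saying what they mean or who consumes them; the numeric key in particular reads as an accident next to the named ones. A docblock on the method, or once on `plugin`, should state that `[0]` is the match flag (1 = rule fired), which values `risk` may take, and what `break` means to the dispatcher — from this hunk it is not clear whether `break = 1` stops evaluation of further plugins. The same documentation gap exists in every plugin converted by this commit.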
$requestInfo['info'] = "The request contains \"../\", this may be an attempt to retrive private information trough a poorly written web application."; $requestInfo['risk'] = "low"; --- 14,20 ---- */ ! class ida_006 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request contains \"../\", this may be an attempt to retrive private information trough a poorly written web application."; $requestInfo['risk'] = "low"; *************** *** 23,32 **** $inString = strpos(rawurldecode($requestInfo['request']), "../"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 24,34 ---- $inString = strpos(rawurldecode($requestInfo['request']), "../"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 003.php =================================================================== RCS file: /cvsroot/phpida/plugins/003.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 003.php 19 Aug 2007 20:09:47 -0000 1.4 --- 003.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,19 **** */ ! function ida_003($requestInfo) { ! $requestInfo['info'] = "The request contains a null byte (%00). It can be used to fool a web application into thinking a different file type has been requested. "; $requestInfo['risk'] = "medium"; --- 14,20 ---- */ ! class ida_003 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request contains a null byte (%00). 
It can be used to fool a web application into thinking a different file type has been requested. "; $requestInfo['risk'] = "medium"; *************** *** 23,32 **** $inString = strpos($requestInfo['request'], "%00"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 24,34 ---- $inString = strpos($requestInfo['request'], "%00"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 010.php =================================================================== RCS file: /cvsroot/phpida/plugins/010.php,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** 010.php 19 Aug 2007 20:09:47 -0000 1.2 --- 010.php 21 Aug 2007 18:09:28 -0000 1.3 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,38 **** */ ! function ida_010($requestInfo) { ! $requestInfo['info'] = "The request type is not GET, POST or HEAD. This may be a DOS attack."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 1; $requestInfo['type'] = "Denial of Service"; ! $isOk=1; $requestParts = explode(" ", trim($requestInfo['request'])); $requestType = $requestParts[0]; if(($requestType != "GET") && ($requestType != "POST") && ($requestType != "HEAD")) { ! $isOk=0; } ! if ($isOk==0) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 14,40 ---- */ ! class ida_010 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request type is not GET, POST or HEAD. 
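Review bot: The null-byte check in `ida_003::checkRequest` runs `strpos` on the raw request, while the sibling plugins (004, 005, 006, 007) call `rawurldecode` first, so this rule only fires on the literal text `%00` and not on a request field that has already been decoded. If `request` is stored URL-encoded, `strpos(rawurldecode($requestInfo['request']), "\0")` would cover both forms; confirm how `request` is populated before changing it. If the current behaviour is intended, a short comment explaining why this plugin deliberately does not decode would prevent someone "fixing" it later.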
This may be a DOS attack."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 1; $requestInfo['type'] = "Denial of Service"; ! $isOk=1; $requestParts = explode(" ", trim($requestInfo['request'])); $requestType = $requestParts[0]; if(($requestType != "GET") && ($requestType != "POST") && ($requestType != "HEAD")) { ! $isOk=0; } ! if ($isOk==0) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 005.php =================================================================== RCS file: /cvsroot/phpida/plugins/005.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 005.php 19 Aug 2007 20:09:47 -0000 1.4 --- 005.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,19 **** */ ! function ida_005($requestInfo) { ! $requestInfo['info'] = "The request contains a !, this may be an XSS attack attempt."; $requestInfo['risk'] = "low"; --- 14,20 ---- */ ! class ida_005 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request contains a !, this may be an XSS attack attempt."; $requestInfo['risk'] = "low"; *************** *** 23,32 **** $inString = strpos(rawurldecode($requestInfo['request']), "!"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 24,34 ---- $inString = strpos(rawurldecode($requestInfo['request']), "!"); if ($inString !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! 
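Review bot: The `$isOk` flag and the chained `!=` comparisons in the new `ida_010::checkRequest` body can be collapsed into one strict membership test, which also removes the double negation where `$isOk==0` means "matched": `$requestInfo[0] = in_array($requestType, array('GET', 'POST', 'HEAD'), true) ? 0 : 1;`. `$requestParts[0]` is the method token only if `request` holds the full request line (`METHOD URI PROTOCOL`); if it holds just the path the rule would fire on every request, so a comment stating the expected format of `request` belongs above the `explode` call.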
} } ?> \ No newline at end of file Index: 011.php =================================================================== RCS file: /cvsroot/phpida/plugins/011.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 011.php 19 Aug 2007 20:09:47 -0000 1.4 --- 011.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,32 **** */ ! function ida_011($requestInfo) { ! $requestInfo['info'] = "The user-agent contains HTML code.\n This may be an XSS attempt."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 0; $requestInfo['type'] = "Cross-site Scripting"; ! $inString = strpos(rawurldecode($requestInfo['agent']), "<"); $inString2 = strpos(rawurldecode($requestInfo['agent']), ">"); if ($inString !== false || $inString2 !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! return $requestInfo; } ?> \ No newline at end of file --- 14,34 ---- */ ! class ida_011 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The user-agent contains HTML code.\n This may be an XSS attempt."; $requestInfo['risk'] = "low"; $requestInfo['break'] = 0; $requestInfo['type'] = "Cross-site Scripting"; ! $inString = strpos(rawurldecode($requestInfo['agent']), "<"); $inString2 = strpos(rawurldecode($requestInfo['agent']), ">"); if ($inString !== false || $inString2 !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! self::$res = $requestInfo; ! 
} } ?> \ No newline at end of file Index: 004.php =================================================================== RCS file: /cvsroot/phpida/plugins/004.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 004.php 19 Aug 2007 20:09:47 -0000 1.4 --- 004.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,19 **** */ ! function ida_004($requestInfo) { ! $requestInfo['info'] = "The request contains a < or a > character, this may be an XSS attack attempt."; $requestInfo['risk'] = "medium"; --- 14,20 ---- */ ! class ida_004 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "The request contains a < or a > character, this may be an XSS attack attempt."; $requestInfo['risk'] = "medium"; *************** *** 24,33 **** $inString2 = strpos(rawurldecode($requestInfo['request']), ">"); if ($inString !== false || $inString2 !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 25,35 ---- $inString2 = strpos(rawurldecode($requestInfo['request']), ">"); if ($inString !== false || $inString2 !== false) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 008.php =================================================================== RCS file: /cvsroot/phpida/plugins/008.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** 008.php 19 Aug 2007 20:09:47 -0000 1.5 --- 008.php 21 Aug 2007 18:09:28 -0000 1.6 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! 
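Review bot: The `<`/`>` test in `ida_011::checkRequest` (user agent) and `ida_004::checkRequest` (request) is the same two-`strpos` block copied verbatim, and the single-character `strpos` pattern also appears in 005, 006 and 007. Now that the plugins share a `plugin` base class, a protected static helper such as `containsAny($haystack, $needles)` on the base would reduce each plugin to the field it inspects, its needles and its metadata, and would make a later change (decoding once, case handling) apply everywhere. Style only; behaviour is unchanged.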
/** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 14,31 **** */ ! function ida_008($requestInfo) { ! $requestInfo['info'] = "A 400 (Bad request) code was returned from the server.\n This may be an attemt to crash your server."; $requestInfo['risk'] = "medium"; $requestInfo['break'] = 0; $requestInfo['type'] = "Unknown"; ! if ($requestInfo['status'] == 400) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 14,33 ---- */ ! class ida_008 extends plugin { ! static public function checkRequest($requestInfo) { ! $requestInfo['info'] = "A 400 (Bad request) code was returned from the server.\n This may be an attemt to crash your server."; $requestInfo['risk'] = "medium"; $requestInfo['break'] = 0; $requestInfo['type'] = "Unknown"; ! if ($requestInfo['status'] == 400) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file Index: 002.php =================================================================== RCS file: /cvsroot/phpida/plugins/002.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** 002.php 19 Aug 2007 20:09:47 -0000 1.4 --- 002.php 21 Aug 2007 18:09:28 -0000 1.5 *************** *** 1,4 **** <?php ! /** * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen --- 1,4 ---- <?php ! /** $Id$ * This is Ida, Intrusion Detection for Apache * Copyright 2004 - 2006 by Audun Larsen *************** *** 13,18 **** * E-Mail: aud...@lk... */ ! ! function ida_002($requestInfo) { $requestInfo['info'] = "formmail.pl is a web2e-mail gateway.\n It has a vulnerability that allows unauthorized users to send spam anonymously.\n Someone was searching for a copy on your site and FOUND IT! Yuor should NOT use FormMail."; $requestInfo['risk'] = "medium"; --- 13,18 ---- * E-Mail: aud...@lk... */ ! 
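Review bot: `$requestInfo['status'] == 400` in `ida_008::checkRequest` is a loose comparison whose outcome depends on whether `status` arrives as an int or a string from the log parser, and PHP 8 changed the rules for comparing numbers with non-numeric strings. Casting at the comparison, `if ((int) $requestInfo['status'] === 400)`, pins the intent; the same applies to `$requestInfo['status']==200` in the last hunk of 002.php below.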
class ida_001 extends plugin { ! static public function checkRequest($requestInfo) { $requestInfo['info'] = "formmail.pl is a web2e-mail gateway.\n It has a vulnerability that allows unauthorized users to send spam anonymously.\n Someone was searching for a copy on your site and FOUND IT! Yuor should NOT use FormMail."; $requestInfo['risk'] = "medium"; *************** *** 24,33 **** $inString2 = strpos($requestInfo['request'], "formmail"); if (($inString !== false || $inString1 !== false || $inString2 !== false) && $requestInfo['status']==200) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! return $requestInfo; } ?> \ No newline at end of file --- 24,34 ---- $inString2 = strpos($requestInfo['request'], "formmail"); if (($inString !== false || $inString1 !== false || $inString2 !== false) && $requestInfo['status']==200) { ! $requestInfo[0] = 1; } else { ! $requestInfo[0] = 0; } ! ! self::$res = $requestInfo; ! } } ?> \ No newline at end of file |
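Review bot: The converted class in 002.php is declared as `class ida_001 extends plugin`, which does not match this file's number and presumably clashes with the class 001.php declares; revision 1.7 at the top of this page corrects it to `ida_002`. A comment next to the declaration, `// class name must match the plugin file number`, would make the convention obvious the next time a plugin is created by copying this file.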