###############################
#
# Defines
#
###############################
# Identifier of this rule set. It reads like a date stamp (2025-09-25) but the
# consumer decides its meaning; bump it whenever rules change so deployed
# engines can tell the sets apart.
signs: 250925
# Hooked PHP function -> single op letter. Every observed call is reduced to the
# letter mapped here and the rule / fp_rule "detection" patterns further down
# are written against the resulting letter string (compare the check_right
# samples such as "f|o|s|o|f|a1,1"). The key is spelled "preffix" in this
# file; it is what the consumer reads, so do not "correct" it without changing
# the reader as well.
#
# Letters that the "groups" table names: e (exec), u (include/curl), f (file),
# s (string ops), o (decode/obfuscation), g (mail/sockets), m (mysqli).
# Upper-case letters (E, F, U, N) are used by rules below but are not defined
# in this table; presumably the engine emits them for a "dangerous argument"
# variant of the same call (the "danger" list looks related) -- confirm against
# the engine before relying on that reading.
#
# NOTE(review): pcntl_exec (d), create_function (r) and call_user_func (t)
# get a letter here but are absent from both "danger" and "writeloggers";
# popen is in the e-group but is also missing from "writeloggers".
preffix:
- e: exec
- e: system
- e: passthru
- e: shell_exec
- e: proc_open
- e: popen  # e-group, but not listed under writeloggers below
- u: include
- u: include_once
- u: require
- u: require_once
- u: curl_init
- u: curl_exec
- u: curl_multi_exec
- f: file_get_contents
- f: file_put_contents
- f: fopen
- f: fwrite
- f: symlink
- f: move_uploaded_file
- f: copy
- n: header  # rule 10099 blocks on the upper-case N form of this call
- s: preg_replace
- s: trim
- s: str_replace
- s: rawurldecode
- o: base64_decode
- o: gzinflate
- o: gzdeflate
- o: str_rot13
- g: mail
- g: fsockopen
- g: socket_connect
- g: stream_socket_client
- g: pfsockopen
- d: pcntl_exec  # process execution sink; not in danger/writeloggers (review)
- h: register_shutdown_function
- i: register_tick_function
- k: mysql_query  # legacy mysql_*; the "sql" group below covers m only
- l: assert
- m: parse_ini_file
- m: mysqli_query
- p: show_source
- q: eval
- r: create_function
- t: call_user_func
- y: set_exception_handler
- v: openssl_decrypt
- w: strrev
- x: gzuncompress
# Human-readable aliases for op letters (for rule authoring / reporting;
# the consumer defines the exact use). Only seven letters are grouped: the
# "sql" group is mysqli_query (m) only -- mysql_query (k) belongs to no
# group -- and d, h, i, l, p, q, r, t, v, w, x, y have no group at all.
# Note "m" also carries parse_ini_file in the table above, so "sql" is not
# purely SQL.
groups:
- obf_ops: o
- string_ops: s
- exec: e
- url: u
- file: f
- mail: g
- sql: m
# Functions the engine treats as dangerous sinks. Their exact effect is
# defined by the consumer, not here; the upper-case detection letters used by
# rules below may be derived from this list (unverified).
#
# NOTE(review): pcntl_exec, create_function and call_user_func are mapped in
# "preffix" but not listed here although they are code/process-execution
# sinks; mysql_query is likewise absent while mysqli_query is present.
# Whether adding them is safe depends on what this list gates -- check the
# engine before extending it.
danger:
- include
- include_once
- require
- require_once
- curl_init
- curl_exec
- curl_multi_exec
- file_get_contents
- file_put_contents
- move_uploaded_file
- header
- copy
- fopen
- fwrite
- symlink
- exec
- system
- passthru
- shell_exec
- proc_open
- popen
- assert
- eval
- mail
- fsockopen
- socket_connect
- stream_socket_client
- pfsockopen
- mysqli_query
# Exec-family functions whose calls are written to the log (the name suggests
# this; the consumer defines it). popen is in the e-group in "preffix" but is
# missing here, and pcntl_exec is missing as well -- if this list gates
# logging, a popen()/pcntl_exec()-based shell would be classified but not
# logged. Confirm whether that is intended.
writeloggers:
- exec
- passthru
- shell_exec
- proc_open
- system
fp_rules:
###############################
#
# False Positives for Blamer
#
###############################
#
# Each fp_rule names a script file (matched by path; whether the engine uses
# suffix, substring or exact matching is not visible here) and the op-letter
# pattern ("detection"; a regex, see fp_id 93) that is NOT to be reported
# when it originates from that file. check_right / check_wrong are self-test
# samples: the first must match "detection", the second must not.
# Rules opt out of this list with "check_fp: no"; rule 11 shows a per-rule
# allow list via "check_fp_list: <fp_id,...>".
#
# SECURITY NOTE(review): suppression is by file name only -- there is no
# hash, signature or vendor check behind it. Several entries are short,
# generic names (cloner.php, kickstart.php, pclzip.php, lib/Parser.php,
# Jobs/Files.php, sucuri-cleanup.php, tmp_aps_scripts/configure). A dropper
# saved under one of these names would have its "f" ops suppressed for every
# rule that honours fp rules (e.g. 10006 and 10066 below have no
# "check_fp: no"). Prefer full plugin-relative paths, pair the name with a
# content hash where the engine supports it, and keep BLOCK rules on
# "check_fp: no" as most of them already are.
#
# If matching is suffix-based, fp_id 163 subsumes fp_id 10 and fp_id 170
# subsumes fp_id 168 (same file, shorter path).
#
# Ai-Bolit
#
- fp_rule:
# Blamer
filename: wp-admin/includes/class-wp-filesystem-direct.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 2
- fp_rule:
# Blamer
filename: wp-includes/functions.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 3
- fp_rule:
# Blamer
filename: backwpup/inc/class-create-archive.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 4
- fp_rule:
# Blamer
filename: wordfence/lib/wfUtils.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 5
- fp_rule:
# Blamer
filename: wordfence/lib/wordfenceHash.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 6
- fp_rule:
# Blamer
filename: wp-includes/class-wp-theme.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 7
- fp_rule:
# Blamer
filename: includes/class/template.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 8
- fp_rule:
# Blamer
# Plesk WP Toolkit (absolute path); see also the generic fp_id 163.
filename: /usr/local/psa/admin/plib/modules/wp-toolkit/vendor/wp-cli/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php
detection: u
check_right: "u"
check_wrong: "v"
fp_id: 10
- fp_rule:
# Blamer
filename: /usr/local/psa/admin/plib/modules/wp-toolkit/vendor/wp-cli/vendor/wp-cli/wp-config-transformer/src/WPConfigTransformer.php
detection: u
check_right: "u"
check_wrong: "v"
fp_id: 11
- fp_rule:
# Blamer
filename: litespeed-cache/src/file.cls.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 12
#
# WP Plugins
#
- fp_rule:
filename: wp-content/plugins/WPSecurity/load.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 43
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/settings-hardening.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 48
- fp_rule:
# Blamer
filename: wp-content/plugins/wp-fastest-cache/inc/cache.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 49
- fp_rule:
# Blamer
filename: wp-content/plugins/wp-fastest-cache/wpFastestCache.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 50
- fp_rule:
# Blamer
filename: wp-content/plugins/comet-cache/src/includes/traits/Shared/CacheLockUtils.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 51
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Cache_File.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 52
- fp_rule:
# Blamer
filename: wp-content/plugins/wp-super-cache/wp-cache.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 53
- fp_rule:
# Blamer
filename: wp-content/plugins/cache-enabler/inc/cache_enabler_disk.class.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 54
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Generic_Environment.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 55
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/event.lib.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 56
- fp_rule:
# Blamer
filename: wp-content/plugins/cache-enabler/inc/cache_enabler.class.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 57
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/hardening.lib.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 58
- fp_rule:
# Blamer
filename: wp-content/plugins/comet-cache/src/includes/traits/Plugin/InstallUtils.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 59
- fp_rule:
# Blamer
filename: wp-content/plugins/wp-super-cache/wp-cache-phase2.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 60
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/cache.lib.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 61
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Util_Rule.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 62
- fp_rule:
# Blamer
filename: wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 63
- fp_rule:
# Blamer
# The only entry that suppresses exec-family (e) ops. BLOCK rule 10049 (E)
# has "check_fp: no" and is therefore unaffected by this suppression.
filename: wp-content/plugins/sucuri-scanner/src/command.lib.php
detection: e
check_right: "e"
check_wrong: "f"
fp_id: 64
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Util_WpFile.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 65
- fp_rule:
# Blamer
filename: wp-content/plugins/hyper-cache/plugin.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 66
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/lib/Minify/Minify/Cache/File.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 68
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/lastlogins.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 69
- fp_rule:
# Blamer
filename: wp-content/plugins/wp-fastest-cache/inc/admin.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 70
- fp_rule:
# Blamer
filename: wp-content/plugins/wordfence/lib/wfConfig.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 71
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Util_File.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 72
- fp_rule:
# Blamer
filename: wp-content/plugins/w3-total-cache/Cache_File_Generic.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 73
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/option.lib.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 74
- fp_rule:
# Blamer
filename: wp-content/plugins/sucuri-scanner/src/lastlogins-failed.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 75
- fp_rule:
filename: wp-content/plugins/backup/public/cron/cron.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 76
- fp_rule:
# Wordfence 3rd
# The only entry that also suppresses the upper-case F form.
filename: wp-content/plugins/wordfence/lib/wordfenceScanner.php
detection: f|F
check_right: "f|F"
check_wrong: "v"
fp_id: 84
- fp_rule:
# Blamer
#
# Save rules, logs and backups to files
#
filename: webanalyze/firewall/firewall.class.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 85
- fp_rule:
# Blamer
#
# Read and write cache data
#
filename: smarty/sysplugins/smarty_internal_write_file.php
detection: f
check_right: "f"
check_wrong: "v"
fp_id: 91
- fp_rule:
# Blamer
#
# Write cache to files
#
# "detection" is a regex here: f followed (lazily) by k.
filename: lib/PEAR/Cache_Lite/Lite.php
detection: f.*?k
check_right: "fk"
check_wrong: "gk"
fp_id: 93
- fp_rule:
# WPCP
# Bare file name: any script called cloner.php anywhere is suppressed.
filename: cloner.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 110
- fp_rule:
# WPCP
filename: lib/snaplib/class.snaplib.u.io.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 111
- fp_rule:
# WPCP
filename: lib/private/Files/Storage/Local.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 112
- fp_rule:
# WPCP
# Bare file name (Akeeba Kickstart); see the security note at the top.
filename: kickstart.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 114
- fp_rule:
# WPCP
# elFinder-based file managers (115-117): if the plugin's connector is
# exploited, the resulting writes originate inside these drivers and will
# not be seen by rules that honour fp rules -- accepted risk, or tighten.
filename: wp-file-manager/lib/php/elFinderVolumeDriver.class.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 115
- fp_rule:
# WPCP
filename: file-manager-advanced/application/library/php/elFinderVolumeDriver.class.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 116
- fp_rule:
# WPCP
filename: file-manager-advanced/application/library/php/elFinderVolumeLocalFileSystem.class.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 117
- fp_rule:
# WPCP
filename: wordfence/lib/wordfenceClass.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 118
- fp_rule:
# WPCP
# Bare file name; pclzip.php is bundled by many plugins and is an easy name
# for a dropper to borrow.
filename: pclzip.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 119
- fp_rule:
# WPCP
filename: bitrix/modules/main/lib/io/file.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 121
- fp_rule:
# WPCP
filename: codeigniter/system/helpers/file_helper.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 122
- fp_rule:
# WPCP
filename: clone_controller/class-pclzip.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 124
- fp_rule:
# WPCP
filename: akeebabackupwp/app/restore.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 125
- fp_rule:
# WPCP
# Same core file as fp_id 2 with a shorter path; BLOCK rule 10056 keys on
# this file name with "check_fp: no", so it is not weakened by this entry.
filename: admin/includes/class-wp-filesystem-direct.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 128
- fp_rule:
# WPCP
filename: classes/softaculous.tar.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 131
- fp_rule:
# WPCP
# Short generic path; fp_id 145 carries the full TYPO3 path for the same file.
filename: Utility/GeneralUtility.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 133
- fp_rule:
# WPCP
# Very generic path -- many unrelated code bases have a lib/Parser.php.
filename: lib/Parser.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 135
- fp_rule:
# WPCP
filename: archiveLib/pclzip.class.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 136
- fp_rule:
# WPCP
# Very generic path.
filename: Jobs/Files.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 140
- fp_rule:
# WPCP
filename: typo3/sysext/core/Classes/Utility/GeneralUtility.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 145
- fp_rule:
# WPCP
filename: plugins/faf/filters/image_filters.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 146
- fp_rule:
# WPCP
# Bare file name.
filename: sucuri-cleanup.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 147
- fp_rule:
# WPCP
filename: modules/boost/boost.module
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 148
- fp_rule:
# WPCP
filename: libs/Snap/SnapIO.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 153
- fp_rule:
# WPCP
filename: /duplicator/classes/package/class.pack.database.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 158
- fp_rule:
# WPCP
filename: /duplicator-pro/src/Libs/Snap/SnapIO.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 159
- fp_rule:
# WPCP
filename: ctrls/classes/class.ctrl.extraction.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 162
- fp_rule:
# WPCP
# Generic form of fp_id 10 (suppresses u ops, i.e. include/curl, for WP-CLI).
filename: wp-cli/php/WP_CLI/Runner.php
detection: u
check_right: "u"
check_wrong: "g"
fp_id: 163
- fp_rule:
# WPCP
filename: bulletproof-security/includes/functions.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 166
- fp_rule:
# WPCP
filename: wp-includes/SimplePie/Cache/File.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 167
- fp_rule:
# https://cloudlinux.atlassian.net/browse/DEFA-4606
filename: plugins/all-in-one-wp-security-and-firewall/classes/wp-security-backup.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 168
- fp_rule:
# https://cloudlinux.atlassian.net/browse/DEFA-4612
filename: plugins/ewww-image-optimizer/common.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 169
- fp_rule:
# Same file as fp_id 168 without the plugins/ prefix (no ticket reference).
filename: all-in-one-wp-security-and-firewall/classes/wp-security-backup.php
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 170
- fp_rule:
# Extensionless script name; no ticket reference -- verify its origin.
filename: tmp_aps_scripts/configure
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 172
- fp_rule:
# A .bin file performing PHP file ops is unusual and there is no ticket
# reference; verify the origin before keeping this suppression.
filename: app/sdks/archiveLib/bin/data.bin
detection: f
check_right: "f"
check_wrong: "g"
fp_id: 173
# Rule groups referenced by "group_id" in the rules below. Group 1 (the test
# detectors, ids 1-11) is disabled; group 2 holds every production rule.
# "enabled: yes/no" are YAML 1.1 booleans -- a YAML 1.2 parser would read
# them as strings, so keep this spelling in sync with the consumer's parser
# (the rules below use the same yes/no spelling for "check_fp", except test
# rule 6 which uses 0).
rules_group:
- group:
group_id: 1
group_name: Test rules. Should be disabled for production server
app_name_id: 0
enabled: no
- group:
group_id: 2
group_name: Common rules for all applications
app_name_id: 0
enabled: yes
rules:
###############################
#
# Test rules
#
###############################
#
# Rule fields, as far as this file shows them:
#   detection    pattern over the op-letter string. With no prefix it is a
#                regex (escaped \| is a literal separator, bare | alternation,
#                see rule 3); "s:" appears to be a substring test; "c:<letter>"
#                keys on the letter of the current call and is combined with
#                funcname / file_op_name / script_ext / check_buf filters.
#                "a<n>,<m>" tokens are ANYOP(n,m) per the comment at rule 4.
#   check_right / check_wrong   self-test samples: must match / must not match.
#   check_buf    "s:<?php" -- tests the script buffer; "r:" form is a regex.
#   check_ext / script_ext      script file extension or name ("s:" / "r:").
#   check_fp     no/0 disables the fp_rules allowlist for this rule;
#                check_fp_list restricts it to the listed fp_ids.
#   danger_files semantics not visible here (values 0,1 and 10056 appear).
#   level        severity; action BLOCK stops the call, otherwise log only.
# These rules belong to group 1, which is disabled in rules_group.
#
# NOTE(review): rules 6 and 7 use identical check_right and check_wrong
# samples, so a plain pattern self-test cannot pass one and fail the other;
# presumably the "wrong" case is meant to fail on the extra condition
# (check_fp for 6, check_buf/check_ext for 7) -- verify with the loader.
- rule:
id: 1
description:
Test detector 1
detection: e\|((a[0-9],[0-9]\|?)+)?(o\|?)+
check_right: "e|ooo|oo|o|o|ooo|o|oo|oo|ooo|oo|o|oo|o|o|o|o|ooo|o|oo|oooooo|oo|ooo|o|o|oo|oo|o|o|o|o|o|oo|o|"
check_wrong: "e|koo|oo|o|o|koo|o|oo|oo|ooo|oo|o|oo|o|o|o|o|ooo|o|oo|oooooo|oo|ooo|o|o|oo|oo|o|o|o|o|o|oo|o|"
level: 1
group_id: 1
- rule:
id: 2
description:
Test detector 2
detection: E\|((a[0-9],[0-9]\|?)+)?(s\|?)+
check_right: "E|ss|s|ss|ssss|s|s|s|ss|ss|ss|s|s|"
check_wrong: "|vs|s|ss|ssss|s|s|s|ss|ss|ss|s|s|"
level: 1
group_id: 1
- rule:
id: 3
description:
Test detector 3
detection: u\|((a[0-9],[0-9]|s)\|?)+(o\|)+
check_right: "u|a1,8|o|o|o|o|o|"
check_wrong: "u|a10,8|o|o|o|o|o|"
level: 1
group_id: 1
# file obf_ops string_ops obf_ops file ANYOP(1,1)
- rule:
id: 4
description:
Test detector 4
detection: f\|o\|s\|o\|f\|a1,1
check_right: "f|o|s|o|f|a1,1"
check_wrong: "f|o|s|o|f|a2,1"
level: 1
group_id: 1
- rule:
id: 5
description:
Test detector 5
detection: s:f|s|o|s|o|f
check_right: "f|s|o|s|o|f"
check_wrong: "f|s|o|s|o|d"
check_buf: s:<?php
level: 1
group_id: 1
- rule:
id: 6
description:
Test detector 6
detection: s:f|o|s|o|s|o|f
check_right: "f|o|s|o|s|o|f"
check_wrong: "f|o|s|o|s|o|f"
check_fp: 0
level: 1
group_id: 1
- rule:
id: 7
description:
Test detector 7
detection: s:f|s|o|s|o|s|o|f
check_right: "f|s|o|s|o|s|o|f"
check_wrong: "f|s|o|s|o|s|o|f"
check_buf: s:<?php
check_ext: php
level: 1
group_id: 1
- rule:
id: 8
description:
Test detector 8
detection: s:u|q|l|s|q
check_right: "u|q|l|s|q"
check_wrong: "f|s|o|s|o|s|o|f|a2,1"
script_ext: s:.ico
level: 1
group_id: 1
- rule:
id: 9
description:
Test detector 9
detection: c:u
check_right: "u"
check_wrong: "f"
script_ext: r:\.ico([0-9])test$
level: 1
group_id: 1
- rule:
id: 10
description:
Test detector 10
detection: ^f
check_right: "f|q|l|s|a2,2"
check_wrong: "u|s|o|s|o|s|o|f|a2,1"
danger_files: 0,1
level: 1
group_id: 1
- rule:
id: 11
description:
Test detector 11
detection: f\|s\|o\|s\|o\|s\|o\|s\|o\|f\|a1,1
check_right: "f|s|o|s|o|s|o|s|o|f|a1,1"
check_wrong: "f|s|o|s|o|s|o|f|a2,1"
check_buf: s:<?php
check_ext: php
level: 1
group_id: 1
check_fp_list: 2,3,4,5
###############################
#
# Blocking Rules
#
###############################
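# Hidden ".<name>.ico" files are a well-known carrier for PHP payloads that a
# dropped loader pulls in via include(). check_fp: no -- fp allowlist ignored.
# NOTE(review): only "include" is hooked here although the u letter also
# covers include_once/require/require_once; confirm with the engine whether
# those should be listed in funcname as well.
- rule:
id: 10000
description:
Block including ico files
detection: c:u
check_right: "u"
check_wrong: "e"
file_op_name: r:\/\.[a-z0-9A-Z]{1,20}\.ico$
check_fp: no
funcname: include
action: BLOCK
level: 10
group_id: 2
# The path regex is unanchored at the start, so any path containing
# "etc/shadow" or "etc/passwd" (one optional directory in between) matches;
# gshadow and backup copies such as shadow- do not. This rule honours the
# fp_rules allowlist (no check_fp: no), so a script named like an allowlisted
# file is exempt -- review whether that is intended for a /etc/shadow access.
- rule:
id: 10006
description:
Access to shadow file
detection: c:f
check_right: "f"
check_wrong: "g"
file_op_name: r:etc\/([^\/]+\/)?(shadow|passwd)$
funcname: file_put_contents,fopen,fwrite,file_get_contents
action: BLOCK
level: 10
group_id: 2
# DEFA-2409 rule contactemail/info
# cPanel keeps the account contact address in ~/.contactemail / ~/.contactinfo;
# rewriting it from a web script is a common account-takeover step (password
# reset goes to the attacker). Honours the fp allowlist.
- rule:
id: 10011
description:
cpanel hack via contactxxx
detection: c:f
check_right: "f"
check_wrong: "v"
file_op_name: r:\.?contact(info|email)$
funcname: file_put_contents,fopen,copy,fwrite
action: BLOCK
level: 10
group_id: 2
# Two entries share id 10047: the u-variant (curl_* calls) and the f-variant
# (file_* calls) from a script whose name ends in an image extension. That is
# fine if the engine keys on position, but any id-based lookup, dedup or
# check_fp_list will only see one of them -- use distinct ids if the engine
# allows it. Same for the 10048 pair below.
# FIX(review): the self-test sample of the u-variant was "f", which cannot
# match a "c:u" detection (compare rule 10000 / test rule 9); corrected to "u".
# Only curl_init/curl_exec in funcname can produce a u letter; the file_*
# names in this funcname list are matched by the f-variant below.
- rule:
id: 10047
description:
malware drop attempt from pic files
detection: c:u
check_right: "u"
check_wrong: "g"
script_ext: r:\.(ico|png|jpg|gif)$
funcname: file_get_contents,file_put_contents,fopen,fwrite,curl_init,curl_exec
action: BLOCK
check_fp: no
level: 10
group_id: 2
- rule:
id: 10047
description:
malware drop attempt from pic files
detection: c:f
check_right: "f"
check_wrong: "g"
script_ext: r:\.(ico|png|jpg|gif)$
funcname: file_get_contents,file_put_contents,fopen,fwrite,curl_init,curl_exec
action: BLOCK
check_fp: no
level: 10
group_id: 2
# Upper-case U / F / E: presumably the "dangerous argument" form of the call
# (not defined in "preffix"; confirm with the engine). No path or extension
# filter -- the letter alone triggers the block.
- rule:
id: 10048
description:
Malware drop/interaction blocked
detection: c:U
check_right: "U"
check_wrong: "e"
check_fp: no
action: BLOCK
funcname: curl_exec
level: 10
group_id: 2
- rule:
id: 10048
description:
Malware drop/interaction blocked
detection: c:F
check_right: "F"
check_wrong: "e"
check_fp: no
action: BLOCK
funcname: file_get_contents
level: 10
group_id: 2
# No funcname filter: any E call is blocked regardless of which exec-family
# function produced it.
- rule:
id: 10049
description:
Malware drop/interaction blocked
detection: c:E
check_right: "E"
check_wrong: "s"
check_fp: no
action: BLOCK
level: 10
group_id: 2
# Keys on the WordPress direct-filesystem class writing files. danger_files
# here carries the rule's own id (test rule 10 uses "0,1"); the meaning of
# that field is not visible in this file.
- rule:
id: 10056
description:
Malicious theme/plugin installation attempt
detection: c:f
check_right: "f"
check_wrong: "g"
script_ext: s:class-wp-filesystem-direct.php
danger_files: 10056
check_fp: no
funcname: fopen,fwrite
action: BLOCK
level: 10
group_id: 2
# alfacgiapi/{perl,bash,py}.alfa is the on-disk fingerprint of a known
# webshell family. FIX(review): added check_fp: no, in line with the other
# known-malicious-path BLOCK rules (10000, 10047) -- no allowlisted plugin
# has a reason to write this path, and without it a dropper named like an
# fp_rules entry (e.g. pclzip.php) was exempt.
- rule:
id: 10066
description:
Block malware drop
detection: c:f
check_right: "f"
check_wrong: "g"
funcname: fopen,fwrite,file_put_contents,file_get_contents
file_op_name: r:alfacgiapi\/(perl|bash|py)\.alfa
check_fp: no
action: BLOCK
level: 10
group_id: 2
# Blocks header() redirects (N form) whose argument starts with
# "Location: http". The pattern is literal: it needs exactly one whitespace
# char after the colon and an upper-case L, while HTTP header names are
# case-insensitive -- "location:http://..." would bypass it unless the engine
# matches case-insensitively. If inline flags are supported, something like
# r:(?i)location:\s*https? is tighter; verify before changing.
- rule:
id: 10099
description:
header BLOCK
detection: c:N
check_right: "N"
check_wrong: "g"
file_op_name: r:Location\:\shttp
check_fp: no
funcname: header
action: BLOCK
level: 10
group_id: 2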
###############################
# https://cloudlinux.atlassian.net/browse/DEFA-2899?focusedCommentId=190227
# Test BLOCK Rule for customers
#
###############################
# Customer-facing self-test: fetching the EICAR test file via
# file_get_contents is blocked so an admin can confirm the engine is active.
# The match is a literal string (s:), so only this exact https URL triggers
# it. level -10 keeps it out of normal severity accounting (consumer-defined).
- rule:
id: 77777
description:
Proactive Defence test BLOCK rule
detection: c:f
check_right: "f"
check_wrong: "g"
file_op_name: s:https://secure.eicar.org/eicar.com.txt
funcname: file_get_contents
action: BLOCK
level: -10
group_id: 2
###############################
#
# KILL Rules
#
###############################
###############################
#
# Logging Rules
#
###############################
# Log-only (no action): a script whose extension is NOT php/php<N>/pht/phtml/
# inc/htm/html writes a file whose name ends in .php/.php<N>/.pht/.phtml.
# script_ext takes everything after the last "." as the extension and forbids
# further dots, so a ".php" script under a dotted directory is still excluded.
# .phar and .phps appear on neither side of the rule. Honours the fp allowlist.
- rule:
id: 123591
description:
DEF-23591 - non-php drops php
detection: c:f
check_right: "f"
check_wrong: "g"
script_ext: r:[\s\S]*\.(?!(php\d?|pht(ml)?|inc|html?)$)([^.]+$)
file_op_name: r:[\s\S]*\.(?:php\d?|pht(ml)?)$
funcname: file_put_contents,fopen,fwrite
level: 10
group_id: 2
# Log-only: file_get_contents on an http(s)/ftp URL. Case-sensitive as
# written ("HTTP://" would not match unless the engine's regex is
# case-insensitive), and other remote/stream wrappers (ftps, php://, data:)
# are not covered; curl-based fetches are handled by 10048 instead.
- rule:
id: 131315
description:
external malware sources lookup
detection: c:f
check_right: "f"
check_wrong: "g"
file_op_name: r:^(https?|ftp)
funcname: file_get_contents
level: 5
group_id: 2
# Log-only: theme/plugin .zip upload through WordPress' own uploader.
# NOTE(review): check_buf is "s:<?php" elsewhere (script buffer prefix); a
# "\.zip$" regex only makes sense against a file name -- confirm what field
# the engine actually tests here.
- rule:
id: 131398
description:
themes/plugins upload
detection: c:f
check_right: "f"
check_wrong: "g"
script_ext: s:/wp-admin/includes/file.php
check_buf: r:\.zip$
check_fp: no
funcname: move_uploaded_file
level: 10
group_id: 2
# Log-only: WordPress copying files into wp-content/upgrade/ during a
# theme/plugin install or update.
- rule:
id: 141499
description:
themes/plugins upload
detection: c:f
check_right: "f"
check_wrong: "g"
script_ext: s:/wp-admin/includes/class-wp-filesystem-direct.php
file_op_name: r:\/wp-content\/upgrade\/
check_fp: no
funcname: copy
level: 10
group_id: 2
# Log-only, every g-letter call (mail and the socket functions in "preffix",
# not only mail() as the description says) with the fp allowlist disabled.
# Expect high volume on sites that send mail or open sockets routinely.
- rule:
id: 141501
description:
Log all events of mail function
detection: c:g
check_right: "g"
check_wrong: "f"
check_fp: no
level: 10
group_id: 2
|