# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://www.gnu.org/licenses/gpl.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - p (process running)
#             - d (any file inside the directory)
#
# Additional values:
# For the registry and for directories, use "->" to look for a specific entry and another
# "->" to look for the value.
# Also, use " -> r:^\. -> ..." to search all files in a directory
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
#                             r: (for ossec regexes)
#                             >: (for strcmp greater)
#                             <: (for strcmp  lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).

$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;

# PHP checks
[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = On;

# PHP checks
[PHP - Expose PHP is enabled] [any] []
f:$php.ini -> r:^expose_php = On;

# PHP checks
[PHP - Allow URL fopen is enabled] [any] []
f:$php.ini -> r:^allow_url_fopen = On;

# PHP checks
[PHP - Displaying of errors is enabled] [any] []
f:$php.ini -> r:^display_errors = On;

# PHP checks - consider open_basedir && disable_functions


## Looking for common web exploits (might indicate that you are owned).
## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
#[Web exploits - Possible compromise] [any] []
#d:$web_dirs -> .txt$ -> r:^<?php|^#!;

## Looking for common web exploits files (might indicate that you are owned).
## There are not specific, like the above.
## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
[Web exploits (uncommon file name inside htdocs) - Possible compromise  {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> ^.yop$;

[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> ^id$;

[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> ^.ssh$;

[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> ^...$;

[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> ^.shell$;

## Looking for outdated Web applications
## Taken from http://sucuri.net/latest-versions
[Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2';

[Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8';

[Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;

## Looking for known backdoors
[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode) {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;

[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST)) {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;

[Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;

[Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;
