# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: web-php.rules,v 1.7 2003/05/14 18:07:59 cazz Exp $
#--------------
# WEB-PHP RULES
#--------------

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; reference:bugtraq,4183; classtype:web-application-attack; sid:1423; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; reference:bugtraq,4183; sid:1425; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content: "SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; classtype:web-application-attack; sid:1737; rev:4;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; classtype:web-application-attack; sid:1739; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; classtype:web-application-attack; sid:1740; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; classtype:web-application-activity; sid:1741; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; classtype:web-application-attack; sid:1742; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; classtype:web-application-activity; sid:1743; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"\;"; reference:bugtraq,4278; reference:cve,CAN-2002-0434; classtype:misc-attack; sid:1815; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,CAN-2002-0434; classtype:misc-attack; sid:1816; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; classtype:web-application-attack; sid:1834; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; classtype:web-application-activity; sid:1997; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:nessus,11179; reference:bugtraq,5820; classtype:web-application-activity; sid:1998; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:nessus,11104; reference:cve,CVE-2001-1020; classtype:web-application-activity; sid:1999; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP external include path"; flow:established,to_server; uricontent:".php"; content:"path=http\://"; classtype:web-application-attack; sid:2002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:bugtraq,2271; reference:arachnids,205; classtype:attempted-recon; sid:1134; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent: "/passwd.php3"; reference:bugtraq,1149; reference:cve,CVE-2000-0322; reference:arachnids,272; classtype:attempted-recon; sid:1161; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase;  reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:bugtraq,2272; reference:arachnids,209; classtype:attempted-recon; sid:1179; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase;  reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; classtype:attempted-admin; sid:1300; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,7532; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; classtype:web-application-activity; reference:bugtraq,3982; sid:1407; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; content:"file=http\://"; nocase; reference:bugtraq,3889; classtype:web-application-attack; sid:1399; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase;  reference:bugtraq,2274; reference:arachnids,206; classtype:attempted-recon; sid:1137; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; reference:bugtraq,802; reference:arachnids,431; classtype:web-application-attack; sid:1085; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; classtype:web-application-attack; sid:1086; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; classtype:attempted-user; sid:1254; rev:6;)
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; classtype:attempted-user; sid:1255;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)