116 lines
4.0 KiB
Plaintext
116 lines
4.0 KiB
Plaintext
|
|
####################################
|
|
# INTERESTING PAGES / FILES
|
|
|
|
# Detect private keys
|
|
id:31001; sev:2; memo:"DSA private key"; \
|
|
mime:"text/plain"; \
|
|
content:"-----BEGIN DSA PRIVATE KEY-----"; depth:100;
|
|
id:31002; sev:2; memo:"RSA private key"; \
|
|
mime:"text/plain"; \
|
|
content:"-----BEGIN RSA PRIVATE KEY-----"; depth:100;
|
|
|
|
# SQL credentials
|
|
id:31003; sev:3; memo:"SQL configuration or logs"; \
|
|
content:'ADDRESS=(PROTOCOL=';
|
|
id:31004; sev:3; memo:"ODBC connect string"; \
|
|
content:";pwd="; \
|
|
content:";database="; depth:512;
|
|
id:31005; sev:3; memo:"ODBC connect string"; \
|
|
content:"Data Source="; \
|
|
content:";Password="; depth:512;
|
|
id:31006; sev:3; memo:"ODBC connect string"; \
|
|
content:"Provider="; \
|
|
content:";Password="; depth:512;
|
|
id:31007; sev:3; memo:"ODBC connect string"; \
|
|
content:"Driver="; \
|
|
content:";Pwd="; depth:512;
|
|
|
|
# Crossdomain & access policy files
|
|
id:31008; sev:2; memo:"Flash cross-domain policy with wildcard"; \
|
|
content:"<cross-domain-policy>"; depth:512; \
|
|
content:'<allow-access-from domain="*"'; depth:50;
|
|
id:31009; sev:4; memo:"Silverlight cross-domain policy with wildcard"; \
|
|
content:"<access-policy>"; depth:512; \
|
|
content:'<domain uri="*"/>'; depth:512;
|
|
|
|
# Web.xml config file
|
|
id:31010; sev:3; memo:"web.xml config file"; \
|
|
content:"<web-app"; depth:512;
|
|
|
|
# SVN RCS data
|
|
id:31011; sev:3; memo:"SVN RCS data"; \
|
|
mime:"text/plain"; \
|
|
content:"svn:special svn"; depth:256;
|
|
id:31012; sev:3; memo:"SVN RCS data"; \
|
|
mime:"text/plain"; \
|
|
content:"SVN RCS data"; depth:256;
|
|
id:31018; sev:3; memo:"SVN entries file"; \
|
|
mime:"text/plain"; \
|
|
content:"10"; depth:1; \
|
|
content:"dir"; depth:4;
|
|
|
|
|
|
# Log files
|
|
id:31013; sev:3; memo:"Apache access log"; \
|
|
content:"0] \"GET /"; depth:1024;
|
|
id:31014; sev:3; memo:"Apache error log"; \
|
|
content:"[error] [client "; depth:1024;
|
|
id:31015; sev:3; memo:"Microsoft IIS access log"; \
|
|
content:"0, GET, /"; depth:1024;
|
|
|
|
# Generic robots.txt file
|
|
id:31016; sev:4; memo:"robots.txt file"; \
|
|
content:"User-agent:"; depth:100; \
|
|
content:"Disallow: /";
|
|
|
|
# Libcurl cookie files are created by some PHP apps (e.g. wordpress plugins)
|
|
id:31017; sev:3; memo:"libcurl cookie jar"; \
|
|
mime:"text/plain"; \
|
|
content:"# Netscape HTTP Cookie File"; depth:10; \
|
|
content:"# This file was generated by libcurl"; depth:200;
|
|
|
|
# Signatures to detect SQL dumps
|
|
id:31101; sev:2; memo:"MySQL dump database file"; \
|
|
mime:"text/plain"; \
|
|
content:"-- MySQL dump"; depth:1; \
|
|
content:"-- Host"; depth:256; \
|
|
content:"-- Server version";
|
|
id:31103; sev:2; memo:"phpMyAdmin database dump file"; \
|
|
mime:"text/plain"; \
|
|
content:" phpMyAdmin SQL Dump"; depth:3; \
|
|
content:" version"; \
|
|
content:"CREATE TABLE";
|
|
id:31104; sev:2; memo:"SQL script detected"; \
|
|
mime:"text/plain"; \
|
|
content:"DECLARE @"; \
|
|
content:"SET @"; \
|
|
content:"(SELECT|INSERT|DELETE|BACKUP|CREATE)"; type:"regex"; depth:1024;
|
|
|
|
# Source code and scripts
|
|
id:32001; sev:3; memo:"Java source"; \
|
|
content:"\nimport java."; depth:512;
|
|
id:32002; sev:3; memo:"C/C++ source"; \
|
|
content:"\n#include"; depth:512;
|
|
id:32003; sev:3; memo:"Shell script"; \
|
|
content:"#!/"; depth:1;
|
|
id:32004; sev:3; memo:"PHP source"; \
|
|
content:!"# ?>"; \
|
|
content:!"<?import"; \
|
|
content:"<?"; \
|
|
content:!"xml"; depth:1; \
|
|
content:"?>";
|
|
id:32005; sev:3; memo:"JSP source"; \
|
|
content:"<%@"; \
|
|
content:"%>";
|
|
id:32006; sev:3; memo:"ASP source"; \
|
|
content:"<%"; \
|
|
content:"%>";
|
|
|
|
# These two need to be improved!
|
|
id:32007; sev:3; memo:"DOS batch script"; \
|
|
content:"@echo "; depth:256;
|
|
id:32008; sev:3; memo:"Windows shell script"; \
|
|
content:"(\"Wscript."; depth:256;
|
|
|