Custom graudit signatures

Writing your own graudit signatures is relatively easy. Each line of a database is one extended regular expression that graudit hands to grep, so mastering regular expressions helps, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and documentation for writing signatures is just around the corner. Until then, I thought I would share some of the databases I use when I am looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.

fruit.db:
# PHP-fruit signatures
exec\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
system\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
popen\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
shell_exec\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
passthru\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
header\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
`.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*`
eval\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
include\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
include_once\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
require\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
require_once\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
fopen\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
unserialize\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
mysql_query\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
(WHERE|where)\s+.*=.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)[^; ]+
(LIKE|like)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
(ORDER BY|order by)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
(LIMIT|limit)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
# Perl-fruit signatures
exec\s*\(?.*\$ARGV.*\)?
exec\s*\(?.*\$.*->param\s*\(.*\).*\)?
system\s*\(?.*\$ARGV.*\)?
system\s*\(?.*\$.*->param\s*\(.*\).*\)?
`.*\$ARGV.*`
`.*\$.*->param\s*\(.*\).*`
eval\s*\(?.*\$ARGV.*\)?
eval\s*\(?.*\$.*->param\s*\(.*\).*\)?
use\s+.*\$ARGV.*
use\s+.*\$.*->param\s*\(.*\).*
(WHERE|where)\s+.*=.*\$.*->param\s*\(.*\)
(LIKE|like)\s+.*\$.*->param\s*\(.*\)
(ORDER BY|order by)\s+.*\$.*->param\s*\(.*\)
(LIMIT|limit)\s+.*\$.*->param\s*\(.*\)

exec.db:
exec *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
system *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
popen *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
shell_exec *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
passthru *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
header *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)
`.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*`
eval *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)
(include|require)(_once)? *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
move_uploaded_file *\(.*\)

includes.db:
(include|require)(_once)? *\(.*\$.*\)
And for those who didn't download the graudit-1.7_src release, I am including sql.db:
# DotNet SQL
exec\s*sp_executesql
execute\s*sp_executesql
exec\s*sp_
execute\s*sp_
exec\s*xp_
execute\s*xp_
exec\s*@
execute\s*@
executestatement
executeSQL
setfilter
executeQuery
GetQueryResultInXML
adodb
sqloledb
sql\s*server
driver
Server\.CreateObject
\.Provider
\.Open
ADODB.recordset
New\s*OleDbConnection
ExecuteReader
DataSource
SqlCommand
Microsoft.Jet
SqlDataReader
GetString
SqlDataAdapter
CommandType
StoredProcedure
System\.Data\.sql
# PHP - Database
mysql_connect\s*\(.*\$.*\)
mysql_pconnect\s*\(.*\$.*\)
mysql_change_user\s*\(.*\$.*\)
mysql_query\s*\(.*\$.*\)
mysql_error\s*\(.*\$.*\)
mysql_set_charset\s*\(.*\$.*\)
mysql_unbuffered_query\s*\(.*\$.*\)
pg_connect\s*\(.*\$.*\)
pg_pconnect\s*\(.*\$.*\)
pg_execute\s*\(.*\$.*\)
pg_insert\s*\(.*\$.*\)
pg_put_line\s*\(.*\$.*\)
pg_query\s*\(.*\$.*\)
pg_select\s*\(.*\$.*\)
pg_send_query\s*\(.*\$.*\)
pg_set_client_encoding\s*\(.*\$.*\)
pg_update\s*\(.*\$.*\)
I do realize that there is some overlap between the databases, but that overlap mirrors the way the signatures are grouped: each database is looking for a certain category of vulnerability, so don't bother flaming me for that. I hope you enjoy the databases, and please let me know if you have any additions or find any bugs.
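Since graudit is essentially grep -E -n -f run over a source tree, a new database can be tried with plain grep before it goes anywhere near the signatures directory. The script below is an added example, not code from the original post or from graudit itself: it takes a small constructed subset of the fruit.db patterns above, runs them over a constructed PHP file, and shows the three things worth knowing before you write your own signatures: a sanitised sink still fires (noise), taint that crosses a statement boundary is invisible to a line-oriented pattern (a miss), and an unescaped $ in an extended regex is an end-of-line anchor, so a pattern like header *\(.*$_(GET... can never match anything. The .db subset, the sample file and the scan/hit_count helpers are all assumptions made here for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of graudit itself. graudit
# applies a database with grep -E -n -f, so a new signature file can be tried
# with plain grep first. The .db subset, the PHP sample and the function
# names below are all constructed for this illustration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed subset of fruit.db: a superglobal reaching a dangerous sink on
# the same line. The last entry is a bare word, the simplest kind of signature.
cat > "$WORK/fruit-subset.db" <<'EOF'
system\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
eval\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
include\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
(WHERE|where)\s+.*=.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)[^; ]+
move_uploaded_file
EOF

# Pitfall: in an extended regex an unescaped $ is an end-of-line anchor, so the
# first pattern can never match; the second is the escaped form you want.
cat > "$WORK/broken.db" <<'EOF'
header *\(.*$_(GET|POST|REQUEST|COOKIE).*\)
EOF
cat > "$WORK/fixed.db" <<'EOF'
header *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)
EOF

# Constructed PHP sample. Lines 2-7 are meant to fire; line 8 shows what a
# single-line signature cannot see; line 9 is only caught by fixed.db.
cat > "$WORK/sample.php" <<'EOF'
<?php
system("ping -c1 " . $_GET['host']);                          // command injection
system("ping -c1 " . escapeshellarg($_GET['host']));          // sanitised, still fires (noise)
eval("return " . $_POST['expr'] . ";");                       // code injection
include($_REQUEST['page'] . ".php");                          // file inclusion
$q = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'"; // SQL injection
move_uploaded_file($_FILES['f']['tmp_name'], "/var/www/up/" . $_FILES['f']['name']);
$host = $_GET['host']; system("ping -c1 " . $host);           // missed: taint crossed a statement
header("Location: " . $_GET['next']);                         // header injection / open redirect
EOF

# Run a database over a file the way graudit does.
scan() { grep -E -n -f "$1" "$2"; }

# Number of matching lines; prints 0 instead of failing when nothing matches.
hit_count() { grep -E -c -f "$1" "$2" || true; }

echo "== fruit-subset.db =="
scan "$WORK/fruit-subset.db" "$WORK/sample.php"
echo "broken header pattern: $(hit_count "$WORK/broken.db" "$WORK/sample.php") hit(s)"
echo "fixed header pattern:  $(hit_count "$WORK/fixed.db" "$WORK/sample.php") hit(s)"
```

The subset fires on lines 2 to 7 of the sample and stays silent on line 8, which is the trade the fruit databases make: by insisting that the superglobal and the sink share a line they throw away a lot of the noise from the full php ruleset, at the price of missing anything where the tainted value is first copied into a variable. The escaped and unescaped header patterns differ by a single backslash, and only the escaped one ever matches, which is exactly the kind of thing a quick grep run like this catches before a database is trusted.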
This weblog is licensed under a Creative Commons License.