Beta Branch update optional Nginx Modsecurity connector routine in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Dec 15, 2021.

  1. eva2000

    update optional Nginx Modsecurity connector routine in 123.09beta01

    - updated support for the optional Centmin Mod Nginx Modsecurity install, using the GCC 11 compiler if detected, when NGINX_MODSECURITY='y' is set in the persistent config file /etc/centminmod/custom_config.inc prior to Nginx compiles via centmin.sh menu option 4
    - after a centmin.sh menu option 4 nginx recompile with Modsecurity Nginx connector module support, only the main hostname's Nginx vhost is configured for Modsecurity at /usr/local/nginx/conf/conf.d/virtual.conf. You'll have to know how to properly configure Modsecurity for the rest of your Nginx vhost created sites yourself. No support is provided for Modsecurity other than its initial install on Centmin Mod Nginx.
    - update OWASP Modsecurity v3 Core Ruleset v3.3.0 to v3.3.2 https://github.com/coreruleset/coreruleset


    123.09beta01 branch
  2. eva2000

    Set in persistent config file /etc/centminmod/custom_config.inc

    Code (Text):
    NGINX_MODSECURITY='y'


    After a centmin.sh menu option 4 nginx recompile with Modsecurity Nginx connector module support, only the main hostname's Nginx vhost is configured for Modsecurity at /usr/local/nginx/conf/conf.d/virtual.conf. You'll have to know how to properly configure Modsecurity for the rest of your Nginx vhost created sites yourself. No support is provided for Modsecurity other than its initial install on Centmin Mod Nginx.

    The main hostname's Nginx vhost is configured for Modsecurity at /usr/local/nginx/conf/conf.d/virtual.conf

    Code (Text):
       modsecurity on;
       modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
    


    Contents of /usr/local/nginx/conf/dynamic-modules.conf, which loads the Nginx dynamic modules

    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persist, i.e. for manually dropped-in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_http_modsecurity_module.so";


    Contents of /usr/local/nginx/modsec/modsecurity.conf

    Code (Text):
    # -- Rule engine initialization ----------------------------------------------
    
    # Enable ModSecurity, attaching it to every transaction. Use detection
    # only to start with, because that minimises the chances of post-installation
    # disruption.
    #
    SecRuleEngine DetectionOnly
    
    
    # -- Request body handling ---------------------------------------------------
    
    # Allow ModSecurity to access request bodies. If you don't, ModSecurity
    # won't be able to see any POST parameters, which opens a large security
    # hole for attackers to exploit.
    #
    SecRequestBodyAccess On
    
    
    # Enable XML request body parser.
    # Initiate XML Processor in case of xml content-type
    #
    SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
        "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    
    # Enable JSON request body parser.
    # Initiate JSON Processor in case of JSON content-type; change accordingly
    # if your application does not use 'application/json'
    #
    SecRule REQUEST_HEADERS:Content-Type "application/json" \
        "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
    
    # Sample rule to enable JSON request body parser for more subtypes.
    # Uncomment or adapt this rule if you want to engage the JSON
    # Processor for "+json" subtypes
    #
    #SecRule REQUEST_HEADERS:Content-Type "^application/.+[+]json$" \
    #     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
    
    # Maximum request body size we will accept for buffering. If you support
    # file uploads then the value given on the first line has to be as large
    # as the largest file you are willing to accept. The second value refers
    # to the size of data, with files excluded. You want to keep that value as
    # low as practical.
    #
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    
    # What to do if the request body size is above our configured limit.
    # Keep in mind that this setting will automatically be set to ProcessPartial
    # when SecRuleEngine is set to DetectionOnly mode in order to minimize
    # disruptions when initially deploying ModSecurity.
    #
    SecRequestBodyLimitAction Reject
    
    # Verify that we've correctly processed the request body.
    # As a rule of thumb, when failing to process a request body
    # you should reject the request (when deployed in blocking mode)
    # or log a high-severity alert (when deployed in detection-only mode).
    #
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    
    # By default be strict with what we accept in the multipart/form-data
    # request body. If the rule below proves to be too strict for your
    # environment consider changing it to detection-only. You are encouraged
    # _not_ to remove it altogether.
    #
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:400, \
    msg:'Multipart request body failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
    
    # Did we see anything that might be a boundary?
    #
    # Here is a short description of the ModSecurity multipart parser: the
    # parser returns 0 if every "boundary-like" line matches the boundary
    # string given in the MIME header. In any other case it returns a
    # different value, e.g. 1 or 2.
    #
    # RFC 1341 describes the multipart content-type; its syntax must contain
    # only three mandatory lines (above the content):
    # * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
    # * --BOUNDARY_STRING
    # * --BOUNDARY_STRING--
    #
    # The first line indicates that this is multipart content, the second marks
    # the start of a part of the multipart content, the third marks the end of the content.
    #
    # If there are any other lines that start with "--", they may be
    # another boundary id - or not.
    #
    # Since 3.0.3 there are two kinds of boundary errors: strict and permissive.
    #
    # If the multipart content contains the three necessary lines in the correct
    # order, but there are one or more further lines starting with "--", the parser
    # returns 2 (non-zero).
    #
    # If some of the necessary lines (usually the start or end) are missing, or
    # the order is wrong, the parser returns 1 (also non-zero).
    #
    # You can choose which one you need. The example below uses 'strict' mode,
    # which means that if there are any lines starting with "--" then ModSecurity
    # blocks the content. The next, commented-out example uses 'permissive' mode,
    # which checks only that the necessary lines exist in the correct order. With
    # this you can allow uploads of PEM files (e.g. "----BEGIN..") or other text
    # files that contain e.g. HTTP headers.
    #
    # The only difference is the operator - in strict mode (first) the content is
    # blocked on any non-zero value. In permissive mode (second, commented out)
    # the content is blocked only if the value is exactly 1. If it is 0 or 2, the
    # content is allowed.
    #
    #
    
    #
    # See #1747 and #1924 for further information on the possible values for
    # MULTIPART_UNMATCHED_BOUNDARY.
    #
    SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
       "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
    
    
    # PCRE Tuning
    # We want to avoid a potential RegEx DoS condition
    #
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000
    
    # Some internal errors will set flags in TX and we will need to look for these.
    # All of these are prefixed with "MSC_".  The following flags currently exist:
    #
    # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
    #
    SecRule TX:/^MSC_/ "!@streq 0" \
           "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
    
    
    # -- Response body handling --------------------------------------------------
    
    # Allow ModSecurity to access response bodies.
    # You should have this directive enabled in order to identify errors
    # and data leakage issues.
    #
    # Do keep in mind that enabling this directive does increase both
    # memory consumption and response latency.
    #
    SecResponseBodyAccess On
    
    # Which response MIME types do you want to inspect? You should adjust the
    # configuration below to catch documents but avoid static files
    # (e.g., images and archives).
    #
    SecResponseBodyMimeType text/plain text/html text/xml
    
    # Buffer response bodies of up to 512 KB in length.
    SecResponseBodyLimit 524288
    
    # What happens when we encounter a response body larger than the configured
    # limit? By default, we process what we have and let the rest through.
    # That's somewhat less secure, but does not break any legitimate pages.
    #
    SecResponseBodyLimitAction ProcessPartial
    
    
    # -- Filesystem configuration ------------------------------------------------
    
    # The location where ModSecurity stores temporary files (for example, when
    # it needs to handle a file upload that is larger than the configured limit).
    #
    # This default setting is chosen because all systems have /tmp available; however,
    # this is less than ideal. It is recommended that you specify a location that's private.
    #
    SecTmpDir /tmp/
    
    # The location where ModSecurity will keep its persistent data.  This default setting
    # is chosen because all systems have /tmp available; however, it
    # too should be updated to a place that other users can't access.
    #
    SecDataDir /tmp/
    
    
    # -- File uploads handling configuration -------------------------------------
    
    # The location where ModSecurity stores intercepted uploaded files. This
    # location must be private to ModSecurity. You don't want other users on
    # the server to access the files, do you?
    #
    #SecUploadDir /opt/modsecurity/var/upload/
    
    # By default, only keep the files that were determined to be unusual
    # in some way (by an external inspection script). For this to work you
    # will also need at least one file inspection rule.
    #
    #SecUploadKeepFiles RelevantOnly
    
    # Uploaded files are by default created with permissions that do not allow
    # any other user to access them. You may need to relax that if you want to
    # interface ModSecurity to an external program (e.g., an anti-virus).
    #
    #SecUploadFileMode 0600
    
    
    # -- Debug log configuration -------------------------------------------------
    
    # The default debug log configuration is to duplicate the error, warning
    # and notice messages from the error log.
    #
    #SecDebugLog /opt/modsecurity/var/log/debug.log
    #SecDebugLogLevel 3
    
    
    # -- Audit log configuration -------------------------------------------------
    
    # Log the transactions that are marked by a rule, as well as those that
    # trigger a server error (determined by a 5xx or 4xx, excluding 404,
    # level response status codes).
    #
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    
    # Log everything we know about a transaction.
    SecAuditLogParts ABIJDEFHZ
    
    # Use a single file for logging. This is much easier to look at, but
    # assumes that you will use the audit log only occasionally.
    #
    SecAuditLogType Serial
    SecAuditLog /var/log/modsec_audit.log
    
    # Specify the path for concurrent audit logging.
    #SecAuditLogStorageDir /opt/modsecurity/var/audit/
    
    
    # -- Miscellaneous -----------------------------------------------------------
    
    # Use the most commonly used application/x-www-form-urlencoded parameter
    # separator. There's probably only one application somewhere that uses
    # something else so don't expect to change this value.
    #
    SecArgumentSeparator &
    
    # Settle on version 0 (zero) cookies, as that is what most applications
    # use. Using an incorrect cookie version may open your installation to
    # evasion attacks (against the rules that examine named cookies).
    #
    SecCookieFormat 0
    
    # Specify your Unicode Code Point.
    # This mapping is used by the t:urlDecodeUni transformation function
    # to properly map encoded data to your language. Properly setting
    # these directives helps to reduce false positives and negatives.
    #
    SecUnicodeMapFile unicode.mapping 20127
    
    # Improve the quality of ModSecurity by sharing information about your
    # current ModSecurity version and dependencies versions.
    # The following information will be shared: ModSecurity version,
    # Web Server version, APR version, PCRE version, Lua version, Libxml2
    # version, Anonymous unique id for host.
    SecStatusEngine On


    Test a ModSecurity rule in SecRuleEngine DetectionOnly mode with a custom rule in /usr/local/nginx/modsec/main.conf

    Code (Text):
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"


    Full contents of /usr/local/nginx/modsec/main.conf

    Code (Text):
    # Edit to set SecRuleEngine On
    Include "/usr/local/nginx/modsec/modsecurity.conf"
    
    # OWASP CRS v3 rules
    Include "/usr/local/nginx/coreruleset-3.3.2/crs-setup.conf"
    Include "/usr/local/nginx/coreruleset-3.3.2/rules/*.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"


    Code (Text):
    curl -I localhost?testparam=test


    Code (Text):
    tail -100 /var/log/modsec_audit.log
    ---sFFvIAv3---A--
    [13/Dec/2021:23:33:12 +0000] 1639438392 127.0.0.1 8484 127.0.0.1 80
    ---sFFvIAv3---B--
    HEAD /?testparam=test HTTP/1.1
    User-Agent: curl/7.29.0
    Host: localhost
    Accept: */*
    
    ---sFFvIAv3---D--
    
    ---sFFvIAv3---F--
    HTTP/1.1 200
    Server: nginx centminmod
    Server: nginx centminmod
    Date: Mon, 13 Dec 2021 23:33:12 GMT
    Content-Length: 4515
    Content-Type: text/html
    Last-Modified: Tue, 07 Dec 2021 06:14:45 GMT
    Connection: keep-alive
    ETag: "61aefbd5-11a3"
    X-Powered-By: centminmod
    
    ---sFFvIAv3---H--
    ModSecurity: Warning. Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/usr/local/nginx/modsec/main.conf"] [line "9"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1639438392"] [ref "o0,4v17,4"]
    
    ---sFFvIAv3---I--
    
    ---sFFvIAv3---J--
    
    ---sFFvIAv3---Z--


    Testing the OWASP Modsecurity v3 Core Ruleset (CRS). CRS recognizes requests from scanners, including Nikto, via the User-Agent header. The CRS comes preconfigured to block requests that carry the default User-Agent header for Nikto (Nikto).

    Code (Text):
    curl -H "User-Agent: Nikto" http://localhost


    Code (Text):
    tail -100 /var/log/modsec_audit.log
    
    [13/Dec/2021:23:34:14 +0000] 1639438454 127.0.0.1 8488 127.0.0.1 80
    ---i96FSzTK---B--
    GET / HTTP/1.1
    Host: localhost
    Accept: */*
    User-Agent: Nikto
    
    ---i96FSzTK---D--
    
    ---i96FSzTK---E--
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" snipped
    
    ---i96FSzTK---F--
    HTTP/1.1 200
    Server: nginx centminmod
    Server: nginx centminmod
    Date: Mon, 13 Dec 2021 23:34:14 GMT
    Content-Length: 4515
    Content-Type: text/html
    Last-Modified: Tue, 07 Dec 2021 06:14:45 GMT
    Connection: keep-alive
    ETag: "61aefbd5-11a3"
    X-Powered-By: centminmod
    
    ---i96FSzTK---H--
    ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `Nikto' ) [file "/usr/local/nginx/coreruleset-3.3.2/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev ""] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: nikto found within REQUEST_HEADERS:User-Agent: nikto"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/224/541/310"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1639438454"] [ref "o0,5v55,5t:lowercase"]
    ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1639438454"] [ref ""]
    
    ---i96FSzTK---I--
    
    ---i96FSzTK---J--
    
    ---i96FSzTK---Z--


    OWASP ModSecurity v3 Core Rule Sets listed in /usr/local/nginx/coreruleset-3.3.2/rules

    Code (Text):
    ls -Alh /usr/local/nginx/coreruleset-3.3.2/rules
    total 680K
    -rw-rw-r-- 1 root root  786 Jun 30 12:52 crawlers-user-agents.data
    -rw-rw-r-- 1 root root  551 Jun 30 12:52 iis-errors.data
    -rw-rw-r-- 1 root root  933 Jun 30 12:52 java-classes.data
    -rw-rw-r-- 1 root root  264 Jun 30 12:52 java-code-leakages.data
    -rw-rw-r-- 1 root root  240 Jun 30 12:52 java-errors.data
    -rw-rw-r-- 1 root root  31K Jun 30 12:52 lfi-os-files.data
    -rw-rw-r-- 1 root root 5.3K Jun 30 12:52 php-config-directives.data
    -rw-rw-r-- 1 root root 9.0K Jun 30 12:52 php-errors.data
    -rw-rw-r-- 1 root root  683 Jun 30 12:52 php-function-names-933150.data
    -rw-rw-r-- 1 root root  21K Jun 30 12:52 php-function-names-933151.data
    -rw-rw-r-- 1 root root  224 Jun 30 12:52 php-variables.data
    -rw-rw-r-- 1 root root 7.5K Jun 30 12:52 REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
    -rw-rw-r-- 1 root root  14K Jun 30 12:52 REQUEST-901-INITIALIZATION.conf
    -rw-rw-r-- 1 root root  14K Jun 30 12:52 REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root  26K Jun 30 12:52 REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root  11K Jun 30 12:52 REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root 7.7K Jun 30 12:52 REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root 1.9K Jun 30 12:52 REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root  18K Jun 30 12:52 REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
    -rw-rw-r-- 1 root root 1.6K Jun 30 12:52 REQUEST-905-COMMON-EXCEPTIONS.conf
    -rw-rw-r-- 1 root root  11K Jun 30 12:52 REQUEST-910-IP-REPUTATION.conf
    -rw-rw-r-- 1 root root 2.6K Jun 30 12:52 REQUEST-911-METHOD-ENFORCEMENT.conf
    -rw-rw-r-- 1 root root  11K Jun 30 12:52 REQUEST-912-DOS-PROTECTION.conf
    -rw-rw-r-- 1 root root 7.0K Jun 30 12:52 REQUEST-913-SCANNER-DETECTION.conf
    -rw-rw-r-- 1 root root  50K Jun 30 12:52 REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    -rw-rw-r-- 1 root root  13K Jun 30 12:52 REQUEST-921-PROTOCOL-ATTACK.conf
    -rw-rw-r-- 1 root root 5.9K Jun 30 12:52 REQUEST-930-APPLICATION-ATTACK-LFI.conf
    -rw-rw-r-- 1 root root 5.6K Jun 30 12:52 REQUEST-931-APPLICATION-ATTACK-RFI.conf
    -rw-rw-r-- 1 root root  54K Jun 30 12:52 REQUEST-932-APPLICATION-ATTACK-RCE.conf
    -rw-rw-r-- 1 root root  32K Jun 30 12:52 REQUEST-933-APPLICATION-ATTACK-PHP.conf
    -rw-rw-r-- 1 root root 3.9K Jun 30 12:52 REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
    -rw-rw-r-- 1 root root  40K Jun 30 12:52 REQUEST-941-APPLICATION-ATTACK-XSS.conf
    -rw-rw-r-- 1 root root  69K Jun 30 12:52 REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    -rw-rw-r-- 1 root root 5.1K Jun 30 12:52 REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    -rw-rw-r-- 1 root root  15K Jun 30 12:52 REQUEST-944-APPLICATION-ATTACK-JAVA.conf
    -rw-rw-r-- 1 root root 4.0K Jun 30 12:52 REQUEST-949-BLOCKING-EVALUATION.conf
    -rw-rw-r-- 1 root root 4.7K Jun 30 12:52 RESPONSE-950-DATA-LEAKAGES.conf
    -rw-rw-r-- 1 root root  18K Jun 30 12:52 RESPONSE-951-DATA-LEAKAGES-SQL.conf
    -rw-rw-r-- 1 root root 3.5K Jun 30 12:52 RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    -rw-rw-r-- 1 root root 4.9K Jun 30 12:52 RESPONSE-953-DATA-LEAKAGES-PHP.conf
    -rw-rw-r-- 1 root root 5.7K Jun 30 12:52 RESPONSE-954-DATA-LEAKAGES-IIS.conf
    -rw-rw-r-- 1 root root 4.2K Jun 30 12:52 RESPONSE-959-BLOCKING-EVALUATION.conf
    -rw-rw-r-- 1 root root 6.7K Jun 30 12:52 RESPONSE-980-CORRELATION.conf
    -rw-rw-r-- 1 root root 3.0K Jun 30 12:52 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
    -rw-rw-r-- 1 root root 2.0K Jun 30 12:52 restricted-files.data
    -rw-rw-r-- 1 root root  390 Jun 30 12:52 restricted-upload.data
    -rw-rw-r-- 1 root root  216 Jun 30 12:52 scanners-headers.data
    -rw-rw-r-- 1 root root  418 Jun 30 12:52 scanners-urls.data
    -rw-rw-r-- 1 root root 4.8K Jun 30 12:52 scanners-user-agents.data
    -rw-rw-r-- 1 root root  717 Jun 30 12:52 scripting-user-agents.data
    -rw-rw-r-- 1 root root 1.9K Jun 30 12:52 sql-errors.data
    -rw-rw-r-- 1 root root 1.4K Jun 30 12:52 unix-shell.data
    -rw-rw-r-- 1 root root 3.9K Jun 30 12:52 windows-powershell-commands.data


    The ruleset entry for Nikto is located in /usr/local/nginx/coreruleset-3.3.2/rules/scanners-user-agents.data

    Code (Text):
    # Vulnerability scanners, bruteforce password crackers and exploitation tools
    
    # password cracker
    # http://sectools.org/tool/hydra/
    (hydra)
    # vuln scanner
    # http://virtualblueness.net/nasl.html
    .nasl
    # sql injection
    # https://sourceforge.net/projects/absinthe/
    absinthe
    # email harvesting
    # dead? 2004
    advanced email extractor
    # vuln scanner
    # http://www.arachni-scanner.com/
    arachni/
    autogetcontent
    # nessus frontend
    # http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html
    # dead? 2003
    bilbo
    # Backup File Artifacts Checker
    # https://github.com/mazen160/bfac
    BFAC
    # password cracker
    # http://sectools.org/tool/brutus/
    brutus
    brutus/aet
    # sql injection
    # https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/
    bsqlbf
    # vuln scanner
    # http://freecode.com/projects/cgichk dead? 2001
    cgichk
    # vuln scanner
    # https://sourceforge.net/projects/cisco-torch/
    cisco-torch
    # vuln scanner
    # https://github.com/stasinopoulos/commix
    commix
    # MS FrontPage vuln scanner?
    core-project/1.0
    # vuln scanner?
    crimscanner/
    # vuln scanner
    datacha0s
    # hidden page scanner
    # https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
    dirbuster
    # vuln scanner
    # https://sourceforge.net/projects/dominohunter/
    domino hunter
    # vuln scanner - directory traversal fuzzer
    # https://github.com/wireghoul/dotdotpwn
    dotdotpwn
    email extractor
    # vuln scanner
    fhscan core 1.
    floodgate
    # "F-Secure Radar is a turnkey vulnerability scanning and management platform."
    F-Secure Radar
    get-minimal
    # Scanner that looks for existing or hidden web objects
    # https://github.com/OJ/gobuster
    gobuster
    # vuln scanner
    gootkit auto-rooter scanner
    grabber
    # vuln scanner
    # https://sourceforge.net/projects/grendel/
    grendel-scan
    # sql injection
    havij
    # vuln scanner - path disclosure finder
    # http://seclists.org/fulldisclosure/2010/Sep/375
    inspath
    internet ninja
    # vuln scanner
    jaascois
    # vuln scanner
    zmeu
    # "Mozilla/5.0 Jorgee", vuln scanner
    Jorgee
    # port scanner
    # https://github.com/robertdavidgraham/masscan
    masscan
    # vuln scanner
    # http://www.severus.org/sacha/metis/
    metis
    # vuln scanner
    morfeus fucking scanner
    # sql injection
    # https://github.com/dtrip/mysqloit
    mysqloit
    # vuln scanner
    # http://www.nstalker.com/
    n-stealth
    # vuln scanner
    # http://www.tenable.com/products/nessus-vulnerability-scanner
    nessus
    # vuln scanner
    # https://www.netsparker.com/web-vulnerability-scanner/
    netsparker
    # vuln scanner
    # https://cirt.net/Nikto2
    nikto
    # vuln scanner
    nmap nse
    nmap scripting engine
    nmap-nse
    # vuln scanner
    # http://www.nsauditor.com/
    nsauditor
    # vuln scanner
    # https://github.com/projectdiscovery/nuclei
    Nuclei
    # vuln scanner
    # http://www.openvas.org/
    openvas
    # sql injection
    # http://www.vealtel.com/software/nosec/pangolin/
    pangolin
    # web proxy & vuln scanner
    # https://sourceforge.net/projects/paros/
    paros
    # phpmyadmin vuln scanner
    # dead 2005?
    pmafind
    prog.customcrawler
    # QQGameHall DoS/Virus/Malware/Adware
    # https://twitter.com/bagder/status/1244982556958826496?s=20
    QQGameHall
    # vuln scanner
    # https://www.qualys.com/suite/web-application-scanning/
    qualys was
    s.t.a.l.k.e.r.
    security scan
    # vuln scanner
    # https://sourceforge.net/projects/springenwerk/
    springenwerk
    # sql injection
    # http://www.sqlpowerinjector.com/
    sql power injector
    # sql injection
    # http://sqlmap.org/
    sqlmap
    # sql injection
    # http://sqlninja.sourceforge.net/
    sqlninja
    # https://www.cyber.nj.gov/threat-profiles/trojan-variants/sysscan
    sysscan
    # password cracker
    # http://foofus.net/goons/jmk/medusa/medusa.html
    teh forest lobster
    this is an exploit
    # vuln scanner?
    toata dragostea
    toata dragostea mea pentru diavola
    # SQL bot
    # http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0
    uil2pn
    # badly scripted UAs (e.g. User-Agent: User-Agent: foo)
    user-agent:
    # vuln scannr
    # https://subgraph.com/vega/
    vega/
    # vuln scanner
    # dead?
    voideye
    # vuln scanner
    # http://w3af.org/
    w3af.sf.net
    w3af.sourceforge.net
    w3af.org
    # site scanner (legacy)
    # http://www.robotstxt.org/db/webbandit.html
    webbandit
    # vuln scanner
    # http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
    webinspect
    # site scanner
    # http://www.scrt.ch/en/attack/downloads/webshag
    webshag
    # vuln scanner
    # dead?
    webtrends security analyzer
    # vuln scanner
    # https://github.com/hhucn/webvulnscan
    webvulnscan
    # vuln scanner
    # https://github.com/xmendez/wfuzz
    Wfuzz
    # vuln scanner
    # https://github.com/ffuf/ffuf
    Fuzz Faster U Fool
    # web technology scanner
    # https://www.morningstarsecurity.com/research/whatweb
    whatweb
    # vuln scanner
    whcc/
    # exploit poc
    wordpress hash grabber
    # exploit
    xmlrpc exploit
    # wordpress vuln scanner
    # https://wpscan.org/
    WPScan
    # vuln scanner
    # https://github.com/mazen160/struts-pwn
    struts-pwn
    # Detectify website vulnerability scanner
    # https://detectify.com/
    Detectify
    # ZGrab scanner (Mozilla/5.0 zgrab/0.x)
    # https://zmap.io
    zgrab


    Code (Text):
    grep -C5 Nikto /usr/local/nginx/coreruleset-3.3.2/rules/scanners-user-agents.data
    nessus
    # vuln scanner
    # https://www.netsparker.com/web-vulnerability-scanner/
    netsparker
    # vuln scanner
    # https://cirt.net/Nikto2
    nikto
    # vuln scanner
    nmap nse
    nmap scripting engine
    nmap-nse
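The modsecurity.conf shown above ships with SecRuleEngine DetectionOnly and with SecTmpDir and SecDataDir pointing at the shared /tmp/, and main.conf's header tells you to edit the engine setting yourself. The following Python script is an added example (not eva2000's code and not part of Centmin Mod): it parses SecLang directives, flags those settings the way a deployment review would, and rewrites them in place. The sample configuration is a constructed excerpt in the shape of the file above, and the private directory paths under /var/lib/modsecurity/ are assumed placeholders; create whatever directories you choose, owned by the nginx user and not readable by others, before pointing ModSecurity at them.

```python
import re

# Constructed excerpt in the shape of the modsecurity.conf above: the engine is
# still in DetectionOnly and both working directories point at the shared /tmp/.
# Sample input for the checker, not read from a live server.
SAMPLE_CONF = """\
# -- Rule engine initialization ----
SecRuleEngine DetectionOnly

SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "application/json" \\
    "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecStatusEngine On
"""

# Directories every local user can write to; ModSecurity's own comments ask for
# a private location instead.
SHARED_DIRS = ("/tmp", "/var/tmp")


def parse_directives(text):
    """Return (directive, arguments) pairs from SecLang text, skipping '#'
    comments and blank lines and joining backslash line continuations."""
    directives, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        name, _, args = buf.partition(" ")
        directives.append((name, args.strip()))
        buf = ""
    return directives


def audit_config(text):
    """Flag settings a reviewer would want changed before relying on the WAF.
    Returns (severity, directive, finding) tuples. A later directive overrides
    an earlier one, as ModSecurity itself does."""
    conf = {}
    for name, args in parse_directives(text):
        conf[name] = args
    findings = []
    engine = conf.get("SecRuleEngine", "Off")
    if engine != "On":
        findings.append(("high", "SecRuleEngine",
                         f"set to {engine}: matches are logged but nothing is blocked"))
    if conf.get("SecRequestBodyAccess", "Off") != "On":
        findings.append(("high", "SecRequestBodyAccess",
                         "request bodies (POST parameters) are not inspected"))
    for d in ("SecTmpDir", "SecDataDir", "SecUploadDir"):
        if conf.get(d, "").rstrip("/") in SHARED_DIRS:
            findings.append(("medium", d,
                             f"{conf[d]} is shared with every local user; use a private directory"))
    if conf.get("SecAuditEngine", "Off") == "Off":
        findings.append(("medium", "SecAuditEngine",
                         "audit logging is off, so rule matches cannot be reviewed"))
    if conf.get("SecStatusEngine", "Off") == "On":
        findings.append(("info", "SecStatusEngine",
                         "version information is sent to the ModSecurity project"))
    return findings


def set_directive(text, name, value):
    """Rewrite one directive's value in place (or append it if absent), leaving
    comments and every other line untouched."""
    pattern = re.compile(rf"^([ \t]*{re.escape(name)}[ \t]+).*$", re.M)
    if not pattern.search(text):
        return text.rstrip("\n") + f"\n{name} {value}\n"
    return pattern.sub(lambda m: m.group(1) + value, text, count=1)


def harden(text):
    """Apply the fixes for the high and medium findings. The directory paths are
    assumed placeholders; they must exist and be private to the nginx user."""
    text = set_directive(text, "SecRuleEngine", "On")
    text = set_directive(text, "SecTmpDir", "/var/lib/modsecurity/tmp/")
    text = set_directive(text, "SecDataDir", "/var/lib/modsecurity/data/")
    return text


if __name__ == "__main__":
    for severity, directive, finding in audit_config(SAMPLE_CONF):
        print(f"[{severity}] {directive}: {finding}")
    print("after hardening:", audit_config(harden(SAMPLE_CONF)))
```

Run it against the real file with `audit_config(open("/usr/local/nginx/modsec/modsecurity.conf").read())`; after any change, `nginx -t` still has to pass before a reload, since the connector loads the rule files at configuration time.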
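The two audit log excerpts earlier in this post (the DetectionOnly test-rule hit and the Nikto CRS hit) are in the serial format selected by SecAuditLogType Serial: each transaction is a run of parts delimited by `---<audit id>---<letter>--` markers, and part H carries one `ModSecurity: Warning. Matched ...` line per rule hit with `[key "value"]` fields. The Python below is an added example (not eva2000's code and not part of ModSecurity or Centmin Mod) that parses that format into one record per transaction and works out which hits would have been denied once SecRuleEngine is On: the CRS anomaly-evaluation rules 949110 (inbound) and 959100 (outbound) are the ones that block. The sample log is constructed from the excerpts above.

```python
import re

# Constructed sample in the serial audit log format shown in this thread: the
# DetectionOnly test-rule hit and the Nikto CRS hit. Not a copy of a live log.
SAMPLE_AUDIT_LOG = """\
---sFFvIAv3---A--
[13/Dec/2021:23:33:12 +0000] 1639438392 127.0.0.1 8484 127.0.0.1 80
---sFFvIAv3---B--
HEAD /?testparam=test HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost

---sFFvIAv3---F--
HTTP/1.1 200

---sFFvIAv3---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/usr/local/nginx/modsec/main.conf"] [line "9"] [id "1234"] [msg ""] [severity "0"] [uri "/"] [unique_id "1639438392"]

---sFFvIAv3---Z--
---i96FSzTK---A--
[13/Dec/2021:23:34:14 +0000] 1639438454 127.0.0.1 8488 127.0.0.1 80
---i96FSzTK---B--
GET / HTTP/1.1
Host: localhost
User-Agent: Nikto

---i96FSzTK---F--
HTTP/1.1 200

---i96FSzTK---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `Nikto' ) [file "/usr/local/nginx/coreruleset-3.3.2/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [tag "attack-reputation-scanner"] [tag "paranoia-level/1"] [uri "/"] [unique_id "1639438454"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [tag "attack-generic"] [uri "/"] [unique_id "1639438454"]

---i96FSzTK---Z--
"""

PART_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")  # ---<audit id>---<part letter>--
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')             # [key "value"] pairs in H lines
SCORE_RE = re.compile(r"Total Score: (\d+)")
# CRS 3.x rules that fire when the inbound / outbound anomaly threshold is
# reached; with SecRuleEngine On these are the rules that actually deny.
CRS_BLOCKING_RULES = {"949110", "959100"}


def parse_match_line(line):
    """Turn one 'ModSecurity: Warning. Matched ...' H-part line into a dict."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields.setdefault(key, value)
    return {"id": fields.get("id", ""), "msg": fields.get("msg", ""),
            "severity": int(fields.get("severity") or 0), "tags": tags}


def parse_audit_log(text):
    """Split a serial audit log into transactions and keep the parts worth
    alerting on: client, request line, headers, status and rule matches."""
    transactions, tx, part = [], None, None
    for line in text.splitlines():
        marker = PART_RE.match(line)
        if marker:
            audit_id, part = marker.groups()
            if part == "A":
                tx = {"audit_id": audit_id, "client_ip": "", "request_line": "",
                      "headers": {}, "status": "", "matches": []}
                transactions.append(tx)
            continue
        if tx is None or not line.strip():
            continue
        if part == "A":  # "[timestamp] unique_id client_ip client_port server_ip server_port"
            tx["client_ip"] = line.partition("] ")[2].split()[1]
        elif part == "B":  # request line first, then request headers
            if not tx["request_line"]:
                tx["request_line"] = line
            elif ": " in line:
                name, value = line.split(": ", 1)
                tx["headers"][name.lower()] = value
        elif part == "F" and not tx["status"]:
            tx["status"] = line
        elif part == "H" and line.startswith("ModSecurity:"):
            tx["matches"].append(parse_match_line(line))
    return transactions


def anomaly_score(tx):
    """Inbound anomaly score reported by the CRS blocking-evaluation rule, else 0."""
    for m in tx["matches"]:
        found = SCORE_RE.search(m["msg"])
        if found:
            return int(found.group(1))
    return 0


def would_block(tx):
    """True if the CRS threshold was exceeded, i.e. the request is denied once
    SecRuleEngine is On; in DetectionOnly it is only logged and the 200 goes
    through. A custom rule's own deny action (the thread's id 1234) is not
    visible in the log line, so it is not counted here."""
    return any(m["id"] in CRS_BLOCKING_RULES for m in tx["matches"])


def summarize(text):
    """One flat record per transaction, the shape you would forward to a SIEM."""
    return [{"audit_id": tx["audit_id"], "client": tx["client_ip"],
             "request": tx["request_line"], "status": tx["status"],
             "user_agent": tx["headers"].get("user-agent", ""),
             "rule_ids": [m["id"] for m in tx["matches"]],
             "anomaly_score": anomaly_score(tx), "would_block": would_block(tx)}
            for tx in parse_audit_log(text)]
```

Point it at the real file with `summarize(open("/var/log/modsec_audit.log").read())`. While the engine is still in DetectionOnly, the `would_block` column is the quickest way to see which legitimate traffic the CRS would start rejecting, which is exactly the false-positive review to do before switching SecRuleEngine to On.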