| author | jvoisin | 2018-07-23 17:56:34 +0200 |
|---|---|---|
| committer | jvoisin | 2018-07-23 17:56:34 +0200 |
| commit | 28d101595adab9dd58676c1fcef34dcc0c753980 (patch) | |
| tree | d155ce318e1a2c0ca73bee24598a6c625a23a6a9 /config | |
| parent | 94fae0f7a5cc1667c1568de775860f7e4f4f403f (diff) | |
Improve a bit the default rules
- Use plain values instead of regexp where possible
- Reduce the number of false positives (*cough* `curl_exec` *cough*)
Diffstat (limited to 'config')
| -rw-r--r-- | config/default.rules | 18 |
1 files changed, 15 insertions, 3 deletions
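--- a/config/default.rules
+++ b/config/default.rules
@@ -40,9 +40,21 @@ sp.disable_function.function("ini_set").param("var_name").value("include_path").
 sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
 
 # Detect some backdoors via environnement recon
-sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
-sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
-sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
+sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
+sp.disable_function.function("function_exists").param("function_name").value("system").drop();
+sp.disable_function.function("function_exists").param("function_name").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function_name").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function_name").value("passthru").drop();
+sp.disable_function.function("is_callable").param("var").value("eval").drop();
+sp.disable_function.function("is_callable").param("var").value("exec").drop();
+sp.disable_function.function("is_callable").param("var").value("system").drop();
+sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("var").value("passthru").drop();
 
 # Commenting sqli related stuff to improve performance.
 # TODO figure out why these functions can't be hooked at startup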
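Review bot: Replacing the unanchored regex `(?:eval|exec|system)` with an explicit value list at new lines 46-57 silently narrows detection: the old pattern matched any name containing `exec`, so a probe like `function_exists('pcntl_exec')` was caught, whereas the new list ends at `shell_exec`/`proc_open`/`passthru` and `pcntl_exec` now passes (and `popen` was never covered by either version). If that recon is still meant to be detected, add `sp.disable_function.function("function_exists").param("function_name").value("pcntl_exec").drop();` and the matching `is_callable` rule, and consider `popen` for both. Separately, PHP resolves function names case-insensitively, so if `.value()` is a byte-exact comparison a `function_exists('System')` probe evades both the new and the old rules; a short comment above the block stating that these are case-sensitive fingerprints of common backdoor recon, not a complete deny-list, would help the next reader weigh the false-positive trade-off the commit message mentions. Note that the remaining `value_r("suhosin")` is an unanchored substring match and so still covers every `suhosin.*` key, which is presumably intentional and worth saying in that same comment.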
