summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--config/default.rules83
-rw-r--r--config/default_php8.rules128
-rw-r--r--debian/snuffleupagus.examples1
3 files changed, 66 insertions, 146 deletions
diff --git a/config/default.rules b/config/default.rules
index a3e779b..817e62f 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -40,35 +40,39 @@ sp.disable_function.function("chmod").param("mode").value("438").drop();
40sp.disable_function.function("chmod").param("mode").value("511").drop(); 40sp.disable_function.function("chmod").param("mode").value("511").drop();
41 41
42# Prevent various `mail`-related vulnerabilities 42# Prevent various `mail`-related vulnerabilities
43@condition PHP_VERSION_ID < 80300;
43sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); 44sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
45@condition PHP_VERSION_ID >= 80300;
46sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
47@end_condition;
44 48
45# Since it's now burned, me might as well mitigate it publicly 49# Since it's now burned, me might as well mitigate it publicly
46sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() 50sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
47sp.disable_function.function("putenv").param("setting").value("PATH").drop() 51sp.disable_function.function("putenv").param("setting").value("PATH").drop();
48 52
49# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 53# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
50sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() 54sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();
51 55
52# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector 56# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
53sp.disable_function.function("extract").pos("0").value_r("^_").drop() 57sp.disable_function.function("extract").pos("0").value_r("^_").drop();
54sp.disable_function.function("extract").pos("1").value("0").drop() 58sp.disable_function.function("extract").pos("1").value("0").drop();
55 59
56# This is also burned: 60# This is also burned:
57# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); 61# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
58# Since we have no way of matching on two parameters at the same time, we're 62# Since we have no way of matching on two parameters at the same time, we're
59# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. 63# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
60# Moreover, there are non-public bypasses that are also using this vector ;) 64# Moreover, there are non-public bypasses that are also using this vector ;)
61sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop() 65sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop();
62 66
63# Prevent various `include`-related vulnerabilities 67# Prevent various `include`-related vulnerabilities
64sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); 68sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
65sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); 69sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
66sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); 70sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
67sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); 71sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
68sp.disable_function.function("require_once").drop() 72sp.disable_function.function("require_once").drop();
69sp.disable_function.function("include_once").drop() 73sp.disable_function.function("include_once").drop();
70sp.disable_function.function("require").drop() 74sp.disable_function.function("require").drop();
71sp.disable_function.function("include").drop() 75sp.disable_function.function("include").drop();
72 76
73# Prevent `system`-related injections 77# Prevent `system`-related injections
74sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); 78sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
@@ -77,13 +81,22 @@ sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\
77sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); 81sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
78 82
79# Prevent runtime modification of interesting things 83# Prevent runtime modification of interesting things
84@condition PHP_VERSION_ID < 80000;
80sp.disable_function.function("ini_set").param("varname").value("assert.active").drop(); 85sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
81sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop(); 86sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
82sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop(); 87sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
83sp.disable_function.function("ini_set").param("varname").value("include_path").drop(); 88sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
84sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop(); 89sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
90@condition PHP_VERSION_ID >= 80000;
91sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
92sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
93sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
94sp.disable_function.function("ini_set").param("option").value("include_path").drop();
95sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
96@end_condition;
85 97
86# Detect some backdoors via environment recon 98# Detect some backdoors via environment recon
99@condition PHP_VERSION_ID < 80000;
87sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); 100sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
88sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); 101sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
89sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); 102sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
@@ -99,6 +112,24 @@ sp.disable_function.function("is_callable").param("var").value("system").drop();
99sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); 112sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
100sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); 113sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
101sp.disable_function.function("is_callable").param("var").value("passthru").drop(); 114sp.disable_function.function("is_callable").param("var").value("passthru").drop();
115@condition PHP_VERSION_ID >= 80000;
116sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
117sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
118sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
119sp.disable_function.function("function_exists").param("function").value("eval").drop();
120sp.disable_function.function("function_exists").param("function").value("exec").drop();
121sp.disable_function.function("function_exists").param("function").value("system").drop();
122sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
123sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
124sp.disable_function.function("function_exists").param("function").value("passthru").drop();
125sp.disable_function.function("is_callable").param("value").value("eval").drop();
126sp.disable_function.function("is_callable").param("value").value("exec").drop();
127sp.disable_function.function("is_callable").param("value").value("system").drop();
128sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
129sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
130sp.disable_function.function("is_callable").param("value").value("passthru").drop();
131@end_condition;
132
102 133
103# Ghetto error-based sqli detection 134# Ghetto error-based sqli detection
104# sp.disable_function.function("mysql_query").ret("FALSE").drop(); 135# sp.disable_function.function("mysql_query").ret("FALSE").drop();
@@ -117,14 +148,32 @@ sp.disable_function.function("curl_setopt").param("value").value_r("file://").dr
117sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled"); 148sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
118 149
119# File upload 150# File upload
120# On old PHP7 versions 151@condition PHP_VERSION_ID >= 80000;
121#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); 152sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
122#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); 153sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
123# On PHP7.4+ 154@condition PHP_VERSION_ID >= 70400;
124sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop(); 155sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop();
125sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop(); 156sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop();
157@condition PHP_VERSION_ID >= 70000;
158sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
159sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
160@end_condition;
126 161
127# Logging lockdown 162# Logging lockdown
128sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop() 163@condition PHP_VERSION_ID >= 70000;
129sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop() 164sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop();
130sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop() 165sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop();
166sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop();
167@condition PHP_VERSION_ID >= 80000;
168sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
169sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop();
170sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
171@end_condition;
172
173# Classic webshells patterns
174sp.disable_function.function("system>base64_decode").drop();
175sp.disable_function.function("shell_exec>base64_decode").drop();
176sp.disable_function.function("exec>base64_decode").drop();
177sp.disable_function.function("passthru>base64_decode").drop();
178sp.disable_function.function("proc_open>base64_decode").drop();
179sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
diff --git a/config/default_php8.rules b/config/default_php8.rules
deleted file mode 100644
index 0490654..0000000
--- a/config/default_php8.rules
+++ /dev/null
@@ -1,128 +0,0 @@
1# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
2# for php8.
3# It contains "reasonable" defaults that won't break your websites,
4# and a lot of commented directives that you can enable if you want to
5# have a better protection.
6
7# Harden the PRNG
8sp.harden_random.enable();
9
10# Disabled XXE
11sp.xxe_protection.enable();
12
13# Global configuration variables
14# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
15
16# Globally activate strict mode
17# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
18# sp.global_strict.enable();
19
20# Prevent unserialize-related exploits
21# sp.unserialize_hmac.enable();
22
23# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
24# sp.readonly_exec.enable();
25
26# PHP has a lot of wrappers, most of them aren't usually useful, you should
27# only enable the ones you're using.
28# sp.wrappers_whitelist.list("file,php,phar");
29# The "php" wrapper can be further filtered, e.g. to only allow `php://stdout`, `php://stdin` and `php://stderr`:
30# sp.wrappers_whitelist.php_list("stdout,stdin,stderr");
31
32# Prevent sloppy comparisons.
33# sp.sloppy_comparison.enable();
34
35# Use SameSite on session cookie
36# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
37sp.cookie.name("PHPSESSID").samesite("lax");
38
39# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
40sp.disable_function.function("chmod").param("permissions").value("438").drop();
41sp.disable_function.function("chmod").param("permissions").value("511").drop();
42
43# Prevent various `mail`-related vulnerabilities
44# Uncommend the second rule if you're using php8.3+
45#sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
46#sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
47
48# Since it's now burned, me might as well mitigate it publicly
49sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
50sp.disable_function.function("putenv").param("assignment").value("PATH").drop()
51
52# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
53sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
54
55# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
56sp.disable_function.function("extract").param("array").value_r("^_").drop()
57sp.disable_function.function("extract").param("flags").value("0").drop()
58
59# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
60# Since we have no way of matching on two parameters at the same time, we're
61# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
62# Moreover, there are non-public bypasses that are also using this vector ;)
63sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
64
65# Prevent various `include`-related vulnerabilities
66sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
67sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
68sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
69sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
70sp.disable_function.function("require_once").drop()
71sp.disable_function.function("include_once").drop()
72sp.disable_function.function("require").drop()
73sp.disable_function.function("include").drop()
74
75# Prevent `system`-related injections
76sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
77sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
78sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
79sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
80
81# Prevent runtime modification of interesting things
82sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
83sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
84sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
85sp.disable_function.function("ini_set").param("option").value("include_path").drop();
86sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
87
88# Detect some backdoors via environment recon
89sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
90sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
91sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
92sp.disable_function.function("function_exists").param("function").value("eval").drop();
93sp.disable_function.function("function_exists").param("function").value("exec").drop();
94sp.disable_function.function("function_exists").param("function").value("system").drop();
95sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
96sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
97sp.disable_function.function("function_exists").param("function").value("passthru").drop();
98sp.disable_function.function("is_callable").param("value").value("eval").drop();
99sp.disable_function.function("is_callable").param("value").value("exec").drop();
100sp.disable_function.function("is_callable").param("value").value("system").drop();
101sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
102sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
103sp.disable_function.function("is_callable").param("value").value("passthru").drop();
104
105# Ghetto error-based sqli detection
106# sp.disable_function.function("mysql_query").ret("FALSE").drop();
107# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
108# sp.disable_function.function("PDO::query").ret("FALSE").drop();
109
110# Ensure that certificates are properly verified
111sp.disable_function.function("curl_setopt").param("value").value("1").allow();
112sp.disable_function.function("curl_setopt").param("value").value("2").allow();
113# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
114sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
115sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
116
117# Ensure that file:// protocol is not allowed in CURL
118sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
119sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
120
121# File upload
122sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
123sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
124
125# Logging lockdown
126sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
127sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
128sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
diff --git a/debian/snuffleupagus.examples b/debian/snuffleupagus.examples
index 1ed42a3..0073bab 100644
--- a/debian/snuffleupagus.examples
+++ b/debian/snuffleupagus.examples
@@ -1,2 +1 @@
1config/default.rules config/default.rules
2config/default_php8.rules