Edit File: rules.yaml
############################### # # Defines # ############################### signs: 250825 preffix: - e: exec - e: system - e: passthru - e: shell_exec - e: proc_open - e: popen - u: include - u: include_once - u: require - u: require_once - u: curl_init - u: curl_exec - u: curl_multi_exec - f: file_get_contents - f: file_put_contents - f: fopen - f: fwrite - f: symlink - f: move_uploaded_file - f: copy - n: header - s: preg_replace - s: trim - s: str_replace - s: rawurldecode - o: base64_decode - o: gzinflate - o: gzdeflate - o: str_rot13 - g: mail - g: fsockopen - g: socket_connect - g: stream_socket_client - g: pfsockopen - d: pcntl_exec - h: register_shutdown_function - i: register_tick_function - k: mysql_query - l: assert - m: parse_ini_file - m: mysqli_query - p: show_source - q: eval - r: create_function - t: call_user_func - y: set_exception_handler - v: openssl_decrypt - w: strrev - x: gzuncompress # - z: die # - z: exit groups: - obf_ops: o - string_ops: s - exec: e - url: u - file: f - mail: g - sql: m # - diexit: z danger: - include - include_once - require - require_once - curl_init - curl_exec - curl_multi_exec - file_get_contents - file_put_contents - move_uploaded_file - header # - die # - exit - copy - fopen - fwrite - symlink - exec - system - passthru - shell_exec - proc_open - popen - assert - eval - mail - fsockopen - socket_connect - stream_socket_client - pfsockopen - mysqli_query writeloggers: - exec - passthru - shell_exec - proc_open - system fp_rules: ############################### # # False Positives for Blamer # ############################### # # Ai-Bolit # - fp_rule: # Blamer filename: wp-admin/includes/class-wp-filesystem-direct.php detection: f check_right: "f" check_wrong: "v" fp_id: 2 - fp_rule: # Blamer filename: wp-includes/functions.php detection: f check_right: "f" check_wrong: "v" fp_id: 3 - fp_rule: # Blamer filename: backwpup/inc/class-create-archive.php detection: f check_right: "f" check_wrong: "v" fp_id: 4 - fp_rule: # Blamer filename: wordfence/lib/wfUtils.php detection: f check_right: "f" check_wrong: "v" fp_id: 5 - fp_rule: # Blamer filename: wordfence/lib/wordfenceHash.php detection: f check_right: "f" check_wrong: "v" fp_id: 6 - fp_rule: # Blamer filename: wp-includes/class-wp-theme.php detection: f check_right: "f" check_wrong: "v" fp_id: 7 - fp_rule: # Blamer filename: includes/class/template.php detection: f check_right: "f" check_wrong: "v" fp_id: 8 - fp_rule: # Blamer filename: /usr/local/psa/admin/plib/modules/wp-toolkit/vendor/wp-cli/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php detection: u check_right: "u" check_wrong: "v" fp_id: 10 - fp_rule: # Blamer filename: /usr/local/psa/admin/plib/modules/wp-toolkit/vendor/wp-cli/vendor/wp-cli/wp-config-transformer/src/WPConfigTransformer.php detection: u check_right: "u" check_wrong: "v" fp_id: 11 - fp_rule: # Blamer filename: litespeed-cache/src/file.cls.php detection: f check_right: "f" check_wrong: "v" fp_id: 12 # # WP Plugins # - fp_rule: filename: wp-content/plugins/WPSecurity/load.php detection: f check_right: "f" check_wrong: "v" fp_id: 43 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/settings-hardening.php detection: f check_right: "f" check_wrong: "v" fp_id: 48 - fp_rule: # Blamer filename: wp-content/plugins/wp-fastest-cache/inc/cache.php detection: f check_right: "f" check_wrong: "v" fp_id: 49 - fp_rule: # Blamer filename: wp-content/plugins/wp-fastest-cache/wpFastestCache.php detection: f check_right: "f" check_wrong: "v" fp_id: 50 - fp_rule: # Blamer filename: wp-content/plugins/comet-cache/src/includes/traits/Shared/CacheLockUtils.php detection: f check_right: "f" check_wrong: "v" fp_id: 51 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Cache_File.php detection: f check_right: "f" check_wrong: "v" fp_id: 52 - fp_rule: # Blamer filename: wp-content/plugins/wp-super-cache/wp-cache.php detection: f check_right: "f" check_wrong: "v" fp_id: 53 - fp_rule: # Blamer filename: wp-content/plugins/cache-enabler/inc/cache_enabler_disk.class.php detection: f check_right: "f" check_wrong: "v" fp_id: 54 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Generic_Environment.php detection: f check_right: "f" check_wrong: "v" fp_id: 55 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/event.lib.php detection: f check_right: "f" check_wrong: "v" fp_id: 56 - fp_rule: # Blamer filename: wp-content/plugins/cache-enabler/inc/cache_enabler.class.php detection: f check_right: "f" check_wrong: "v" fp_id: 57 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/hardening.lib.php detection: f check_right: "f" check_wrong: "v" fp_id: 58 - fp_rule: # Blamer filename: wp-content/plugins/comet-cache/src/includes/traits/Plugin/InstallUtils.php detection: f check_right: "f" check_wrong: "v" fp_id: 59 - fp_rule: # Blamer filename: wp-content/plugins/wp-super-cache/wp-cache-phase2.php detection: f check_right: "f" check_wrong: "v" fp_id: 60 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/cache.lib.php detection: f check_right: "f" check_wrong: "v" fp_id: 61 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Util_Rule.php detection: f check_right: "f" check_wrong: "v" fp_id: 62 - fp_rule: # Blamer filename: wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php detection: f check_right: "f" check_wrong: "v" fp_id: 63 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/command.lib.php detection: e check_right: "e" check_wrong: "f" fp_id: 64 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Util_WpFile.php detection: f check_right: "f" check_wrong: "v" fp_id: 65 - fp_rule: # Blamer filename: wp-content/plugins/hyper-cache/plugin.php detection: f check_right: "f" check_wrong: "v" fp_id: 66 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/lib/Minify/Minify/Cache/File.php detection: f check_right: "f" check_wrong: "v" fp_id: 68 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/lastlogins.php detection: f check_right: "f" check_wrong: "v" fp_id: 69 - fp_rule: # Blamer filename: wp-content/plugins/wp-fastest-cache/inc/admin.php detection: f check_right: "f" check_wrong: "v" fp_id: 70 - fp_rule: # Blamer filename: wp-content/plugins/wordfence/lib/wfConfig.php detection: f check_right: "f" check_wrong: "v" fp_id: 71 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Util_File.php detection: f check_right: "f" check_wrong: "v" fp_id: 72 - fp_rule: # Blamer filename: wp-content/plugins/w3-total-cache/Cache_File_Generic.php detection: f check_right: "f" check_wrong: "v" fp_id: 73 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/option.lib.php detection: f check_right: "f" check_wrong: "v" fp_id: 74 - fp_rule: # Blamer filename: wp-content/plugins/sucuri-scanner/src/lastlogins-failed.php detection: f check_right: "f" check_wrong: "v" fp_id: 75 - fp_rule: filename: wp-content/plugins/backup/public/cron/cron.php detection: f check_right: "f" check_wrong: "v" fp_id: 76 - fp_rule: # Wordfence 3rd filename: wp-content/plugins/wordfence/lib/wordfenceScanner.php detection: f|F check_right: "f|F" check_wrong: "v" fp_id: 84 - fp_rule: # Blamer # # Save rules, logs and backups to files # filename: webanalyze/firewall/firewall.class.php detection: f check_right: "f" check_wrong: "v" fp_id: 85 - fp_rule: # Blamer # # Read and write cache data # filename: smarty/sysplugins/smarty_internal_write_file.php detection: f check_right: "f" check_wrong: "v" fp_id: 91 - fp_rule: # Blamer # # Write cache to files # filename: lib/PEAR/Cache_Lite/Lite.php detection: f.*?k check_right: "fk" check_wrong: "gk" fp_id: 93 - fp_rule: # WPCP filename: cloner.php detection: f check_right: "f" check_wrong: "g" fp_id: 110 - fp_rule: # WPCP filename: lib/snaplib/class.snaplib.u.io.php detection: f check_right: "f" check_wrong: "g" fp_id: 111 - fp_rule: # WPCP filename: lib/private/Files/Storage/Local.php detection: f check_right: "f" check_wrong: "g" fp_id: 112 - fp_rule: # WPCP filename: kickstart.php detection: f check_right: "f" check_wrong: "g" fp_id: 114 - fp_rule: # WPCP filename: wp-file-manager/lib/php/elFinderVolumeDriver.class.php detection: f check_right: "f" check_wrong: "g" fp_id: 115 - fp_rule: # WPCP filename: file-manager-advanced/application/library/php/elFinderVolumeDriver.class.php detection: f check_right: "f" check_wrong: "g" fp_id: 116 - fp_rule: # WPCP filename: file-manager-advanced/application/library/php/elFinderVolumeLocalFileSystem.class.php detection: f check_right: "f" check_wrong: "g" fp_id: 117 - fp_rule: # WPCP filename: wordfence/lib/wordfenceClass.php detection: f check_right: "f" check_wrong: "g" fp_id: 118 - fp_rule: # WPCP filename: pclzip.php detection: f check_right: "f" check_wrong: "g" fp_id: 119 - fp_rule: # WPCP filename: bitrix/modules/main/lib/io/file.php detection: f check_right: "f" check_wrong: "g" fp_id: 121 - fp_rule: # WPCP filename: codeigniter/system/helpers/file_helper.php detection: f check_right: "f" check_wrong: "g" fp_id: 122 - fp_rule: # WPCP filename: clone_controller/class-pclzip.php detection: f check_right: "f" check_wrong: "g" fp_id: 124 - fp_rule: # WPCP filename: akeebabackupwp/app/restore.php detection: f check_right: "f" check_wrong: "g" fp_id: 125 - fp_rule: # WPCP filename: admin/includes/class-wp-filesystem-direct.php detection: f check_right: "f" check_wrong: "g" fp_id: 128 - fp_rule: # WPCP filename: classes/softaculous.tar.php detection: f check_right: "f" check_wrong: "g" fp_id: 131 - fp_rule: # WPCP filename: Utility/GeneralUtility.php detection: f check_right: "f" check_wrong: "g" fp_id: 133 - fp_rule: # WPCP filename: lib/Parser.php detection: f check_right: "f" check_wrong: "g" fp_id: 135 - fp_rule: # WPCP filename: archiveLib/pclzip.class.php detection: f check_right: "f" check_wrong: "g" fp_id: 136 - fp_rule: # WPCP filename: Jobs/Files.php detection: f check_right: "f" check_wrong: "g" fp_id: 140 - fp_rule: # WPCP filename: typo3/sysext/core/Classes/Utility/GeneralUtility.php detection: f check_right: "f" check_wrong: "g" fp_id: 145 - fp_rule: # WPCP filename: plugins/faf/filters/image_filters.php detection: f check_right: "f" check_wrong: "g" fp_id: 146 - fp_rule: # WPCP filename: sucuri-cleanup.php detection: f check_right: "f" check_wrong: "g" fp_id: 147 - fp_rule: # WPCP filename: modules/boost/boost.module detection: f check_right: "f" check_wrong: "g" fp_id: 148 - fp_rule: # WPCP filename: libs/Snap/SnapIO.php detection: f check_right: "f" check_wrong: "g" fp_id: 153 - fp_rule: # WPCP filename: /duplicator/classes/package/class.pack.database.php detection: f check_right: "f" check_wrong: "g" fp_id: 158 - fp_rule: # WPCP filename: /duplicator-pro/src/Libs/Snap/SnapIO.php detection: f check_right: "f" check_wrong: "g" fp_id: 159 - fp_rule: # WPCP filename: ctrls/classes/class.ctrl.extraction.php detection: f check_right: "f" check_wrong: "g" fp_id: 162 - fp_rule: # WPCP filename: wp-cli/php/WP_CLI/Runner.php detection: u check_right: "u" check_wrong: "g" fp_id: 163 - fp_rule: # WPCP filename: bulletproof-security/includes/functions.php detection: f check_right: "f" check_wrong: "g" fp_id: 166 - fp_rule: # WPCP filename: wp-includes/SimplePie/Cache/File.php detection: f check_right: "f" check_wrong: "g" fp_id: 167 - fp_rule: # https://cloudlinux.atlassian.net/browse/DEFA-4606 filename: plugins/all-in-one-wp-security-and-firewall/classes/wp-security-backup.php detection: f check_right: "f" check_wrong: "g" fp_id: 168 - fp_rule: # https://cloudlinux.atlassian.net/browse/DEFA-4612 filename: plugins/ewww-image-optimizer/common.php detection: f check_right: "f" check_wrong: "g" fp_id: 169 - fp_rule: filename: all-in-one-wp-security-and-firewall/classes/wp-security-backup.php detection: f check_right: "f" check_wrong: "g" fp_id: 170 - fp_rule: filename: tmp_aps_scripts/configure detection: f check_right: "f" check_wrong: "g" fp_id: 172 - fp_rule: filename: app/sdks/archiveLib/bin/data.bin detection: f check_right: "f" check_wrong: "g" fp_id: 173 rules_group: - group: group_id: 1 group_name: Test rules. Should be disabled for production server app_name_id: 0 enabled: no - group: group_id: 2 group_name: Common rules for all applications app_name_id: 0 enabled: yes rules: ############################### # # Test rules # ############################### - rule: id: 1 description: Test detector 1 detection: e\|((a[0-9],[0-9]\|?)+)?(o\|?)+ check_right: "e|ooo|oo|o|o|ooo|o|oo|oo|ooo|oo|o|oo|o|o|o|o|ooo|o|oo|oooooo|oo|ooo|o|o|oo|oo|o|o|o|o|o|oo|o|" check_wrong: "e|koo|oo|o|o|koo|o|oo|oo|ooo|oo|o|oo|o|o|o|o|ooo|o|oo|oooooo|oo|ooo|o|o|oo|oo|o|o|o|o|o|oo|o|" level: 1 group_id: 1 - rule: id: 2 description: Test detector 2 detection: E\|((a[0-9],[0-9]\|?)+)?(s\|?)+ check_right: "E|ss|s|ss|ssss|s|s|s|ss|ss|ss|s|s|" check_wrong: "|vs|s|ss|ssss|s|s|s|ss|ss|ss|s|s|" level: 1 group_id: 1 - rule: id: 3 description: Test detector 3 detection: u\|((a[0-9],[0-9]|s)\|?)+(o\|)+ check_right: "u|a1,8|o|o|o|o|o|" check_wrong: "u|a10,8|o|o|o|o|o|" level: 1 group_id: 1 # file obf_ops string_ops obf_ops file ANYOP(1,1) - rule: id: 4 description: Test detector 4 detection: f\|o\|s\|o\|f\|a1,1 check_right: "f|o|s|o|f|a1,1" check_wrong: "f|o|s|o|f|a2,1" level: 1 group_id: 1 - rule: id: 5 description: Test detector 5 detection: s:f|s|o|s|o|f check_right: "f|s|o|s|o|f" check_wrong: "f|s|o|s|o|d" check_buf: s:<?php level: 1 group_id: 1 - rule: id: 6 description: Test detector 6 detection: s:f|o|s|o|s|o|f check_right: "f|o|s|o|s|o|f" check_wrong: "f|o|s|o|s|o|f" check_fp: 0 level: 1 group_id: 1 - rule: id: 7 description: Test detector 7 detection: s:f|s|o|s|o|s|o|f check_right: "f|s|o|s|o|s|o|f" check_wrong: "f|s|o|s|o|s|o|f" check_buf: s:<?php check_ext: php level: 1 group_id: 1 - rule: id: 8 description: Test detector 8 detection: s:u|q|l|s|q check_right: "u|q|l|s|q" check_wrong: "f|s|o|s|o|s|o|f|a2,1" script_ext: s:.ico level: 1 group_id: 1 - rule: id: 9 description: Test detector 9 detection: c:u check_right: "u" check_wrong: "f" script_ext: r:\.ico([0-9])test$ level: 1 group_id: 1 - rule: id: 10 description: Test detector 10 detection: ^f check_right: "f|q|l|s|a2,2" check_wrong: "u|s|o|s|o|s|o|f|a2,1" danger_files: 0,1 level: 1 group_id: 1 - rule: id: 11 description: Test detector 11 detection: f\|s\|o\|s\|o\|s\|o\|s\|o\|f\|a1,1 check_right: "f|s|o|s|o|s|o|s|o|f|a1,1" check_wrong: "f|s|o|s|o|s|o|f|a2,1" check_buf: s:<?php check_ext: php level: 1 group_id: 1 check_fp_list: 2,3,4,5 ############################### # # Blocking Rules # ############################### # - rule: # id: 10001 # description: # Block including files. Malware scanner report # detection: c:u # check_right: "u" # check_wrong: "e" # check_fp: no # funcname: include,include_once,require,require_once # action: BLOCK # check_block: yes # level: 10 # group_id: 2 - rule: id: 10000 description: Block including ico files detection: c:u check_right: "u" check_wrong: "e" file_op_name: r:\/\.[a-z0-9A-Z]{1,20}\.ico$ check_fp: no funcname: include action: BLOCK level: 10 group_id: 2 - rule: id: 10002 description: Block ico files drop detection: c:f check_right: "f" check_wrong: "g" file_op_name: r:\/\.[a-z0-9A-Z]{1,20}\.ico$ check_fp: no funcname: file_put_contents action: BLOCK level: 10 group_id: 2 - rule: id: 10006 description: Access to shadow file detection: c:f check_right: "f" check_wrong: "g" file_op_name: r:etc\/([^\/]+\/)?(shadow|passwd)$ funcname: file_put_contents,fopen,fwrite,file_get_contents action: BLOCK level: 10 group_id: 2 # DEFA-2409 rule contactemail/info - rule: id: 10011 description: cpanel hack via contactxxx detection: c:f check_right: "f" check_wrong: "v" file_op_name: r:\.?contact(info|email)$ funcname: file_put_contents,fopen,copy,fwrite action: BLOCK level: 10 group_id: 2 - rule: id: 10043 description: Malicious theme/plugin installation attempt detection: c:f check_right: "f" check_wrong: "g" script_ext: s:class.theme-modules.php check_fp: no funcname: file_get_contents,file_put_contents action: BLOCK level: 10 group_id: 2 - rule: id: 10044 description: Malicious theme/plugin installation attempt detection: c:f check_right: "f" check_wrong: "g" script_ext: s:class.plugin-modules.php check_fp: no funcname: file_get_contents,file_put_contents action: BLOCK level: 10 group_id: 2 - rule: id: 10047 description: malware drop attempt from pic files detection: c:u check_right: "f" check_wrong: "g" script_ext: r:\.(ico|png|jpg|gif)$ funcname: file_get_contents,file_put_contents,fopen,fwrite,curl_init,curl_exec action: BLOCK check_fp: no level: 10 group_id: 2 - rule: id: 10047 description: malware drop attempt from pic files detection: c:f check_right: "f" check_wrong: "g" script_ext: r:\.(ico|png|jpg|gif)$ funcname: file_get_contents,file_put_contents,fopen,fwrite,curl_init,curl_exec action: BLOCK check_fp: no level: 10 group_id: 2 - rule: id: 10048 description: Malware drop/interaction blocked detection: c:U check_right: "U" check_wrong: "e" check_fp: no action: BLOCK funcname: curl_exec level: 10 group_id: 2 - rule: id: 10048 description: Malware drop/interaction blocked detection: c:F check_right: "F" check_wrong: "e" check_fp: no action: BLOCK funcname: file_get_contents level: 10 group_id: 2 - rule: id: 10049 description: Malware drop/interaction blocked detection: c:E check_right: "E" check_wrong: "s" check_fp: no action: BLOCK level: 10 group_id: 2 - rule: id: 10056 description: Malicious theme/plugin installation attempt detection: c:f check_right: "f" check_wrong: "g" script_ext: s:class-wp-filesystem-direct.php danger_files: 10056 check_fp: no funcname: fopen,fwrite action: BLOCK level: 10 group_id: 2 - rule: id: 10064 description: Block malware drop detection: c:f check_right: "f" check_wrong: "g" script_ext: r:\/.+\/([^\/]+)\/\.\1\.php$ check_fp: no funcname: fopen,fwrite action: BLOCK level: 10 group_id: 2 - rule: id: 10066 description: Block malware drop detection: c:f check_right: "f" check_wrong: "g" funcname: fopen,fwrite,file_put_contents,file_get_contents file_op_name: r:alfacgiapi\/(perl|bash|py)\.alfa action: BLOCK level: 10 group_id: 2 - rule: id: 10091 description: CVE-2021-25094 detection: c:f check_right: "f" check_wrong: "g" script_ext: s:class-wp-filesystem-direct.php file_op_name: r:wp-content\/uploads\/typehub\/custom\/[^\/]+\/.+\.(pht|phtml|php\d?)$ check_fp: no funcname: fopen,fwrite action: BLOCK level: 10 group_id: 2 - rule: id: 10099 description: header BLOCK detection: c:N check_right: "N" check_wrong: "g" file_op_name: r:Location\:\shttp check_fp: no funcname: header action: BLOCK level: 10 group_id: 2 # - rule: # id: 10100 # description: # header/die BLOCK # detection: s:z|N # check_right: "z|N" # check_wrong: "g" # check_fp: no # funcname: die,exit # action: BLOCK # level: 10 # group_id: 2 - rule: id: 10101 description: Block malware drop detection: c:f check_right: "f" check_wrong: "g" script_ext: s:hello-element/page.php file_op_name: r:\/tmp\/tmp_php\_ check_fp: no funcname: fopen,fwrite,file_put_contents,file_get_contents action: BLOCK level: 10 group_id: 2 - rule: id: 10102 description: Block malware drop detection: c:f check_right: "f" check_wrong: "g" script_ext: r:\/wp-content\/themes\/[^\/]+\/functions.php file_op_name: r:\/tmp\/session_cache\_ check_fp: no funcname: fopen,fwrite,file_put_contents,file_get_contents action: BLOCK level: 10 group_id: 2 - rule: id: 10103 description: Block shell_exec eval detection: c:e check_right: "e" check_wrong: "g" check_buf: r:php\s\-r\s\Seval\(rawurldecode\( check_fp: no funcname: shell_exec action: BLOCK level: 10 group_id: 2 ############################### # https://cloudlinux.atlassian.net/browse/DEFA-2899?focusedCommentId=190227 # Test BLOCK Rule for customers # ############################### - rule: id: 77777 description: Proactive Defence test BLOCK rule detection: c:f check_right: "f" check_wrong: "g" file_op_name: s:https://secure.eicar.org/eicar.com.txt funcname: file_get_contents action: BLOCK level: -10 group_id: 2 ############################### # # KILL Rules # ############################### ############################### # # Logging Rules # ############################### - rule: id: 123591 description: DEF-23591 - non-php drops php detection: c:f check_right: "f" check_wrong: "g" script_ext: r:[\s\S]*\.(?!(php\d?|pht(ml)?|inc|html?)$)([^.]+$) file_op_name: r:[\s\S]*\.(?:php\d?|pht(ml)?)$ funcname: file_put_contents,fopen,fwrite level: 10 group_id: 2 - rule: id: 131315 description: external malware sources lookup detection: c:f check_right: "f" check_wrong: "g" file_op_name: r:^(https?|ftp) funcname: file_get_contents level: 5 group_id: 2 # - rule: # id: 131334 # description: # curl_init/exec test # detection: c:u # check_right: "u" # check_wrong: "g" # funcname: curl_exec,curl_multi_exec # level: 5 # group_id: 2 # - rule: # id: 131388 # description: # Log all invocations of mysqli_query # detection: c:m # check_right: "m" # check_wrong: "f" # funcname: mysqli_query # file_op_content: r:^(?i:INSERT|UPDATE).*\_comments.*(?:<a\s+href=['"]https?:\/\/[^\>]+>[^<\/]{0,49}\b(?:slot|poker|bocoran)\b[^<\/]{0,49}<\/a>\s*(?:<br\s*\/>\s*)?){3,} # check_fp: no # level: 10 # group_id: 2 - rule: id: 131398 description: themes/plugins upload detection: c:f check_right: "f" check_wrong: "g" script_ext: s:/wp-admin/includes/file.php check_buf: r:\.zip$ check_fp: no funcname: move_uploaded_file level: 10 group_id: 2 - rule: id: 141499 description: themes/plugins upload detection: c:f check_right: "f" check_wrong: "g" script_ext: s:/wp-admin/includes/class-wp-filesystem-direct.php file_op_name: r:\/wp-content\/upgrade\/ check_fp: no funcname: copy level: 10 group_id: 2 # - rule: # id: 141500 # description: # Log all events of mail function # detection: c:g # check_right: "g" # check_wrong: "f" # funcname: mail # check_fp: no # level: 10 # group_id: 2 # - rule: # id: 131382 # description: # Log all invocations of shell_exec # detection: c:e # check_right: "e" # check_wrong: "f" # funcname: shell_exec # check_fp: no # level: 10 # group_id: 2 - rule: id: 141501 description: Log all events of mail function detection: c:g check_right: "g" check_wrong: "f" check_fp: no level: 10 group_id: 2