From 2639eeadefd4e042c7ad1d02e9113bd8f01e711d Mon Sep 17 00:00:00 2001 From: ekultek Date: Mon, 13 Nov 2017 14:35:46 -0600 Subject: [PATCH] updated modsecurity and created a new waf scripts for wordfence --- etc/checksum/md5sum.md5 | 9 +++++---- lib/firewall/modsecurity.py | 5 +++-- lib/firewall/wordfence.py | 16 ++++++++++++++++ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5 index ce8fe2f..2f4fda2 100644 --- a/etc/checksum/md5sum.md5 +++ b/etc/checksum/md5sum.md5 @@ -1,4 +1,4 @@ -6b7b3eac4bcb0bf320973a2e5cf5078e ./zeus.py +2f22501746b4af13bc1d6f2dec5a013b ./zeus.py 4b32db388e8acda35570c734d27c950c ./etc/scripts/launch_sqlmap.sh 6ad5f22ec4a6f8324bfb1b01ab6d51ec ./etc/scripts/cleanup.sh 155c9482f690f1482f324a7ffd8b8098 ./etc/scripts/fix_pie.sh @@ -23,11 +23,12 @@ ca6935a72fd0527d15a78a17a35e56e8 ./bin/drivers/geckodriver-v0.19.0-linux64.tar. 07cd383c8aef8ea5ef194a506141afd6 ./bin/drivers/geckodriver-v0.19.0-linux32.tar.gz 6ea65a0160c21e144e92334acc2e3667 ./lib/firewall/anquanbao.py 34b946ab1f9aaac397ba77d5f8c132b1 ./lib/firewall/cloudflare.py -1b5a2a7161db77ba570a629d25cb4055 ./lib/firewall/modsecurity.py +1d65a5d7708a3b365f3a518ae7064304 ./lib/firewall/modsecurity.py 6b370050b40d8c1d2221424f756c7842 ./lib/firewall/paloalto.py 60973a0c2e34108dfb32c89ad46477b6 ./lib/firewall/sucuri.py ea6e622b8eaf83b4f717020b91530e71 ./lib/firewall/webseal.py 783973a4c6af58907f6dbfe1b274c59c ./lib/firewall/generic.py +c3f01fc8ff7dfe7759f63bf16b00f127 ./lib/firewall/wordfence.py 785c28da8b681a7e23964f99118b5aab ./lib/tamper_scripts/obfuscateordinal_encode.py 10bf1bc4ef0287d31633148fab557e8a ./lib/tamper_scripts/uppercase_encode.py 5b68de0ce3a783b870921b09b5222146 ./lib/tamper_scripts/hex_encode.py @@ -50,14 +51,14 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/__init__.py 7272a7fd0b0c2e9192bc4adb6154d2f0 ./lib/attacks/sqlmap_scan/__init__.py aa7268a8f085734a6c577c86440f7a1b ./lib/attacks/sqlmap_scan/sqlmap_opts.py d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/whois_lookup/__init__.py -d8fab18b15d1546f6585fe926c27868f ./lib/attacks/whois_lookup/whois.py +9b2bd4904ec2385eb38a3b6cd59dbc99 ./lib/attacks/whois_lookup/whois.py 3917cdce61918f3992fc682105367ce8 ./lib/attacks/admin_panel_finder/__init__.py b50e4b7fb9fdef374c00b7ab0ef913e9 ./lib/attacks/xss_scan/__init__.py 27358f26bda30d7356143c3ea1fa99c5 ./lib/attacks/nmap_scan/__init__.py 21faf4679cdeaa731029a48f8963d6e7 ./lib/attacks/nmap_scan/nmap_opts.py 1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py -7d0c06f6bcbc8a9e024e433a94426913 ./lib/core/settings.py +11b1a4ae775662b6f40a2d60fec9ffc2 ./lib/core/settings.py e25de81c51e5572d29e3e161dd35f41d ./lib/header_check/__init__.py d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py 2a7c4285914548b86593e6e000bdab32 ./var/google_search/search.py diff --git a/lib/firewall/modsecurity.py b/lib/firewall/modsecurity.py index b948a16..4126988 100644 --- a/lib/firewall/modsecurity.py +++ b/lib/firewall/modsecurity.py @@ -1,7 +1,7 @@ import re -__item__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)" +__item__ = "ModSecurity: Open Source Web Application Firewall" def detect(content, **kwargs): @@ -9,7 +9,8 @@ def detect(content, **kwargs): detection_schema = ( re.compile(r"ModSecurity|NYOB", re.I), re.compile(r"This error was generated by Mod_Security", re.I), - re.compile(r"Web Server at", re.I) + re.compile(r"Web Server at", re.I), + re.compile(r"page you are (accessing|trying)? (to|is)? (access)? (is|to)? (restricted)?", re.I) ) for detection in detection_schema: if detection.search(content) is not None: diff --git a/lib/firewall/wordfence.py b/lib/firewall/wordfence.py index e69de29..5931c88 100644 --- a/lib/firewall/wordfence.py +++ b/lib/firewall/wordfence.py @@ -0,0 +1,16 @@ +import re + + +__item__ = "Wordfence (Feedjit)" + + +def detect(content, **kwargs): + content = str(content) + detection_schema = ( + re.compile(r"Generated by Wordfence", re.I), + re.compile(r"Your access to this site has been limited", re.I), + re.compile(r"<.+>Wordfence<.+.>", re.I) + ) + for detection in detection_schema: + if detection.search(content) is not None: + return True