-
Notifications
You must be signed in to change notification settings - Fork 50
/
Copy pathsnuffleupagus-misp.rules
49 lines (38 loc) · 2.43 KB
/
snuffleupagus-misp.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Rules tailored for MISP
# Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic
# Disable old PHP version warning
sp.global.show_old_php_warning.disable();
# Prevent the execution of writeable PHP files.
sp.readonly_exec.no_extended_checks().enable();
# Disabling the loading of external entities in the XML parser.
sp.xxe_protection.enable();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").drop();
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();
# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
# File upload
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
# Ensure that file:// protocol is not allowed in CURL
sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
# Command executions
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("proc_open").filename("/var/www/MISP/app/Lib/Tools/ProcessTool.php").allow();
sp.disable_function.function("proc_open").filename("/var/www/MISP/app/Lib/Tools/BackgroundJobs/BackgroundJob.php").allow();
sp.disable_function.function("proc_open").filename("/var/www/MISP/app/Vendor/pear/crypt_gpg/Crypt/GPG/Engine.php").allow();
sp.disable_function.function("proc_open").drop();
sp.disable_function.function("exec").drop();
sp.disable_function.function("system").drop();
sp.disable_function.function("passthru").drop();
sp.disable_function.function("shell_exec").drop();
sp.disable_function.function("popen").drop();
sp.disable_function.function("pcntl_exec").drop();
# PHP execution
sp.disable_function.function("eval").drop();