zeek/scripts/policy/protocols/http/detect-webapps.sig
Seth Hall 597a4d6704 Hopefully the last major script reorganization.
- policy/ renamed to scripts/

- By default BROPATH now contains:
	- scripts/
	- scripts/policy
	- scripts/site

- *Nearly* all tests pass.

- All of scripts/base/ is loaded by main.cc
	- Can be disabled by setting $BRO_NO_BASE_SCRIPTS
	- Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script).

- The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building.

- The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead.

- All "detection" activity happens through scripts in scripts/policy/.

- Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1)
	- This is so the communications framework can be loaded as part
	  of the base without causing trouble when it's not needed.
	- This will be removed once a resolution to ticket #540 is reached.
2011-08-05 23:09:53 -04:00


# Passive fingerprint for WordPress, evaluated against HTTP reply bodies.
# Matches either a stylesheet <link> tag whose text contains "wp-content", or
# a generator <meta> tag naming WordPress followed by at least one character
# that is not a double quote.
# Both markers are page content the server chooses to send: a hardened site
# that strips the generator tag is missed, and a page that quotes this markup
# is reported. Treat a hit as an inventory hint, not proof of the software.
signature webapp-wordpress {
# The leading ".*" allows arbitrary content before the marker.
http-reply-body /.*(<link rel=(\"|')stylesheet(\"|') [^>]+wp-content|<meta name=(\"|')generator(\"|') [^>]+WordPress[^\"]+)/
# Message string delivered with the match.
event "WordPress"
}
# Passive fingerprint for XOOPS, evaluated against HTTP reply bodies.
# The only marker is a generator <meta> tag whose text contains "XOOPS", so a
# site that removes or rewrites that tag is not detected.
signature webapp-xoops {
# "[^>]+" keeps the match inside the same tag as name="generator".
http-reply-body /.*<meta name=(\"|')generator(\"|') [^>]+XOOPS/
# Message string delivered with the match (note the mixed-case spelling).
event "Xoops"
}
# Passive fingerprint for phpMyAdmin, evaluated against HTTP reply bodies.
# Any one of three markers is enough: the JavaScript assignment
# "var pma_absolute_uri = '", a call to "PMA_sendHeaderLocation(", or the exact
# page title "<title>phpMyAdmin</title>".
# A hit means a database administration interface answered over HTTP that the
# sensor could read, which is usually worth checking against the asset
# inventory and the expected exposure of that host.
signature webapp-phpmyadmin {
http-reply-body /.*(var pma_absolute_uri = '|PMA_sendHeaderLocation\(|<title>phpMyAdmin<\/title>)/
# Message string delivered with the match.
event "phpMyAdmin"
}
# Passive fingerprint for phpPgAdmin, evaluated against HTTP reply bodies.
# Matches the exact page title "<title>phpPgAdmin</title>" or a <span> with
# class "appname" whose text starts with "phpPgAdmin".
# As with any database administration front end, a hit is a prompt to confirm
# the interface is meant to be reachable from where the traffic was seen.
signature webapp-phppgadmin {
http-reply-body /.*(<title>phpPgAdmin<\/title>|<span class=(\"|')appname(\"|')>phpPgAdmin)/
# Message string delivered with the match.
event "phpPgAdmin"
}
# Passive fingerprint for phpBB, evaluated against HTTP reply bodies.
# Matches the footer text "Powered by phpBB", with an optional opening
# <a href=...> fragment between "Powered by " and "phpBB", or a copyright
# <meta> tag whose text contains "phpBB Group".
# The footer text is ordinary page content, so a forum post or article that
# contains the phrase is reported as well.
signature webapp-phpbb {
http-reply-body /.*(Powered by (<a href=(\"|')[^>]+)?phpBB|<meta name=(\"|')copyright(\"|') [^>]+phpBB Group)/
# Message string delivered with the match.
event "phpBB"
}
# Passive fingerprint for Joomla, using a reply-body and a reply-header
# condition.
# Body markers: a generator <meta> tag whose text contains "Joomla", or the
# HTML comment opening `<!-- JoomlaWorks "K2"`.
# Header marker: "X-Content-Encoded-By: Joomla".
# NOTE(review): conditions inside one signature are combined, so this fires
# only when the body marker and the header are both present in a reply. A site
# that sends just one of them is not reported - confirm that is intended, or
# split the header check into its own signature.
signature webapp-joomla {
http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+Joomla|<!\-\- JoomlaWorks \"K2\")/
# No leading ".*" here, unlike the body pattern.
http-reply-header /X-Content-Encoded-By: Joomla/
# Message string delivered with the match.
event "Joomla"
}
# Detects pages that reference Google Analytics, evaluated against HTTP reply
# bodies.
# Matches ".google-analytics.com/ga.js" anywhere in the body, or a <script src>
# tag pointing at google-analytics.com/urchin.js.
# Unlike the other webapp-* signatures this identifies a third-party script the
# page pulls in, not software running on the responding server.
signature webapp-google-analytics {
# In the second alternative "[^\"]+" excludes only double quotes, although the
# surrounding quote may be either kind.
http-reply-body /.*(\.google\-analytics\.com\/ga\.js|<script src=(\"|')[^\"]+google\-analytics\.com\/urchin\.js(\"|'))/
# Message string delivered with the match.
event "Google Analytics"
}
# Passive fingerprint for cPanel, evaluated against HTTP reply bodies.
# The only marker is an HTML comment that begins "<!-- cPanel".
# That is a short, generic string: any page carrying such a comment matches,
# so corroborate a hit (port, URL, other indicators) before acting on it.
signature webapp-cpanel {
http-reply-body /.*<!-- cPanel/
# Message string delivered with the match.
event "cPanel"
}
# Passive fingerprint for MediaWiki, evaluated against HTTP reply bodies.
# Matches a generator <meta> tag whose text contains "MediaWiki", or an <a>
# element whose link text is exactly "Powered by MediaWiki".
signature webapp-mediawiki {
# "[^>]+" keeps each match inside a single tag.
http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+MediaWiki|<a[^>]+>Powered by MediaWiki<\/a>)/
# Message string delivered with the match.
event "MediaWiki"
}
# Passive fingerprint for Moodle, evaluated against HTTP reply bodies.
# Matches the JavaScript text "var moodleConfigFn = function(me)" or an <img>
# tag whose text contains "moodlelogo".
# Both markers depend on the page templates in use; a customised theme may
# carry neither.
signature webapp-moodle {
http-reply-body /.*(var moodleConfigFn = function\(me\)|<img[^>]+moodlelogo)/
# Message string delivered with the match.
event "Moodle"
}
# Passive fingerprint for osCommerce, evaluated against HTTP reply bodies.
# The only marker is the literal HTML comment "<!-- header_eof //-->".
# NOTE(review): the comment text does not name the product, so the link to
# osCommerce rests on that template comment being specific to it - confirm
# against current false-positive experience before alerting on this alone.
signature webapp-oscommerce {
http-reply-body /.*<!-- header_eof \/\/-->/
# Message string delivered with the match.
event "osCommerce"
}
# Passive fingerprint for Plesk, evaluated against HTTP reply bodies.
# Matches a <script> tag whose src attribute contains "common.js?plesk".
# A hit indicates a hosting control panel page was served over HTTP the sensor
# could read; check that the panel is expected to be reachable on that path.
signature webapp-plesk {
# "[^>]*" on both sides keeps the match within the one <script> tag.
http-reply-body /.*<script[^>]* src=(\"|')[^>]*common\.js\?plesk/
# Message string delivered with the match.
event "Plesk"
}
# Passive fingerprint for Plone, evaluated against HTTP reply bodies.
# The only marker is a generator <meta> tag whose text contains "Plone", so a
# site that removes or rewrites that tag is not detected.
signature webapp-plone {
# "[^>]+" keeps the match inside the same tag as name="generator".
http-reply-body /.*<meta name=(\"|')generator(\"|') [^>]+Plone/
# Message string delivered with the match.
event "Plone"
}
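# Passive fingerprint for Redmine, evaluated against HTTP reply bodies.
# Matches a description <meta> tag whose value is "Redmine", or a
# "Powered by" link whose tag text contains "Redmine".
# The " content=" attribute name in the first alternative is an optional
# group. Without it the pattern required name="description" to be followed
# directly by Redmine", which is not how a meta tag carries its value, so a
# well-formed tag never matched. Keeping the group optional preserves every
# string the earlier pattern accepted.
signature webapp-redmine {
http-reply-body /.*(<meta name=(\"|')description(\"|')( content=(\"|'))?Redmine(\"|')|Powered by <a href=(\"|')[^>]+Redmine)/
# Message string delivered with the match.
event "Redmine"
}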
# Passive fingerprint for Trac, evaluated against HTTP reply bodies.
# The only marker is an <a> tag whose id attribute starts with "tracpowered".
# The closing quote is not part of the pattern, so longer id values that begin
# with that text also match.
signature webapp-trac {
http-reply-body /.*(<a id=(\"|')tracpowered)/
# Message string delivered with the match.
event "Trac"
}
# Passive fingerprint for TYPO3, evaluated against HTTP reply bodies.
# Matches a generator <meta> tag whose text contains "TYPO3", or a <script src>
# or <link href> whose value contains "fileadmin".
# The second marker is only a path component: any site that serves assets from
# a directory named "fileadmin" is reported, so it is the weaker of the two
# indicators.
signature webapp-typo3 {
http-reply-body /.*(<meta name=(\"|')generator(\"|') [^>]+TYPO3|<(script[^>]* src|link[^>]* href)=[^>]*fileadmin)/
# Message string delivered with the match (note the mixed-case spelling).
event "Typo3"
}
# Passive fingerprint for Drupal, evaluated against HTTP reply bodies.
# Any one of five markers is enough:
#   - a <script> tag whose text contains "drupal.js"
#   - the JavaScript text "jQuery.extend(Drupal.settings, {"
#   - the JavaScript text "Drupal.extend({ settings: {"
#   - a <link> tag referencing sites/default/themes/ or sites/all/themes/
#   - a <style> tag referencing sites/(default|all)/(themes|modules)/
# The path-based markers reflect a directory layout, not a product string, so
# they can match other software that reuses the same paths.
signature webapp-drupal {
http-reply-body /.*(<script [^>]+drupal\.js|jQuery\.extend\(Drupal\.settings, \{|Drupal\.extend\(\{ settings: \{|<link[^>]+sites\/(default|all)\/themes\/|<style[^>]+sites\/(default|all)\/(themes|modules)\/)/
# Message string delivered with the match.
event "Drupal"
}