Hub WAF rule

More info

generic-wordpress-uploads-php WAF Rule

« WordPress Uploads - PHP Execution »
v0.2 by crowdsecurity
WAF rule

Detect php execution in wordpress uploads directory

Installation

cscli appsec-rules install crowdsecurity/generic-wordpress-uploads-php

YAML Configuration

1name: crowdsecurity/generic-wordpress-uploads-php
2description: "Detect php execution in wordpress uploads directory"
3rules:
4  - and:
5    - zones: 
6      - URI
7      transform:
8      - lowercase
9      - urldecode
10      match:
11        type: regex
12        value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'
13
14labels:
15   type: exploit
16   service: http
17   confidence: 2
18   spoofable: 0
19   behavior: "http:exploit"
20   label: "WordPress Uploads - PHP Execution"
21   classification:
22     - attack.T1595
23     - attack.T1190

Hub WAF rule

« WordPress Uploads - PHP Execution »v0.2 by crowdsecurityWAF rule

« WordPress Uploads - PHP Execution »
v0.2 by crowdsecurity
WAF rule