Create rfi.json

2025-12-23 22:27:46 -05:00 · 2025-01-13 12:53:01 +01:00
parent 18a6fba48f
commit e9c61cf6fc
1 changed files with 175 additions and 0 deletions
--- a/rules/rfi.json
+++ b/rules/rfi.json
@@ -0,0 +1,175 @@
+[
+  {
+        "id": "rfi-http-url",
+        "phase": 2,
+        "pattern": "(?i)https?:\\/\\/[^\\s]+",
+        "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "HIGH",
+        "action": "block",
+        "score": 8,
+        "description": "Block direct use of HTTP or HTTPS URLs for inclusion."
+    },
+    {
+        "id": "rfi-ftp-url",
+        "phase": 2,
+        "pattern": "(?i)ftp:\\/\\/[^\\s]+",
+       "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "HIGH",
+        "action": "block",
+        "score": 7,
+        "description":"Block FTP URLs for RFI"
+    },
+    {
+        "id": "rfi-smb-url",
+        "phase": 2,
+       "pattern": "(?i)\\\\\\\\[^\\s]+",
+      "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "MEDIUM",
+        "action": "log",
+        "score": 5,
+        "description": "Log attempts to include files via SMB paths."
+    },
+   {
+      "id":"rfi-phar-stream",
+      "phase":2,
+      "pattern":"(?i)phar:\\/\\/[^\\s]+",
+      "targets": ["URI", "ARGS", "HEADERS"],
+      "severity": "HIGH",
+      "action":"block",
+      "score": 8,
+      "description":"Block attempts to use phar stream wrapper"
+  },
+   {
+        "id": "rfi-data-uri",
+        "phase": 2,
+        "pattern": "(?i)data:\\/\\/(?:text|plain|application)\\/.*?base64,.*",
+        "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "HIGH",
+        "action": "block",
+        "score": 7,
+       "description": "Block data URIs as potential RFI."
+    },
+  {
+        "id":"rfi-expect-stream",
+        "phase":2,
+        "pattern":"(?i)expect:\\/\\/[^\\s]+",
+         "targets": ["URI", "ARGS", "HEADERS"],
+         "severity":"HIGH",
+         "action":"block",
+         "score": 8,
+         "description":"Block attempts to use expect stream wrapper"
+ },
+  {
+        "id": "rfi-file-url",
+        "phase": 2,
+         "pattern": "(?i)file:\\/\\/[^\\s]+",
+        "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "MEDIUM",
+         "action": "log",
+         "score": 5,
+         "description": "Log attempts to include local file URIs (can be used for local RFI)"
+    },
+   {
+       "id":"rfi-php-input-stream",
+       "phase": 2,
+        "pattern":"(?i)php:\\/\\/input",
+        "targets": ["URI","ARGS", "HEADERS"],
+       "severity":"HIGH",
+       "action":"block",
+        "score": 8,
+        "description":"Block attempts to use PHP input stream"
+   },
+    {
+        "id":"rfi-php-filter-stream",
+        "phase": 2,
+       "pattern":"(?i)php:\\/\\/filter\\/.*",
+        "targets": ["URI", "ARGS", "HEADERS"],
+        "severity": "HIGH",
+        "action": "block",
+       "score": 8,
+         "description": "Block use of PHP filter stream"
+     },
+  {
+       "id":"rfi-compressed-files",
+      "phase": 2,
+      "pattern": "(?i)(?:\\w+\\.zip|\\w+\\.tar\\.gz|\\w+\\.tgz|\\w+\\.rar|\\w+\\.7z|\\w+\\.bz2)",
+       "targets": ["URI", "ARGS", "HEADERS"],
+       "severity":"MEDIUM",
+       "action": "log",
+       "score": 4,
+       "description": "Log inclusion of compressed files from remote locations (can contain malicious code)"
+  },
+ {
+        "id":"rfi-javascript-include",
+         "phase":2,
+         "pattern": "(?i)(?:src\\s*=\\s*['\"]\\s*https?:\\/\\/[^'\"]+\\.js\\s*['\"])",
+         "targets": ["BODY","HEADERS"],
+        "severity":"MEDIUM",
+         "action": "log",
+        "score": 4,
+        "description": "Log inclusion of external Javascript files"
+
+ },
+{
+    "id": "rfi-javascript-import",
+    "phase": 2,
+      "pattern": "(?i)(?:import\\s*\\(*['\"]https?:\\/\\/[^'\"]+\\.js['\"]\\)*)",
+        "targets": ["BODY", "HEADERS"],
+      "severity": "MEDIUM",
+      "action": "log",
+      "score": 4,
+       "description":"Log import of external JavaScript files"
+
+},
+{
+     "id":"rfi-remote-code-inclusion",
+      "phase": 2,
+      "pattern":"(?i)(?:include|require|require_once|include_once|get_file_contents)\\s*\\(\\s*(?:https?:|ftp:|smb:|\\\\\\\\)[^\\)]*\\)",
+    "targets": ["ARGS", "BODY", "HEADERS"],
+    "severity":"HIGH",
+    "action":"block",
+     "score": 8,
+      "description":"Block attempts to remotely include files in interpreted languages"
+},
+  {
+    "id":"rfi-open-basedir-bypass",
+     "phase":2,
+    "pattern":"(?i)(?:file:\/\/|\.\.\\/){5,}",
+    "targets": ["URI","ARGS", "HEADERS"],
+    "severity":"MEDIUM",
+    "action":"log",
+     "score": 5,
+      "description":"Log attempts to bypass php open_basedir restrictions"
+  },
+{
+  "id": "rfi-encoded-remote-urls",
+  "phase": 2,
+   "pattern": "(?i)(?:%68%74%74%70|%66%74%70)(?:%3a|%253a)(?:%2f|%252f)(?:%2f|%252f)",
+    "targets": ["URI", "ARGS", "HEADERS"],
+     "severity": "MEDIUM",
+     "action": "log",
+     "score": 5,
+     "description": "Log use of encoded HTTP/FTP URLs."
+},
+ {
+        "id":"rfi-url-protocol-bypass",
+      "phase": 2,
+        "pattern":"(?i)(?:h\\/\\/|f\\/\\/)",
+      "targets": ["URI","ARGS","HEADERS"],
+      "severity":"MEDIUM",
+     "action":"log",
+     "score": 4,
+       "description":"Log attempts to bypass URL protocols filtering"
+
+  },
+   {
+    "id": "rfi-url-encoded-dots",
+    "phase": 2,
+    "pattern": "(?i)(?:%2e){3,}",
+    "targets": ["URI", "ARGS", "HEADERS"],
+       "severity":"MEDIUM",
+    "action":"log",
+      "score": 4,
+     "description": "Log attempts to use encoded dot path traversals in URL"
+}
+]