{"id":24,"date":"2011-09-11T23:11:00","date_gmt":"2011-09-11T23:11:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=24"},"modified":"2020-06-29T23:12:52","modified_gmt":"2020-06-29T23:12:52","slug":"detecting-outdated-web-applications-with-ossec","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2011\/09\/detecting-outdated-web-applications-with-ossec\/","title":{"rendered":"Detecting outdated (web) applications with OSSEC"},"content":{"rendered":"\n<p>For the last few days I started working (again) on the system auditing module for OSSEC, and one thing that can make it more useful is to detect outdated applications (especially web apps).<\/p>\n\n\n\n<p>Things like WordPress, Joomla, wikis and others can easily be used to compromise a server if not upgraded.<\/p>\n\n\n\n<p>To get started, I added a few rules for WordPress, Joomla and osCommerce, so if you try the latest <a href=\"https:\/\/bitbucket.org\/dcid\/ossec-hids\">snapshot<\/a> it will alert you if it finds any of them not updated:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>* Alert 1316458742.1014: mail - ossec,rootcheck,\n2011 Sep 19 15:59:02 testdev->rootcheck\nRule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'\nSystem Audit: Web vulnerability - Outdated WordPress installation. File: \/var\/www\/mysite.com\/wp-includes\/version.php.<\/code><\/pre>\n\n\n\n<p>But I really think we can expand it a lot more. What web applications and tools should we check? What other things can we look for on the server that are important to be alerted on? 
I would love more ideas to expand it further.<\/p>\n\n\n\n<p>Examples of the system auditing rules:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Web vulnerability - Outdated WordPress installation] &#91;any] &#91;]\nd:$web_dirs -> ^version.php$ -> r:^\\.wp_version &amp;&amp; >:$wp_version = '3.2.1';\n\n&#91;Web vulnerability - Outdated Joomla (v1.0) installation] &#91;any] &#91;]\nd:$web_dirs -> ^version.php$ -> r:var \\.RELEASE &amp;&amp; r:'1.0';<\/code><\/pre>\n\n\n\n<p>I am thinking of things like phpMyAdmin, TimThumb, Uploadify and other tools that are easy to forget to update and had serious security vulnerabilities in the recent past.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the last few days I started working (again) on the system auditing module for OSSEC, and one thing that can make it more useful is to detect outdated applications (especially web apps). Things like WordPress, Joomla, wikis and others can easily be used to compromise a server if not upgraded. 
To get started, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/24"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":25,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/24\/revisions\/25"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}