/usr/share/skipfish/signatures/files.sigs is in skipfish 2.10b-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | ####################################
# INTERESTING PAGES / FILES
# Detect private keys
id:31001; sev:2; memo:"DSA private key"; \
mime:"text/plain"; \
content:"-----BEGIN DSA PRIVATE KEY-----"; depth:100;
id:31002; sev:2; memo:"RSA private key"; \
mime:"text/plain"; \
content:"-----BEGIN RSA PRIVATE KEY-----"; depth:100;
# SQL credentials
id:31003; sev:3; memo:"SQL configuration or logs"; \
content:'ADDRESS=(PROTOCOL=';
id:31004; sev:3; memo:"ODBC connect string"; \
content:";pwd="; \
content:";database="; depth:512;
id:31005; sev:3; memo:"ODBC connect string"; \
content:"Data Source="; \
content:";Password="; depth:512;
id:31006; sev:3; memo:"ODBC connect string"; \
content:"Provider="; \
content:";Password="; depth:512;
id:31007; sev:3; memo:"ODBC connect string"; \
content:"Driver="; \
content:";Pwd="; depth:512;
# Crossdomain & access policy files
id:31008; sev:2; memo:"Flash cross-domain policy with wildcard"; \
content:"<cross-domain-policy>"; depth:512; \
content:'<allow-access-from domain="*"'; depth:50;
id:31009; sev:4; memo:"Silverlight cross-domain policy with wildcard"; \
content:"<access-policy>"; depth:512; \
content:'<domain uri="*"/>'; depth:512;
# Web.xml config file
id:31010; sev:3; memo:"web.xml config file"; \
content:"<web-app"; depth:512;
# SVN RCS data
id:31011; sev:3; memo:"SVN RCS data"; \
mime:"text/plain"; \
content:"svn:special svn"; depth:256;
id:31012; sev:3; memo:"SVN RCS data"; \
mime:"text/plain"; \
content:"SVN RCS data"; depth:256;
id:31018; sev:3; memo:"SVN entries file"; \
mime:"text/plain"; \
content:"10"; depth:1; \
content:"dir"; depth:4;
# Log files
id:31013; sev:3; memo:"Apache access log"; \
content:"0] \"GET /"; depth:1024;
id:31014; sev:3; memo:"Apache error log"; \
content:"[error] [client "; depth:1024;
id:31015; sev:3; memo:"Microsoft IIS access log"; \
content:"0, GET, /"; depth:1024;
# Generic robots.txt file
id:31016; sev:4; memo:"robots.txt file"; \
content:"User-agent:"; depth:100; \
content:"Disallow: /";
# Libcurl cookie files are created by some PHP apps (e.g. wordpress plugins)
id:31017; sev:3; memo:"libcurl cookie jar"; \
mime:"text/plain"; \
content:"# Netscape HTTP Cookie File"; depth:10; \
content:"# This file was generated by libcurl"; depth:200;
# Signatures to detect SQL dumps
id:31101; sev:2; memo:"MySQL dump database file"; \
mime:"text/plain"; \
content:"-- MySQL dump"; depth:1; \
content:"-- Host"; depth:256; \
content:"-- Server version";
id:31103; sev:2; memo:"phpMyAdmin database dump file"; \
mime:"text/plain"; \
content:" phpMyAdmin SQL Dump"; depth:3; \
content:" version"; \
content:"CREATE TABLE";
id:31104; sev:2; memo:"SQL script detected"; \
mime:"text/plain"; \
content:"DECLARE @"; \
content:"SET @"; \
content:"(SELECT|INSERT|DELETE|BACKUP|CREATE)"; type:"regex"; depth:1024;
# Source code and scripts
id:32001; sev:3; memo:"Java source"; \
content:"\nimport java."; depth:512;
id:32002; sev:3; memo:"C/C++ source"; \
content:"\n#include"; depth:512;
id:32003; sev:3; memo:"Shell script"; \
content:"#!/"; depth:1;
id:32004; sev:3; memo:"PHP source"; \
content:!"# ?>"; \
content:!"<?import"; \
content:"<?"; \
content:!"xml"; depth:1; \
content:"?>";
id:32005; sev:3; memo:"JSP source"; \
content:"<%@"; \
content:"%>";
id:32006; sev:3; memo:"ASP source"; \
content:"<%"; \
content:"%>";
# These two need to be improved!
id:32007; sev:3; memo:"DOS batch script"; \
content:"@echo "; depth:256;
id:32008; sev:3; memo:"Windows shell script"; \
content:"(\"Wscript."; depth:256;
|