############################################################################
#the definition of arirang 1.77 scan rule
#by pilot
#http://www.monkey.org/~pilot
#
#
#If you write a new scan rule, please e-mail it to pilot@monkey.org
#############################################################################

###############################################################################
#                  <space>         <space>             <space>
#Type   : (recv flags) Response_Data-> HTTP_Request_Method :URI^explain;information;
#Type   :        (NOT) Response_Data-> HTTP_Request_Method :URI^explain;information;
#comment #
#
# recv flags are OOB, PEEK and ALL.
# OOB is MSG_OOB (process out-of-band data)
# PEEK is MSG_PEEK (peek at incoming message)
# ALL is MSG_WAITALL (wait for full request or error)
#
# NOT negates the match: the rule applies when the response does not
# match Response_Data (see nottest.uxe).
#
# Response_Data can be an HTTP_Status_Code or text from the response contents.
#
# Response_Data maximum size is 50 bytes.
# HTTP_Request_Method maximum size is 50 bytes.
# URI maximum size is 2500 bytes.
# explain maximum size is 100 bytes.
# information maximum size is 400 bytes.
# Keep every field within its limit; what the parser does with a longer
# field is not described here.
#
# 
#############################################################################

#
#HTTP_Status_Code (HTTP 1.0)
#                       "200"   ; OK
#                     | "201"   ; Created
#                     | "202"   ; Accepted
#                     | "204"   ; No Content
#                     | "301"   ; Moved Permanently
#                     | "302"   ; Moved Temporarily
#                     | "304"   ; Not Modified
#                     | "400"   ; Bad Request
#                     | "401"   ; Unauthorized
#                     | "403"   ; Forbidden
#                     | "404"   ; Not Found
#                     | "500"   ; Internal Server Error
#                     | "501"   ; Not Implemented
#                     | "502"   ; Bad Gateway
#                     | "503"   ; Service Unavailable
#                     | extension-code                 
#notice 200 -> 200 OK  

#
#HTTP_Request_Methods (HTTP 1.0)
#      Method         =  "GET"                    
#                      | "HEAD"                   
#                      | "POST"                   
#                     


#
# HTTP 1.1 Request_Methods
#     OPTIONS 
#     GET 
#     HEAD
#     POST
#     PUT 
#     DELETE
#     TRACE 
   
# HTTP 1.1 Status code
#          Status-Code    = "100"   ; Continue
#                         | "101"   ; Switching Protocols
#                         | "200"   ; OK
#                         | "201"   ; Created
#                         | "202"   ; Accepted
#                         | "203"   ; Non-Authoritative Information
#                         | "204"   ; No Content
#                         | "205"   ; Reset Content
#                         | "206"   ; Partial Content
#                         | "300"   ; Multiple Choices
#                         | "301"   ; Moved Permanently
#                         | "302"   ; Moved Temporarily

#                         | "303"   ; See Other
#                         | "304"   ; Not Modified
#                         | "305"   ; Use Proxy
#                         | "400"   ; Bad Request
#                         | "401"   ; Unauthorized
#                         | "402"   ; Payment Required
#                         | "403"   ; Forbidden
#                         | "404"   ; Not Found
#                         | "405"   ; Method Not Allowed
#                         | "406"   ; Not Acceptable
#                         | "407"   ; Proxy Authentication Required
#                         | "408"   ; Request Time-out
#                         | "409"   ; Conflict
#                         | "410"   ; Gone
#                         | "411"   ; Length Required
#                         | "412"   ; Precondition Failed
#                         | "413"   ; Request Entity Too Large
#                         | "414"   ; Request-URI Too Large
#                         | "415"   ; Unsupported Media Type
#                         | "500"   ; Internal Server Error
#                         | "501"   ; Not Implemented
#                         | "502"   ; Bad Gateway
#                         | "503"   ; Service Unavailable
#                         | "504"   ; Gateway Time-out
#                         | "505"   ; HTTP Version not supported
#                         | extension-code


#also IIS Request Methods
#Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
#Allow: OPTIONS, TRACE, GET, HEAD, LOCK, UNLOCK


#Examples
#The next three rules start with '#', so they are comments, not rules.
#200 OK-> GET :/cgi-bin/Count.cgi^Count.cgi test;;
#403-> HEAD :/cgi-bin/   ^cgi-bin directory test;;
#404-> HEAD :/nofile              ^nofile doesn't exist;;
#
#The rules from here on have no leading '#': they are active rules.
#A hit only means the response matched Response_Data. Servers that
#answer 200 for missing pages will produce false hits - confirm each one.
#
#Expects 401 for HEAD /private/ (an authentication prompt on that path).
#NOTE(review): the blanks before '^' are kept as written; whether the
#parser trims them from the URI is not shown here.
401-> HEAD :/private/      ^Apache Authorize test;delete this file;
#The URI is fully percent-encoded and decodes to /cgi-bin/test-cgi
#(the explain text says test.cgi). A 200 shows the server decodes the
#path before lookup, so filters on the literal path alone would miss it.
200 OK-> GET :/%63%67%69%2d%62%69%6e/%74%65%73%74%2d%63%67%69 ^/cgi-bin/test.cgi url-encoding;see uri;
#Expects 500 for a path made of a long run of 'a'. A 500 only shows the
#server failed on the request; the cause still has to be checked.
500-> GET :/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/^buffer overflow test;cool bof;
#Matches the text "web printer" in the reply to GET /NULL.printer.
#Presumably a hit means the IIS 5 .printer mapping is still enabled;
#removing unused script mappings is the usual hardening step.
web printer-> GET :/NULL.printer^iis 5 .printer mapping test;;
#The man parameter carries ';'-separated commands and the rule matches
#the text "nobody" in the reply - presumably the account name printed
#by id. ';' is also this format's field separator, so the rule relies
#on the parser splitting at '^' first - TODO confirm.
nobody-> GET :/cgi-bin/man.cgi?man=ls;id;pwd;^remote execute man.cgi;;

#Example HTTP request injection.
#The URI field carries its own " HTTP/1.x" version and \r\n\r\n, so the
#request line and the header block end inside the URI field.
#Presumably the scanner expands \r and \n here and whatever it appends
#after the URI arrives as trailing data - TODO confirm in the parser.
#The two rules differ only in the HTTP version (1.0 and 1.1).
200 OK-> GET :/cgi-bin/test.cgi HTTP/1.0\r\n\r\n^injection test1;;
200 OK-> GET :/cgi-bin/test.cgi HTTP/1.1\r\n\r\n^injection test2;;

#Example information field (the \n and \t escapes are supported)
#Both rules expect 200 OK for GET /cgi-bin/test.cgi; they differ only
#in the information text: the first holds \t, the second holds \n.
200 OK-> GET :/cgi-bin/test.cgi^test.cgi;test\t tab test;
200 OK-> GET :/cgi-bin/test.cgi^test.cgi;test\n new line test;

#Example recv flags (also see codered.uxe)
#ALL selects MSG_WAITALL: wait for the full response or an error.
#The rule matches the text "IDQ" in the reply to GET /a.ida.
#NOTE(review): the explain text reads as "not vulnerable"; confirm
#against codered.uxe what a match on "IDQ" actually indicates.
ALL IDQ-> GET :/a.ida^already admin deleted .ida files. server haven't .ida buffer overflow;;

#Example NOT keyword - see nottest.uxe
#NOT inverts the match: presumably the rule fires when the reply to
#GET / does not contain 404 - TODO confirm against nottest.uxe.
NOT 404-> GET :/^HTTP GET Request NOT 404;;

########################################################################
