Re: [mod-security-users] Question about attack types
From: Ryan B. <RBa...@tr...> - 2014-03-12 13:02:21
FYI – both the @pm and @pmFromFile operators support Snort/Suricata hex content:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-pm
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-pmFromFile

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jose Pablo Valcárcel Lázaro <pab...@gm...>
Reply-To: mod...@li...
Date: Wednesday, March 12, 2014 8:38 AM
To: mod...@li...
Subject: Re: [mod-security-users] Question about attack types

So I guess mod_security should be able to detect a line feed character which has been included in a request with a transformation function? Thanks for your reference.

Kind regards,

2014-03-12 9:36 GMT+01:00 Josh Amishav-Zlatin <jo...@wa...>:

On Tue, Mar 11, 2014 at 04:46:11PM +0100, Jose Pablo Valcárcel Lázaro wrote:
> patterns. Some Suricata rules have hexadecimal content in the field.
>
> Some of them I'm able to parse as ASCII, but some hexadecimal values are
> ASCII non-printable characters. My question is, should I care or should I
> ignore those non-printable hexadecimal values?

Hi Jose,

The ModSecurity way would be to use transformations:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Transformation_functions

--
- Josh

> A list of conversions could be:
>
> Content:                          After conversion:
> "|2e 2e 2f|"                      ../
> "|2e/2e/2f|"                      ../
> "|2e\2e\2f|"                      ../
> "|2e|2e|2f|"                      ../
> "|2e|2e|2f|root"                  ../root
> "|2e|2e|2f|root.php"              ../root.php
> "|2e|2e|root|2f|"                 ..root/
> "|2e 2e 2f|"                      ../
> "|2e 2e 2fe|"                     ../e
> "|2e|2f|sogou"                    ./sogou
> "2e2f sogou"                      ./sogou
> "|2E|2F|sogou"                    ./sogou
> "|00 00 00 04|ftp|3a|//"          ftp://
> "2A02"                            *
> "|2A02|"                          *
> "/etc/prueba/inetd\.conf"         /etc/prueba/inetd.conf
> "|esto es una prueba|"            esto es una prueba
> "http|3a|2f|2f"                   http://
> "3a|2f|2f|http"                   ://http
> "http 3a 2f 2f"                   http://
> "esto es una prueba"              esto es una prueba
> "http 3a 2f 2f"                   http://
> "http|3a|2f|2f"                   http://
> "Burp proxy error|3A 20|"         Burp proxy error:
> "%72%65%70%6c%61%63%65%28"        replace(
> "Burp proxy error|3A 20|"         Burp proxy error:
>
> My problem is with some hex patterns which have values between 00 and 1F.
> These values are non-printable ASCII, so if I try to convert I will get
> strange outputs, and if I ignore them I will handle the content field as a
> string and the same will happen for extended ASCII codes. I have seen
> Suricata content fields as follows: "/%E0%B4%8C%E1%82%AB"
>
> If I decide to parse the hexadecimal values as ASCII I will get this
> response: à´á«
>
> Should I convert non-printable and extended ASCII characters from
> hexadecimal?
>
> I have also seen several directives which match mod_security rules, so I
> was thinking to read each content field with the http directive, create a
> mod_security rule, and chain it with the following directives until I
> finally finish reading that Suricata rule.
>
> I have tried to develop a mod_security rule with a random high id, and when
> I restart Apache I get an id duplicate error. Do you know why this is
> happening?
>
> Kind regards

--
Josh Amishav-Zlatin
CTO | Wafsec
The WAF is free, your time isn't