How is it possible that suricata and mod_security use different values to
evaluate insensitive expressions?
Within mod_security equivalent pcre for insensitive should be (as we can
see on rx directive): "@rx (?i)nikto"
while in suricata should be /nikto/i
So if both are using pcre software and libraries, how is it possible that
insensitive searches perform in a different way for each software?
If I want to parse a pcre to match a vulnerability, not exploit, should I
parse all the pcre into normal content and finally convert it again into
pcre for mod_security?
Which pcre does modsecurity use? Is there any manual reference?
Kind regards,
2014-01-29 Jose Pablo Valcárcel Lázaro <pab...@gm...>
> Good morning.
>
> I was wondering if someone could advise me how to convert a regular
> expression such as
>
> /<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si
>
> into mod_security compatible regular expression.
>
> Looking at the exploit <http://www.exploit-db.com/exploits/11172/>, the vulnerability
> string is
> <object id=TestObj classid="CLSID:{E2883E8F-472F-4fb0-9522-AC9BF37916A7}"
>
> So I understand that using the pcre you should be able to stop any
> variation of the exploit?
>
> Kind regards,
>
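As an added example (not part of the thread, and not ModSecurity or Suricata code), the following script makes the flag translation the thread talks about mechanical: a Suricata-style `/pattern/flags` pcre is rewritten into a delimiter-free pattern with the flags as a leading PCRE inline group, which is the form ModSecurity's `@rx` operator takes (`/nikto/i` becomes `@rx (?i)nikto`). The long `/.../si` signature and the `<object ... classid=...>` string are taken from the quoted message; the `SAMPLE_HIT` payload that appends `offer-declined` on a second line and the `SAMPLE_MISS` payload with a zeroed CLSID are constructed here to show why dropping the `s` and `i` flags loses the detection. Python's `re` module is used as a stand-in matching engine; it is not the PCRE library either tool links against, and only the PCRE option letters `i`, `s`, `m` and `x` are translated (any other Suricata modifier is rejected rather than silently passed through).

```python
import re

# PCRE option letters that have a direct inline-flag equivalent, "(?ism x)".
# Anything else after the closing slash is a Suricata modifier that is not a
# pattern option, so we refuse to translate it (assumption of this example).
_PCRE_OPTIONS = {"i", "s", "m", "x"}

# "/body/flags": body is any run of escaped chars or non-slash chars.
_SIG_RE = re.compile(r"^/(?P<body>(?:\\.|[^/\\])*)/(?P<flags>[A-Za-z]*)$", re.DOTALL)


def split_suricata_pcre(sig: str) -> tuple[str, str]:
    """Split a Suricata-style pcre literal into (body, flags)."""
    m = _SIG_RE.match(sig)
    if not m:
        raise ValueError(f"not a /pattern/flags pcre: {sig!r}")
    return m.group("body"), m.group("flags")


def to_inline(sig: str) -> str:
    """Return the body with trailing flags moved into a leading (?flags) group."""
    body, flags = split_suricata_pcre(sig)
    unknown = set(flags) - _PCRE_OPTIONS
    if unknown:
        raise ValueError(f"non-PCRE modifier(s) {sorted(unknown)} in {sig!r}")
    # Once the slashes are gone, an escaped delimiter is just a slash.
    body = body.replace("\\/", "/")
    return f"(?{flags}){body}" if flags else body


def to_modsecurity_rx(sig: str) -> str:
    """Render the translated pattern as a ModSecurity @rx operator argument."""
    return "@rx " + to_inline(sig)


def detects(sig: str, payload: str) -> bool:
    """True if the translated pattern matches the payload (Python re as engine)."""
    return re.search(to_inline(sig), payload) is not None


# Signature quoted in the thread (flags s and i after the closing slash).
SURICATA_PCRE = (
    r"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*"
    r"E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"
)

# Constructed payloads: the first extends the thread's object tag with the
# "offer-" suffix the signature requires, on a new line; the second has a
# different CLSID and must not match.
SAMPLE_HIT = (
    '<object id=TestObj classid="CLSID:{E2883E8F-472F-4fb0-9522-AC9BF37916A7}">\n'
    "... offer-declined"
)
SAMPLE_MISS = '<object id=TestObj classid="CLSID:{00000000-0000-0000-0000-000000000000}">'

if __name__ == "__main__":
    print(to_modsecurity_rx("/nikto/i"))        # @rx (?i)nikto
    print(to_modsecurity_rx(SURICATA_PCRE))     # @rx (?si)<OBJECT\s+...
    print(detects(SURICATA_PCRE, SAMPLE_HIT))   # True
    print(detects(SURICATA_PCRE, SAMPLE_MISS))  # False
    # Same body with only "i": "." no longer crosses the newline, so no match.
    print(detects(SURICATA_PCRE[:-2] + "i", SAMPLE_HIT))  # False
```

The translation is purely syntactic: both tools pass the same PCRE option letters to the regex engine, so `(?si)` at the start of a `@rx` pattern asks for the same case-insensitive, dot-matches-newline behaviour as `/si` on a Suricata pcre. Whether the two deployments then agree also depends on which buffer each rule inspects and on what each tool does to the request before matching, which the script does not model.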