Re: [mod-security-users] Problem with snort rules
From: Ivan R. <iv...@we...> - 2004-02-04 20:28:47
Danny Shurett wrote:

> I am working on getting my filters configured for a number of webservers. I
> used a few filters I found in the snort filters that were converted.
> However, upon further investigation, it didn't yield what I was looking for.
> Here is the one I think should be tripped:
>
> # WEB-ATTACKS wget command attempt
> SecFilter "wget\x20"

It seems that the filter works fine in Apache 2, but not in Apache 1. The problem is with the escaping syntax; if you replace "\x20" with a simple space it works fine.

Behaviors are probably different because two servers use two different regex engines (Apache 1 using something called hsregex, and Apache 2 using http://www.pcre.org). However, looking at the Apache web site, the \xHH syntax should work with Apache 1.x too.

I'll try to find some documentation on the subject, or, if I fail, try to work around the problem in mod_security.

Thanks for your email.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
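An added example, not part of the original message or of ModSecurity: a small Python helper that applies the workaround described above, rewriting `\xHH` escapes in converted `SecFilter` patterns as literal characters so one rule file behaves the same under both regex engines. The function names and the second sample rule are constructed for illustration, and hex escapes inside bracket expressions are assumed absent.

```python
import re

# Characters that must stay backslash-escaped when written literally in a regex.
REGEX_META = set(".^$*+?()[]{}|\\")

# An escaped backslash, a \xHH escape, or any other backslash escape.
_TOKEN = re.compile(r"\\\\|\\x([0-9A-Fa-f]{2})|\\.", re.DOTALL)

# A SecFilter directive with a double-quoted pattern (the form shown in the thread).
_SECFILTER = re.compile(r'^(\s*SecFilter\s+")((?:[^"\\]|\\.)*)(".*)$')


def expand_hex_escapes(pattern: str) -> str:
    """Rewrite printable \\xHH escapes as literals; leave everything else alone."""
    def repl(m):
        hex_digits = m.group(1)
        if hex_digits is None:
            return m.group(0)              # escaped backslash or another escape
        ch = chr(int(hex_digits, 16))
        if not 0x20 <= ord(ch) <= 0x7E or ch == '"':
            return m.group(0)              # control bytes and quotes stay escaped
        return "\\" + ch if ch in REGEX_META else ch
    return _TOKEN.sub(repl, pattern)


def convert_line(line: str) -> str:
    """Convert one configuration line; comments and other directives pass through."""
    m = _SECFILTER.match(line)
    if not m:
        return line
    return m.group(1) + expand_hex_escapes(m.group(2)) + m.group(3)


def convert_rules(text: str) -> str:
    return "\n".join(convert_line(line) for line in text.splitlines())


# Constructed sample: the first rule is the one quoted in the thread,
# the second is made up to show a decoded regex metacharacter.
SAMPLE = r'''# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
SecFilter "cmd\x2eexe"'''

if __name__ == "__main__":
    print(convert_rules(SAMPLE))
```

Escapes that decode to a regex metacharacter are emitted with a backslash so the converted pattern still matches only the literal character.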