RE: [mod-security-users] Wget filter
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
RE: [mod-security-users] Wget filter
|
From: Tkachenko A. <al...@tk...> - 2005-01-29 20:58:31
|
Exactly! Thank you!.. Alexey. -----Original Message----- From: Ivan Ristic [mailto:iv...@we...] Sent: Friday, January 28, 2005 10:34 To: Tkachenko Alexei Cc: 'Oliver Schneider'; mod...@li... Subject: Re: [mod-security-users] Wget filter Tkachenko Alexei wrote: > Thank you, Oliver. > > Still don't understand why my filter block and "wget" also :( Because "wget+" in "SecFilter wget+" is a regular expression. The "+" at the and means "one or more characters". In this case it applies to the letter "t". So it matches "wget", but it would match "wgett" or "wgetttttttttt" too. What do you want to block with that signature? You have to remember that something like: "cd%20.temp22;wget%20http://". looks to mod_security as: "cd .temp22;wget http:/". (read the part in the manual that discusses anti-evasion) Finally, it seems to me you want to use "wget ". Another word of warning: "wget " is *very* broad. Be careful not to block legitimate requests. -- Ivan Ristic (http://www.modsecurity.org) |
