mod-security-users

[mod-security-users] Wget filter

[Tkachenko A. <al...@tk...>]

Peace be with you,

I use the following filters:
********
    SecFilter "wget+"
    SecFilter "wget%"
********

I have 2 questions, please help me with them:
1) My logs always contain "wget+" but no "wget%" even if the following
request was blocked "cd%20.temp22;wget%20http://".
Why so? Why my log does not contain "wget%" at all?

2) Now I have blocked the "GET /rus/sysswgetst.htm HTTP/1.1" requests with
"Pattern match "wget+" at THE_REQUEST" message
Why so? I don't want to block them.


Thank you!



Alexey.

Re: [mod-security-users] Wget filter

[Oliver S. <Bor...@gm...>]

Privet,

> 1) My logs always contain "wget+" but no "wget%" even if the following
> request was blocked "cd%20.temp22;wget%20http://".
> Why so? Why my log does not contain "wget%" at all?

%20 is the escaped version of a blank space. (0x20 is the hexadecimal
representation of the character code 32 which is a blank space).

wget+ represents exactly the same, because blank space has two different
representations in this encoding scheme: + and %20.

Seems that Apache internally decodes %20 but not + which is natural since +
may be a valid filename character. Hence you would find "wget " but not
"wget%".

By the way: this will only filter WGET calls (executing WGET), WGET itself
allows to mimic any browser and cannot be blocked as a client.

Oliver

-- 
---------------------------------------------------
May the source be with you, stranger ;)

ICQ: #281645
URL: http://assarbad.net

RE: [mod-security-users] Wget filter

[Tkachenko A. <al...@tk...>]

Thank you, Oliver.

Still don't understand why my filter block and "wget" also :(


Alexey. 


-----Original Message-----
From: Oliver Schneider [mailto:Bor...@gm...] 
Sent: Friday, January 28, 2005 01:43
To: Tkachenko Alexei
Cc: mod...@li...
Subject: Re: [mod-security-users] Wget filter

Privet,

> 1) My logs always contain "wget+" but no "wget%" even if the following 
> request was blocked "cd%20.temp22;wget%20http://".
> Why so? Why my log does not contain "wget%" at all?

%20 is the escaped version of a blank space. (0x20 is the hexadecimal
representation of the character code 32 which is a blank space).

wget+ represents exactly the same, because blank space has two different
representations in this encoding scheme: + and %20.

Seems that Apache internally decodes %20 but not + which is natural since +
may be a valid filename character. Hence you would find "wget " but not
"wget%".

By the way: this will only filter WGET calls (executing WGET), WGET itself
allows to mimic any browser and cannot be blocked as a client.

Oliver

--
---------------------------------------------------
May the source be with you, stranger ;)

ICQ: #281645
URL: http://assarbad.net

Re: [mod-security-users] Wget filter

[Ivan R. <iv...@we...>]

Tkachenko Alexei wrote:
> Thank you, Oliver.
> 
> Still don't understand why my filter block and "wget" also :(

   Because "wget+" in "SecFilter wget+" is a regular expression.
   The "+" at the and means "one or more characters". In this
   case it applies to the letter "t".

   So it matches "wget", but it would match "wgett" or
   "wgetttttttttt" too.

   What do you want to block with that signature? You have to
   remember that something like:

   "cd%20.temp22;wget%20http://".

   looks to mod_security as:

   "cd .temp22;wget http:/".

   (read the part in the manual that discusses anti-evasion)

   Finally, it seems to me you want to use "wget ".

   Another word of warning: "wget " is *very* broad. Be careful
   not to block legitimate requests.

-- 
Ivan Ristic (http://www.modsecurity.org)

RE: [mod-security-users] Wget filter

[Tkachenko A. <al...@tk...>]

Exactly!
Thank you!..


Alexey.
 

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...] 
Sent: Friday, January 28, 2005 10:34
To: Tkachenko Alexei
Cc: 'Oliver Schneider'; mod...@li...
Subject: Re: [mod-security-users] Wget filter

Tkachenko Alexei wrote:
> Thank you, Oliver.
> 
> Still don't understand why my filter block and "wget" also :(

   Because "wget+" in "SecFilter wget+" is a regular expression.
   The "+" at the and means "one or more characters". In this
   case it applies to the letter "t".

   So it matches "wget", but it would match "wgett" or
   "wgetttttttttt" too.

   What do you want to block with that signature? You have to
   remember that something like:

   "cd%20.temp22;wget%20http://".

   looks to mod_security as:

   "cd .temp22;wget http:/".

   (read the part in the manual that discusses anti-evasion)

   Finally, it seems to me you want to use "wget ".

   Another word of warning: "wget " is *very* broad. Be careful
   not to block legitimate requests.

--
Ivan Ristic (http://www.modsecurity.org)