Snort mailing list archives
UNSUBSCRIBE
From: Alistair Thomson <alistair () i-technique com>
Date: Mon, 28 Jan 2013 10:25:07 +0000
UNSUBSCRIBE On 25 Jan 2013, at 18:00, Lukas Matt <lukas.matt () sophos com> wrote:
Hello @all,

I have the following setup: a DNAT rule to make an internal webserver reachable by using the external IP address.

Command from client to server:

curl -v -s 'http://[hostname]/rss.php?pathToFiles=https'

Triggered rule:

2931/finished_pullpork_rules/plain.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php pathToFiles remote file include attempt"; flow:to_server,established; content:"rss.php"; nocase; http_uri; content:"pathToFiles="; nocase; http_uri; pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata:policy security-ips drop, service http; reference:url,osvdb.org/show/osvdb/51460; classtype:web-application-attack; sid:18479; rev:7;)

So from my view the incoming GET request from my IP should be rejected (or maybe dropped). But in the tcpdump I can see that this GET request is routed to the internal webserver.

It worked fine after I removed the perl regex from the rule and the content modifier http_uri.

What exactly could be wrong with the regex/modifier?

Regards,
Lukas Matt

--
Lukas Matt | lukas.matt () sophos com | Deep Packet Inspection Researcher
Astaro GmbH & Co. KG – a Sophos company | www.astaro.com | www.sophos.com
Phone +49-721-25516-322 | Fax +49-721-25516-200
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
Astaro GmbH & Co. KG – a Sophos company, Commercial Register: Mannheim HRA 702710, Headquarter Location: Karlsruhe, Represented by the General Partner Astaro Verwaltungs GmbH Commercial Register: Mannheim HRB 708248
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Richard Walford, Gert Hansen, Günter Junk, Dr. Frank Nellissen

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
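The three detection conditions of sid:18479 quoted in the thread (two http_uri content matches and the pcre with the U modifier) can be evaluated in isolation against a request line. The following is an added example written for this archive page; it is not code from the thread, from Lukas Matt, or from Snort. It approximates the normalized URI buffer that Snort's http_inspect preprocessor provides (what http_uri and the pcre "U" flag select) with a plain percent-decode of the request-target; that normalization step is an assumption of the example, and the request lines are constructed sample input. Running it shows that the rule's conditions do match the URI from the curl command as typed, and also shows why matching on the normalized buffer rather than the raw packet payload matters: a percent-encoded value such as %68ttps is still caught.

```python
import re
from urllib.parse import unquote

# Conditions copied from the quoted rule (sid:18479), all applied to the
# normalized request URI.  Case-insensitive because of "nocase" and the "i"
# pcre flag.
CONTENT_1 = "rss.php"          # content:"rss.php"; nocase; http_uri;
CONTENT_2 = "pathtofiles="     # content:"pathToFiles="; nocase; http_uri;
PCRE = re.compile(r"pathToFiles=(ftp|https?)", re.IGNORECASE)  # pcre:"/.../Ui"


def normalized_uri(request_line: str) -> str:
    """Extract the request-target and percent-decode it.

    ASSUMPTION: this stands in for the normalized URI buffer that Snort's
    http_inspect preprocessor builds; real normalization does more (e.g.
    directory traversal and multi-slash handling), but percent-decoding is the
    part that matters for this rule.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return unquote(parts[1])


def matches_sid_18479(request_line: str) -> bool:
    """Return True when every condition of the quoted rule holds for the URI."""
    uri = normalized_uri(request_line)
    lowered = uri.lower()
    if CONTENT_1 not in lowered:
        return False
    if CONTENT_2 not in lowered:
        return False
    return PCRE.search(uri) is not None


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /rss.php?pathToFiles=https HTTP/1.1",                       # the curl from the thread
    "GET /rss.php?pathToFiles=%68ttps://example.test/ HTTP/1.1",     # percent-encoded value
    "GET /rss.php?pathToFiles=/var/www/files HTTP/1.1",              # local path, no scheme
    "GET /index.php?pathToFiles=https HTTP/1.1",                     # wrong script name
]


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request line to whether the rule's conditions match it."""
    return {line: matches_sid_18479(line) for line in requests}


if __name__ == "__main__":
    for line, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  ok '}  {line}")
```

The first two sample lines match and the last two do not, so the regex and modifiers in the rule are internally consistent with the request in the thread; whether Snort populates the http_uri buffer for a given stream depends on the http_inspect configuration for those ports, which this script does not model.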
Current thread:
- IPS packet reject handling doesn't work as expected Lukas Matt (Jan 26)
- Re: IPS packet reject handling doesn't work as expected Joel Esler (Jan 26)
- Re: IPS packet reject handling doesn't work as expected Jamie Riden (Jan 26)
- UNSUBSCRIBE Alistair Thomson (Jan 28)
- Re: UNSUBSCRIBE Jamie Riden (Jan 28)