Re: (no subject)

[James Lay <jlay () slave-tothe-box net>]

On 2016-10-20 08:33, Frederic Lubrano wrote:
> Hello,
>
> I have a custom rule that does not work, i want to block a User-agent
> without using Directory traversal 119: 18:
>
> User-Agent:
> ../../../../../../../../../../etc/passwd/./././././././././././././././.
>
> My rule is :
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> (msg:"1SERVER-WEBAPP"; content:"User-Agent|3A 20|";
> pcre:"/User-Agent\x3A\x20([(([.]{1,2}[\/])+([a-zA-Z0-9\/]+)([.]{1,2}[\/])+/";
> http_header; classtype:policy-violation; sid:1000002; rev:1;)
>
> My test is :
>
> curl -A "./../../../../../../../../..//etc/passwd/././" http://server
>
> Thanks for the help
>
> Best regards,
>
> fred

When in doubt, for testing, change $EXTERNAL_NET and $HOME_NET to any, 
and add a -k none to your snort command line and try the rule again.  
Also might wanna trim that to just "\x2fetc\x2fpasswd" instead of all 
the other "../"'s

James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!