Snort mailing list archives
Re: Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 08 Jan 2015 14:32:56 -0500
On 1/8/2015 7:58 AM, Scott Savarese wrote:
> I'm really new to Snort. Now that I have it up and running I'm starting to clean up the rules I have. I found one rule that I want to keep enabled, but is broken:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt"; flow:to_server,established; content:"X-Forwarded-For|3A| "; fast_pattern:only; http_header; pcre:!"/X-Forwarded-For\x3a\s(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i"; metadata:service http; reference:cve,2012-3526; classtype:web-application-attack; sid:24348; rev:3;)
>
> It looks like it looks for the X-Forwarded-For header and then a single space and then an IP address.
that's the content but the real work is in the PCRE which looks for x-forwarded-for: followed by anything /other/ than one space... note the '!' negation at the beginning of the PCRE as well as the sole \s after the ':' (\x3a)... anything in an x-forwarded-for that doesn't match the given ip range as well as the format will cause an alert...

sounds like you have thousands of playas trying to cause problems with your system(s)...

--
NOTE: No off-list assistance is given without prior approval.
      Please *keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.
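To see exactly which X-Forwarded-For values that negated PCRE lets through and which ones it alerts on, here is an added Python model of the sid:24348 matching logic run over constructed header blocks; it is not code from the thread or from the Snort project. It assumes the content keyword is a case-sensitive match (the rule carries no nocase modifier) and that the whole request header block is the rule's http_header buffer.

```python
import re

# The octet alternation and PCRE are copied from sid:24348; Snort's trailing
# /i flag becomes re.IGNORECASE and \x3a is the colon.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
XFF_PCRE = re.compile(r"X-Forwarded-For\x3a\s" + r"\.".join([OCTET] * 4), re.IGNORECASE)

# The content keyword has no nocase modifier, so model it as a plain case-sensitive match.
CONTENT = "X-Forwarded-For: "


def sid24348_alerts(header_block: str) -> bool:
    """True if sid:24348 would fire on this HTTP request header block.

    The rule alerts when the content is present AND the negated PCRE
    (pcre:!"...") finds no match anywhere in the header buffer.
    """
    if CONTENT not in header_block:
        return False  # fast_pattern content absent: the rule stops here
    return XFF_PCRE.search(header_block) is None


def request(xff_value: str) -> str:
    """Build a constructed (not captured) request carrying the given X-Forwarded-For value."""
    return f"GET / HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: {xff_value}\r\n\r\n"


# Constructed header values and the verdict the rule as written gives each one.
SAMPLES = {
    "203.0.113.7": False,            # plain dotted quad: PCRE matches, no alert
    "10.0.0.1, 203.0.113.7": False,  # proxy chain: the first address satisfies the PCRE
    "999.0.0.1": True,               # octet out of range: no match, alert
    "unknown": True,                 # non-IP token some proxies send: alert
    "2001:db8::1": True,             # IPv6: the PCRE only describes IPv4, alert
    " 203.0.113.7": False or True,   # two spaces after the colon: the single \s rejects it, alert
    "203.0.113.7999": False,         # unanchored PCRE: a valid quad followed by junk still matches
}


def verdicts() -> dict:
    """Evaluate every sample value and return {value: alerts?}."""
    return {value: sid24348_alerts(request(value)) for value in SAMPLES}


if __name__ == "__main__":
    for value, fires in verdicts().items():
        print(f"{'ALERT' if fires else 'pass '}  X-Forwarded-For: {value!r}")
```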