Re: Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules

[Scott Savarese <scott.savarese () vitals com>]

On Fri, Jan 9, 2015 at 9:16 PM, waldo kitty <wkitty42 () windstream net> wrote:

> yes, it might need some additional valid data like an IPv6 pcre...
> apparently it
> was written for IPv4 only... then again, it might be best to just disable
> it in
> your environment ;)
Yup. my original post to the list had the new string in it with an IPv6
PCRE, but here it is again:


pcre:!"/X-Forwarded-For\x3a(\s|,|unknown|
(((?=.*(::))(?!.*\3.+\3))\3?|([\dA-F]{1,4}(\3|:\b|$)|\2))(?4){5}((?4){2}|(((2[0-4]|1\d|[1-9])?\d|25[0-5])\.?\b){4})\z
|(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))+/i”

I think it will match the following strings straight from my lots:


X-Forwarded-For: , 1.2.3.4

X-Forwarded-For:

X-Forwarded-For: 10.16.72.23, unknown

X-Forwarded-For: unknown

X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec

X-Forwarded-For: 2600:9010:a127:35f6:e557:8aa4:fb56:65ec, 2.3.4.5

X-FORWARDED-FOR:  3.4.5.6

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!