Re: UNSUBSCRIBE

[Jamie Riden <jamie.riden () gmail com>]

Unsubscribe instructions are here:
https://lists.sourceforge.net/lists/listinfo/snort-sigs

On 28 January 2013 10:25, Alistair Thomson <alistair () i-technique com> wrote:
> UNSUBSCRIBE
> On 25 Jan 2013, at 18:00, Lukas Matt <lukas.matt () sophos com> wrote:
>
> Hello @all,
>
> I have following setup:
>
> DNAT rule to make an internal webserver reachable by using the external IP
> address.
>
> command from client to server:
> curl -v -s 'http://[hostname]/rss.php?pathToFiles=https&apos;
>
> triggered rule:
> 2931/finished_pullpork_rules/plain.rules:alert tcp $EXTERNAL_NET any ->
> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php pathToFiles remote
> file include attempt"; flow:to_server,established; content:"rss.php";
> nocase; http_uri; content:"pathToFiles="; nocase; http_uri;
> pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata:policy security-ips drop,
> service http; reference:url,osvdb.org/show/osvdb/51460;
> classtype:web-application-attack; sid:18479; rev:7;)
>
> So from my view the incoming GET request from my IP should be rejected (or
> maybe dropped).
> But in the tcpdump I can see that this GET request routed to the internal
> webserver.
>
> It worked fine after I removed the perl regex from the rule and the
> content-modifier http_uri.
>
> What exactly  could be wrong with the regex/modifier?
>
> Regards,
> Lukas Matt
>
>
> --
> Lukas Matt | lukas.matt () sophos com | Deep Packet Inspection Researcher
> Astaro GmbH & Co. KG – a Sophos company | www.astaro.com | www.sophos.com
> Phone +49-721-25516-322 | Fax +49-721-25516-200
> Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
>
> Astaro GmbH & Co. KG – a Sophos company,
> Commercial Register: Mannheim HRA 702710,
> Headquarter Location: Karlsruhe,
>
> Represented by the General Partner Astaro Verwaltungs GmbH
> Commercial Register: Mannheim HRB 708248 Amalienbadstr. 41, Bau 52 | 76227
> Karlsruhe | Germany
> Executive Board: Richard Walford, Gert Hansen, Günter Junk, Dr. Frank
> Nellissen
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!