Snort mailing list archives

(no subject)


From: Frederic Lubrano <frederic.lubrano () gmail com>
Date: Thu, 20 Oct 2016 16:33:07 +0200

Hello,

I have a custom rule that does not work. I want to block a User-agent
without using Directory traversal 119:18:
User-Agent: ../../../../../../../../../../etc/passwd/./././././././././././././././.

My rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"1SERVER-WEBAPP";
content:"User-Agent|3A 20|";
pcre:"/User-Agent\x3A\x20([(([.]{1,2}[\/])+([a-zA-Z0-9\/]+)([.]{1,2}[\/])+/";
http_header; classtype:policy-violation; sid:1000002; rev:1;)

My test is:

curl -A "./../../../../../../../../..//etc/passwd/././" http://server

Thanks for the help

Best regards,

fred
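
An offline check of the regular expression in the rule above, added here as an example and not part of the original post: it pulls the pcre option out of the rule text and runs it against constructed header lines. It tests the expression only, not Snort's HTTP buffers or option handling; Python's re module stands in for PCRE, and the function names and sample headers are assumptions.

```python
import re

# Rule text as posted in the message above, joined onto one line.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"1SERVER-WEBAPP"; '
    'content:"User-Agent|3A 20|"; '
    r'pcre:"/User-Agent\x3A\x20([(([.]{1,2}[\/])+([a-zA-Z0-9\/]+)([.]{1,2}[\/])+/"; '
    'http_header; classtype:policy-violation; sid:1000002; rev:1;)'
)

# PCRE modifiers with a direct Python equivalent. Snort-specific buffer
# flags are ignored, since this check only exercises the expression.
FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def extract_pcre(rule):
    """Return (pattern, flag_string) taken from the rule's pcre option."""
    m = re.search(r'pcre:\s*"/(.*)/([A-Za-z]*)"\s*;', rule)
    if m is None:
        raise ValueError("rule has no pcre option")
    return m.group(1), m.group(2)


def compile_pcre(rule):
    """Compile the rule's pcre with Python's re (assumed close enough to PCRE here)."""
    pattern, flags = extract_pcre(rule)
    opts = 0
    for f in flags:
        opts |= FLAGS.get(f, 0)
    return re.compile(pattern, opts)


def header_matches(rule, header_line):
    """True if the rule's expression matches somewhere in the header line."""
    return compile_pcre(rule).search(header_line) is not None


# Constructed header lines; the first is what the curl test in the post sends.
SAMPLES = {
    "curl test from the post": "User-Agent: ./../../../../../../../../..//etc/passwd/././",
    "ordinary browser": "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "bracket class side effect": "User-Agent: (/a./",
}

if __name__ == "__main__":
    print(extract_pcre(RULE))
    for label, line in SAMPLES.items():
        print(f"{label:28} -> {header_matches(RULE, line)}")
```

The third sample matches because `[(([.]` parses as a single character class containing `(`, `[` and `.`, so the expression accepts more than dots before each slash.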