-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I find myself struggling with how to handle directory traversal false 
positives.  The following happily triggers rule 31104 and active response 
blocks the IP.

204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" 400 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The problem is that, unfortunately, this is actually legit.  While I wish I 
could control poor web coding, I cannot.  *sigh*

I can put an ignore in, but that would hamper detecting an actual traversal 
attack.  I can think of a few ways to alter it so it detects two or more 
directories being traversed, but I can think of a few ways to defeat that too.  
So, how do I handle this?

Thanks,

- ---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iEYEARECAAYFAkzA17kACgkQ8CjzPZyTUTQW9gCeNB5GVSD/wU7C/JgWzNk9kc6B
BlUAoKSI2wfIw9aIH8v1Gz1yrBHO0TH3
=73u2
-----END PGP SIGNATURE-----
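
One way to act on the idea in the post (alert on two or more levels of traversal rather than on any "../"), while closing the obvious ways of defeating a depth count, is to normalize the request target before measuring it. The Python below is an added example written for this page; it is not the poster's code and not OSSEC's rule 31104, whose matching is regex-based XML. The log lines are constructed for the example (the first one mirrors the request quoted above, the rest are made up), and the `min_levels` threshold of 2 is an assumption taken from the "two or more directories" heuristic the post proposes. It percent-decodes until the target stops changing, folds backslashes into slashes, computes how far above the document root the normalized path climbs, and separately flags obfuscation (encoded dots or slashes, backslashes, dot runs like `....//`) so that a single-level but disguised attempt is still alerted while the plain `/../index.html` at the root is not.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines for this example. The first
# mirrors the request quoted in the post; the rest are made up to exercise
# the classifier. None of them come from the original message's server logs.
SAMPLE_LOGS = [
    '204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" 400 303 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [21/Oct/2010:08:44:01 -0400] "GET /images/../../../etc/passwd HTTP/1.1" 404 200 "-" "curl/7.19"',
    '10.0.0.8 - - [21/Oct/2010:08:44:05 -0400] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 200 "-" "-"',
    '10.0.0.9 - - [21/Oct/2010:08:44:09 -0400] "GET /app/....//....//etc/passwd HTTP/1.1" 404 200 "-" "-"',
    '10.0.0.10 - - [21/Oct/2010:08:44:12 -0400] "GET /css/../img/logo.png HTTP/1.1" 200 1234 "-" "-"',
    '10.0.0.11 - - [21/Oct/2010:08:44:15 -0400] "GET /..%5c..%5cwindows/win.ini HTTP/1.1" 404 200 "-" "-"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d"')


def request_path(line):
    """Pull the request target out of a combined-format line (None if absent)."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def normalize(target):
    """Strip the query string, percent-decode until stable (catches double
    encoding such as %252e), and fold backslashes into slashes."""
    path = target.split("?", 1)[0]
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def classify(target):
    """Return (escape_levels, obfuscated).

    escape_levels is how far above the document root the normalized path
    climbs (0 means it never leaves the root). obfuscated is True when the
    raw target used percent-encoded dots or slashes, backslashes, or dot
    runs like '....' that only become '..' after a filter strips one '../'.
    """
    raw = target.split("?", 1)[0]
    obfuscated = bool(re.search(r"%2e|%2f|%5c|\\|\.{3,}", raw, re.IGNORECASE))
    depth = 0      # current position relative to the root
    lowest = 0     # deepest point below the root reached so far
    for seg in normalize(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest, obfuscated


def should_alert(line, min_levels=2):
    """Alert on any obfuscated traversal, or on a plain one that climbs at
    least min_levels above the root (min_levels=2 is an assumed threshold).
    A single plain '/../' at the root, as in the quoted request, falls below
    the threshold and is not alerted."""
    target = request_path(line)
    if target is None:
        return False
    levels, obfuscated = classify(target)
    return obfuscated or levels >= min_levels


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        target = request_path(line)
        print(should_alert(line), classify(target), target)
```

The depth count and the obfuscation flag are deliberately kept separate: the count answers "did this request actually try to leave the web root, and by how much", which is what makes `/css/../img/logo.png` and the post's `/../index.html` uninteresting, while the flag catches the encoding tricks that would otherwise let a one-level attempt slip under a "two or more" threshold. Porting this to a log-analysis rule means decoding before matching, or matching the encoded forms explicitly, rather than counting literal `../` occurrences.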