-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Oct 21, 2010, at 8:15 PM, Jason 'XenoPhage' Frisvold wrote: > I find myself struggling with how to handle directory traversal false > positives. The following happily triggers rule 31104 and active response > blocks the IP. > > 204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" > 400 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > > The problem is that, unfortunately, this is actually legit.. While I wish I > could control poor web coding, I cannot.. *sigh* > > I can put an ignore in, but that would hamper detecting an actual traversal > attack. I can think of a few ways to alter it so it detects two or more > directories being traversed, but I can think of a few ways to defeat that > too.. So, how do I handle this? > > Thanks,
One more time.. Anyone have any thoughts on this? I'm not sure where to head with this one... Anyone else having this problem? - --------------------------- Jason 'XenoPhage' Frisvold [email protected] - --------------------------- "Any sufficiently advanced magic is indistinguishable from technology." - - Niven's Inverse of Clarke's Third Law -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iEYEARECAAYFAkzGRXoACgkQ8CjzPZyTUTQr6wCdFz7GuioTc4caZQlBZxwoUlMp qyEAn2Lr+SrFHvtlANs5Qh73jkJYVLlB =jOdT -----END PGP SIGNATURE-----
