On Thu, Oct 21, 2010 at 8:15 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:

> I find myself struggling with how to handle directory traversal false
> positives. The following happily triggers rule 31104 and active response
> blocks the IP.
>
> 204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1"
> 400 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> The problem is that, unfortunately, this is actually legit.. While I wish I
> could control poor web coding, I cannot.. *sigh*
>
> I can put an ignore in, but that would hamper detecting an actual traversal
> attack. I can think of a few ways to alter it so it detects two or more
> directories being traversed, but I can think of a few ways to defeat that
> too.. So, how do I handle this?
>
> Thanks,
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
The only thing I can think of is to watch the logs and implement ignore rules for the legitimate stuff you come across. Be as specific as possible.
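An added example of what "be as specific as possible" looks like in code (it is not from this list or from OSSEC's own rule set): a small Python checker that flags traversal indicators in Apache combined-format log lines, but suppresses only the exact method/path/status triple from the quoted post. The log format, the traversal pattern and the percent-decoding are assumptions standing in for what rule 31104 does; all sample lines except the quoted one are constructed.

```python
import re
from urllib.parse import unquote

# Apache/NCSA combined log format, as in the quoted log line (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Traversal indicators, checked on the percent-decoded URL so that
# "%2e%2e/" is treated like "../" (decoded twice to cover double encoding).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$|\\\.\.$)')

# Ignore entries are exact (method, raw path, status) triples: only the
# request the broken link actually produces, nothing broader such as "any
# request containing ../" or "anything from this IP".
IGNORE = {("GET", "/../index.html", "400")}

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_traversal(url):
    return bool(TRAVERSAL_RE.search(unquote(unquote(url))))

def classify(line):
    """Return 'alert', 'ignored', 'clean' or 'unparsed' for one log line."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    if not is_traversal(rec["url"]):
        return "clean"
    # The ignore list is matched on the raw request, not the decoded one,
    # so an encoded variant of the same path still raises an alert.
    if (rec["method"], rec["url"], rec["status"]) in IGNORE:
        return "ignored"
    return "alert"

# Constructed sample: line 1 is the one from the post; the rest show that
# the narrow ignore entry does not blind the check.
SAMPLE = [
    '204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" 400 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.9 - - [21/Oct/2010:08:44:01 -0400] "GET /../../private/notes.txt HTTP/1.1" 400 303 "-" "curl/7.21.0"',
    '203.0.113.9 - - [21/Oct/2010:08:44:02 -0400] "GET /%2e%2e/index.html HTTP/1.1" 400 303 "-" "curl/7.21.0"',
    '203.0.113.9 - - [21/Oct/2010:08:44:03 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21.0"',
]

def run(lines=SAMPLE):
    return [classify(line) for line in lines]
```

Running `run()` on the sample yields `ignored, alert, alert, clean`: the known false positive is silenced while deeper, encoded and differently-addressed traversals still alert.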
