Sorry for my ignorance! What is the purpose of '..' in the url: '/sample-folder/news/global-report..?page=91' ?
Rule 31104 tries to catch directory traversal. Would it still be effective to remove the final '|..|' from the following line?

<url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>

On Tuesday, October 16, 2012 7:37:39 AM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, Oct 16, 2012 at 10:32 AM, Leonardo Bacha Abrantes
> <[email protected]> wrote:
> > hey guys,
> >
> > I received an alert about success on attack.
> > looking in my access.log I found the log that started this alert:
> >
> > 1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
> > /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
> > /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
> > hostname: 'megatron'
> > program_name: '(null)'
> > log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
> > /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'web-accesslog'
> > srcip: '1.2.3.4'
> > url: '/sample-folder/news/global-report..?page=91'
> > id: '200'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '31106'
> > Level: '6'
> > Description: 'A web attack returned code 200 (success).'
> > **Alert to be generated.
> >
> > The active response blocked the source ip. I checked the Integrity
> > Checking database and it didn't show any changes on files, so it was
> > a false positive.
> > Has anyone had the same issue?
> >
> > many thanks!
>
> It looks like the ".." in the url might have triggered 31104? The web
> rules are unreliable, there are just too many ways for them to be wrong.
>
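To see what dropping the final '|..|' changes, here is an added example (not OSSEC's code and not part of anyone's post in this thread) that models OSSEC's '|'-separated substring match in Python, assuming each alternative is a plain substring matched anywhere in the url field, and runs the original and narrowed patterns over constructed access-log lines, including the exact request from the thread.

```python
import re
from typing import Dict, Optional

# Rule 31104's url pattern as quoted in the thread, and the narrowed version
# the poster asks about (final '|..|' removed).
PATTERN_ORIG = r"%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|"
PATTERN_NARROW = r"%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;"

# Constructed sample log (combined-log format). Line 1 is the request from the
# thread; the rest are made-up probes for the pattern, not real traffic.
SAMPLE_LOG = """\
1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
10.0.0.5 - - [16/Oct/2012:05:04:01 -0300] "GET /static/../../private/config HTTP/1.1" 200 512
10.0.0.6 - - [16/Oct/2012:05:04:10 -0300] "GET /static/%2E%2E/%2E%2E/private/config HTTP/1.1" 404 210
10.0.0.7 - - [16/Oct/2012:05:04:20 -0300] "GET /static/../private.txt HTTP/1.1" 200 80
10.0.0.8 - - [16/Oct/2012:05:04:30 -0300] "GET /news/index.html?page=3 HTTP/1.1" 200 9000
"""

# Minimal parser for the fields the web-accesslog decoder exposes (srcip, url, id).
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def ossec_match(pattern: str, value: str) -> Optional[str]:
    """Model (assumption) of OSSEC's '|' match: alternatives are literal
    substrings tried in order; an empty alternative from a trailing '|' is
    ignored. Returns the alternative that fired, or None. Case folding and
    URL decoding are deliberately not modelled."""
    for alt in pattern.split("|"):
        if alt and alt in value:
            return alt
    return None


def evaluate(log: str, pattern: str) -> Dict[str, Optional[str]]:
    """Map each parsed url to the pattern alternative that matched it (or None)."""
    results: Dict[str, Optional[str]] = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines the decoder would not parse
            results[m["url"]] = ossec_match(pattern, m["url"])
    return results


if __name__ == "__main__":
    for name, pat in (("original", PATTERN_ORIG), ("narrowed", PATTERN_NARROW)):
        print(f"--- {name} pattern ---")
        for url, hit in evaluate(SAMPLE_LOG, pat).items():
            print(f"{'ALERT ' + repr(hit) if hit else 'no match':18} {url}")
```

Under this model the narrowed pattern no longer fires on global-report.. but also stops matching a single-level '/static/../private.txt', so the trade-off is fewer false positives against a blind spot for one-level traversal.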
