Hi, I'm experiencing false positive matches for the web attack 31104 rule
in my systems, most specifically line feed character (%0A) matches for some
web applications that send it in forms.
Looking at the rule (id 31104), I noticed it matches line feed and carriage
return characters separately, and I wonder if the original intent was to
capture HTTP response splitting, which would be a CR+LF sequence (%0D%0A).
In other words, this is the current rule, at web_rules.xml line 57:
And this is what I would expect, if my assumptions are correct:
Would you please confirm if the original rule is correct and I'm missing
something? Otherwise I'll patch my rules file to match only the CR+LF
Thanks in advance
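
An added example, not part of the original message and not OSSEC's own rule text: the two matching behaviours discussed above (LF or CR on their own versus the CR+LF sequence) run over constructed request URLs. The regexes and sample URLs are assumptions made for illustration.

```python
import re

# Assumption: both behaviours are modelled as regexes over the raw, still
# percent-encoded URL. This is not OSSEC rule syntax.
SEPARATE = re.compile(r"%0a|%0d", re.IGNORECASE)   # LF or CR on its own
CRLF_ONLY = re.compile(r"%0d%0a", re.IGNORECASE)   # CR immediately followed by LF

# Constructed sample requests: (label, URL).
SAMPLES = [
    ("form field with LF only", "/comment?text=line1%0Aline2"),
    ("form field with CRLF", "/comment?text=line1%0D%0Aline2"),
    ("CRLF followed by header-like text", "/go?to=home%0d%0aX-Test:%201"),
    ("bare LF followed by header-like text", "/go?to=home%0AX-Test:%201"),
    ("no control characters", "/index.html?id=5"),
]


def classify(url):
    """Report which of the two patterns fires on a URL."""
    return {
        "separate": bool(SEPARATE.search(url)),
        "crlf_only": bool(CRLF_ONLY.search(url)),
    }


def compare(samples=SAMPLES):
    """Classify every sample and keep its label for reporting."""
    return [(label, classify(url)) for label, url in samples]


if __name__ == "__main__":
    for label, hits in compare():
        print(f"{label:40} separate={hits['separate']!s:5} "
              f"crlf_only={hits['crlf_only']}")
```

Narrowing to CR+LF stops the alert on LF-only form data, but it also stops matching a bare LF, which some HTTP parsers accept as a line terminator, and it still fires on form fields submitted with CRLF line breaks.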