Hi, I'm experiencing false positive matches for the web attack 31104 rule 
in my systems, most specifically line feed character (%0A) matches for some 
web applications that send it in forms.

Looking at the rule (id 31104), I noticed it matches line feed and carriage 
return characters separately, and I wonder if the original intent was to 
capture HTTP response splitting, which would be a CR+LF sequence (%0D%0A).

In other words, this is the current rule, at web_rules.xml line 57:


And this is what I would expect, if my assumptions are correct: 


Would you please confirm if the original rule is correct and I'm missing 
something? Otherwise I'll patch my rules file to match only the CR+LF 

Thanks in advance


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to