Hello @RNNJ, yes, as you guessed, I also think that the original intention was to capture the CR+LF sequence, but also taking into account the possibility of just LF being interpreted as CR+LF, which would also allow the attack to be successful. The same thing happens with some other attacks, like slow HTTP headers (a kind of DoS), which also use CR+LF.
You could modify the rule to avoid those false positives, but keep in mind that, if your system somehow interprets LF as CR+LF, you would not detect any attack if only LF is used. Also, you should keep in mind that you may still have false positives when using HTTP tags such as <textarea>, which expects multi-line submission with CR+LF in it.

Hope it helps,
Best regards,
Fran G.
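To make the trade-off in the reply above concrete, here is an added example (not part of the thread, not an OSSEC rule, and not Fran G.'s code) that runs three patterns over constructed log values: a strict CR+LF pattern, a lenient pattern that also accepts a bare LF, and one possible tuning that only fires when the line break is followed by something shaped like a header name and colon, so a legitimate multi-line <textarea> field does not trigger on its own. The sample values and the tuned pattern are assumptions made for the example.

```python
import re

# Constructed sample values (not from the thread): what a web server might log
# for a header or form field once it has been URL-decoded.
SAMPLES = {
    "crlf_in_header": "Location: /home\r\nSet-Cookie: session=x",    # CR+LF split
    "lf_only_header": "Location: /home\nSet-Cookie: session=x",      # bare LF split
    "textarea_body":  "comment=first line\r\nsecond line\r\nthird",  # legitimate multi-line field
    "clean_header":   "Location: /home",                             # nothing to flag
}

# Strict: only the literal CR+LF sequence.
STRICT = re.compile(r"\r\n")

# Lenient: CR+LF or a bare LF, for platforms that treat a lone LF as a line end.
# Catches the LF-only case but also fires on every multi-line text field.
LENIENT = re.compile(r"\r?\n")

# Tuned (an assumption for this example, not the rule's actual logic): a line
# break of either form that is immediately followed by a header-name-like token
# and a colon. Free text such as a <textarea> body does not match unless a line
# happens to start with "word:".
TUNED = re.compile(r"\r?\n[A-Za-z][A-Za-z0-9-]*:")


def classify(value):
    """Return (strict_hit, lenient_hit, tuned_hit) for one logged value."""
    return (
        STRICT.search(value) is not None,
        LENIENT.search(value) is not None,
        TUNED.search(value) is not None,
    )


def evaluate(samples=SAMPLES):
    """Classify every sample; returns {name: (strict, lenient, tuned)}."""
    return {name: classify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (strict, lenient, tuned) in evaluate().items():
        print(f"{name:16s} strict={strict!s:5} lenient={lenient!s:5} tuned={tuned}")
```

Running it shows the point of the reply: the strict pattern misses the LF-only variant and still flags the textarea body, the lenient pattern catches the LF-only variant but keeps the textarea false positive, and the tuned pattern separates the two for these samples. The tuning narrows recall too, so any such change should be checked against the traffic you actually see before deploying it.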
