On 19 October 2012 19:05, Ryan Barnett <rbarn...@trustwave.com> wrote:
> Hey Jamie,
> I agree with your assessment and the need to strengthen the coverage. We
> have a script that auto-converts the ET Snort web signatures from here -
> http://rules.emergingthreats.net/open/snort-2.8.4/rules/ - into the SLR ..
>
> #Submitted 2006-06-29 by Frank Knobbe
> #
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability";
> flow:established,to_server; uricontent:".php?"; nocase;
> uricontent:"_CONF"; nocase; pcre:"/_CONF\[.*\]=(http|ftps?|php)\:\//Ui";
> reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html;
> reference:url,doc.emergingthreats.net/2002996;
> classtype:web-application-attack; sid:2002996; rev:6;)
>
> When we don't get this clean param data, we revert to using the data
> provided by the original Snort rule writer. So, your concerns about the
> regex are valid but we currently can't do much about it...

No worries; I have flagged this on the ET-list, so hopefully they'll fix soon
and the problem will go away for now.

cheers,
 Jamie
--
Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
http://uk.linkedin.com/in/jamieriden