Hi, I'm experiencing false positive matches for the web attack 31104 rule 
in my systems, most specifically line feed character (%0A) matches for some 
web applications that send it in forms.

Looking at the rule (id 31104), I noticed it matches line feed and carriage 
return characters separately, and I wonder if the original intent was to 
capture HTTP response splitting, which would be a CR+LF sequence (%0D%0A).

In other words, this is the current rule, at web_rules.xml line 57:

<url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>

And this is what I would expect, if my assumptions are correct: 

<url>%027|%00|%01|%7f|%2E%2E|%0D%0A|../..|..\..|echo;|</url>

Would you please confirm if the original rule is correct and I'm missing 
something? Otherwise I'll patch my rules file to match only the CR+LF 
sequence.

Thanks in advance

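To see concretely why the two `<url>` patterns differ on the traffic described above, here is an added example (not part of the original post and not OSSEC's own code) that approximates the rule's `|`-separated alternatives as a plain substring match and runs both variants over a few constructed request URLs. The matching semantics (case-sensitive substring, empty trailing alternative ignored) are assumptions for illustration only; the exact behaviour of OSSEC's OS_Match should be checked against the OSSEC source before relying on it.

```python
# Simplified model of an OSSEC web_rules <url> pattern: alternatives separated
# by '|' and a hit if any alternative occurs anywhere in the request URL.
# This is an assumption about OS_Match semantics, not OSSEC's implementation.

# Constructed sample request URLs (not taken from the original post).
SAMPLE_URLS = [
    "/contact/submit?msg=line1%0Aline2",          # form field with a bare LF
    "/index.php?page=../../etc/passwd",            # directory traversal
    "/redirect?next=%0D%0ASet-Cookie:%20x%3D1",    # CR+LF (response splitting)
    "/search?q=hello+world",                        # benign request
]

# The rule as it ships (web_rules.xml, rule 31104) and the proposed variant.
ORIGINAL_RULE = "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|"
PROPOSED_RULE = "%027|%00|%01|%7f|%2E%2E|%0D%0A|../..|..\\..|echo;|"


def parse_alternatives(pattern: str) -> list[str]:
    """Split a <url> pattern on '|'; the empty alternative left by the
    trailing '|' is dropped (assumed to be harmless in the real matcher)."""
    return [alt for alt in pattern.split("|") if alt]


def matched_alternatives(pattern: str, url: str) -> list[str]:
    """Return every alternative of the pattern found inside the URL, in
    pattern order. Useful when triaging which token caused an alert."""
    return [alt for alt in parse_alternatives(pattern) if alt in url]


def url_matches(pattern: str, url: str) -> bool:
    return bool(matched_alternatives(pattern, url))


def evaluate(pattern: str, urls: list[str]) -> list[str]:
    """Return the subset of URLs that would trigger the rule."""
    return [u for u in urls if url_matches(pattern, u)]


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(f"== {name} rule ==")
        for url in SAMPLE_URLS:
            hits = matched_alternatives(rule, url)
            print(f"  {'ALERT' if hits else 'ok   '} {url}  {hits}")
```

With the sample inputs, the original pattern alerts on the form submission because of the lone `%0A`, while the proposed pattern only alerts on the traversal and the CR+LF request; the benign search is quiet under both.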