Adam Katz wrote:
On 15-May-2009, at 12:46, Adam Katz wrote:
uri URI_HIDDEN /.{7}\/\../

LuKreme wrote:
That won't catch
http://www.spammer.example.com/.../hidden-malware.asf, it will only
catch the relative url form "../path/to/content" which SA improperly
prefaces with "http://".

uri URI_HIDDEN /.{8}\/\../

Works for me:

$ echo http://www.spammer.example.com/.../hidden-malware.asf | perl -ne \
'$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
hits
$
$ echo 'href="../not/a/hidden/directory"' | perl -ne \
'$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
$


For some time now I've been running

uri             LOCAL_URI_HIDDEN_DIR    /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice a FP on this type of URI with multiple relative paths:

../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence ../. which stops the rule triggering on multiple relative paths.

uri             LOCAL_URI_HIDDEN_DIR    /(?!.{6}\.\.\/\..).{8}\/\../

Tested, and all seems good so feel free to update if you're using this rule locally.

Note: I'm still on 3.2.5 so I don't know if this rule ever got officially picked up in 3.3.x
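
The following is an added example, not part of the thread or of SpamAssassin itself: a small regression harness that runs the two LOCAL_URI_HIDDEN_DIR patterns quoted above over the URIs discussed in the thread. It assumes URIs without a scheme get "http://" prepended, as the perl one-liner above does, and uses Python's `re` as a stand-in for Perl (both patterns use only syntax the two engines share); the last sample URI and all function names are constructed for illustration.

```python
import re

# Rule bodies copied verbatim from the thread.
RULE_ORIGINAL = re.compile(r".{8}\/\..")
RULE_REFINED = re.compile(r"(?!.{6}\.\.\/\..).{8}\/\..")


def normalize(uri):
    """Prepend http:// when no scheme is present (assumption: mirrors the
    perl one-liner in the thread, not SpamAssassin's real URI parser)."""
    uri = uri.strip()
    if not re.match(r"[a-z]+://", uri):
        uri = "http://" + uri
    return uri


def evaluate(uri):
    """Return which rule versions fire on the normalized URI."""
    normalized = normalize(uri)
    return {
        "original": bool(RULE_ORIGINAL.search(normalized)),
        "refined": bool(RULE_REFINED.search(normalized)),
    }


# Constructed sample set: the first three come from the thread,
# the last is a made-up dot-directory URL on a reserved example domain.
SAMPLES = [
    "http://www.spammer.example.com/.../hidden-malware.asf",
    'href="../not/a/hidden/directory"',
    "../../../../blah",
    "http://www.example.com/.hidden/file.html",
]


def report(samples=SAMPLES):
    """Build one line per sample showing original/refined results."""
    lines = []
    for uri in samples:
        result = evaluate(uri)
        lines.append(
            f"{uri!r:60} original={result['original']!s:5} "
            f"refined={result['refined']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Adding a new sample to `SAMPLES` before changing the rule locally shows at a glance whether a refinement trades an FP for a miss.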
