On Mon, 8 Mar 2010, Ned Slider wrote:

Adam Katz wrote:
> >  On 15-May-2009, at 12:46, Adam Katz wrote:
> > >  uri URI_HIDDEN /.{7}\/\../

 LuKreme wrote:
> >  That won't catch
> >  http://www.spammer.example.com/.../hidden-malware.asf, it will only
> >  catch the relative url form "../path/to/content" which SA improperly
> >  prefaces with "http://";
> > > > uri URI_HIDDEN /.{8}\/\../

 Works for me:

 $ echo http://www.spammer.example.com/.../hidden-malware.asf |perl -ne
 '$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 hits
 $
 $ echo 'href="../not/a/hidden/directory"' |perl -ne '$_ = "http://$_"
 unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 $


For some time now I've been running

uri             LOCAL_URI_HIDDEN_DIR    /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice an FP on this type of URI with multiple relative paths:

../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence ../. , which stops the rule triggering on multiple relative paths.

uri             LOCAL_URI_HIDDEN_DIR    /(?!.{6}\.\.\/\..).{8}\/\../

How about:

    uri         LOCAL_URI_HIDDEN_DIR    m;.{8}/\..(?!/);

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
 6 days until Daylight Saving Time begins in U.S. - Spring Forward
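As an added example that is not part of this thread, here are the three rule variants side by side, run over the URIs discussed above plus one constructed URI, after the same "http://" prefixing that the perl one-liner performs. The patterns use only constructs that Python's re evaluates exactly as Perl does, so the hits agree with what SpamAssassin would do with the uri rules:

```python
import re

# SpamAssassin compiles "uri" rules as Perl regexes and runs them over each
# URI it extracts from the body. The bare patterns from the thread (minus the
# /.../ or m;...; delimiters) behave identically under Python's re: the only
# non-trivial constructs are the negative lookaheads.
RULES = {
    "original": re.compile(r".{8}/\.."),                  # Adam Katz's rule
    "ned":      re.compile(r"(?!.{6}\.\./\..).{8}/\.."),   # Ned Slider's refinement
    "john":     re.compile(r".{8}/\..(?!/)"),              # John Hardin's proposal
}


def normalise(uri: str) -> str:
    """Mimic SA prefixing "http://" onto scheme-less (relative) URIs,
    exactly as the perl one-liner in the thread does."""
    return uri if re.match(r"[a-z]+://", uri) else "http://" + uri


def hits(uri: str) -> dict:
    """Return {rule_name: True/False} for one URI after normalisation."""
    u = normalise(uri)
    return {name: rx.search(u) is not None for name, rx in RULES.items()}


# Sample URIs: the three from the thread, plus one constructed URI with a
# one-character hidden directory, which John's (?!/) lookahead cannot match
# because the character after "/." is the next slash.
SAMPLES = [
    "http://www.spammer.example.com/.../hidden-malware.asf",  # should hit
    "../not/a/hidden/directory",                             # should not hit
    "../../../../blah",                                      # Ned's FP case
    "http://www.example.com/.h/x",                           # constructed
]

if __name__ == "__main__":
    print(f"{'uri':55} {'original':>8} {'ned':>5} {'john':>5}")
    for s in SAMPLES:
        h = hits(s)
        print(f"{s:55} {str(h['original']):>8} {str(h['ned']):>5} {str(h['john']):>5}")
```

The table shows the trade-off the thread circles around: Ned's lookahead suppresses the multi-level ../ false positive while still catching a single-character hidden directory, whereas John's shorter rule suppresses the FP but also misses "/.h/".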