List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] add nocase to content negations?
From:       Nathan <nathan () packetmail ! net>
Date:       2015-04-20 19:53:46
Message-ID: 5535594A.9090303 () packetmail ! net

On 04/20/2015 01:08 PM, Duane Howard wrote:
> I've seen a couple of instances of browsers using lower-case for all headers,
> and thus tripping this alert. Can we make the content negations nocase? Is it
> worth considering doing this for *all* header content negations?

This doesn't happen in real life for legitimate browsers; it does, however, happen
from time to time in situations where a reverse proxy is in the way and header
re-ordering or header mangling is occurring.  If you're seeing lowercase Accept
and Accept-* headers (Accept-Encoding, Accept-Language, etc.) and this traffic is
not being reverse proxied, then you're looking at poorly constructed forged
headers -- a very strong indicator of abnormal or anomalous behavior, especially
if it's purporting to be a major browser.

-- 
Cheers,
Nathan

-I run a blog over RFC 2822
"Hey you kids, git'off my LAN!"
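
The heuristic described in the reply above, as an added sketch that is not part of the original message or of any Emerging Threats rule: it keeps header-name case as sent on an HTTP/1.x request and separates "claims a major browser but sends lowercase Accept headers" from the reverse-proxy case. The browser pattern, the proxy-hint headers, the verdict labels and the sample requests are assumptions constructed for illustration.

```python
import re

# Canonical HTTP/1.x spellings of the headers named in the message (plus Accept-Charset).
CANONICAL = {h.lower(): h for h in
             ("Accept", "Accept-Encoding", "Accept-Language", "Accept-Charset")}
# Assumption: a loose pattern for "purports to be a major browser".
BROWSER_UA = re.compile(r"Mozilla/\d\.\d .*(Firefox|Chrome|Safari|MSIE|Trident)")
# Assumption: these headers are treated as evidence that a proxy touched the request.
PROXY_HINTS = ("via", "x-forwarded-for", "forwarded")

def parse_headers(raw: bytes):
    """Return [(name, value)] keeping each header name's case exactly as sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name, value.strip()))
    return pairs

def assess(raw: bytes) -> dict:
    """Classify one request by the case of its Accept / Accept-* header names."""
    headers = parse_headers(raw)
    lower = {n.lower(): v for n, v in headers}
    odd = [n for n, _ in headers if n.lower() in CANONICAL and n != CANONICAL[n.lower()]]
    if not odd:
        verdict = "ok"
    elif any(h in lower for h in PROXY_HINTS):
        verdict = "check-proxy"      # mangling by an intermediary is plausible
    elif BROWSER_UA.search(lower.get("user-agent", "")):
        verdict = "likely-forged"    # claims a major browser, wrong header case
    else:
        verdict = "noncanonical"     # odd case, but no browser claim to contradict
    return {"verdict": verdict, "odd_headers": odd}

def req(*lines: str) -> bytes:
    """Build a constructed HTTP/1.1 request for the samples below."""
    return "\r\n".join(("GET / HTTP/1.1", "Host: example.test", *lines, "", "")).encode("latin-1")

FIREFOX = "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
SAMPLES = {  # constructed requests, not captured traffic
    "browser": req(FIREFOX, "Accept: text/html", "Accept-Encoding: gzip, deflate"),
    "forged": req(FIREFOX, "accept: */*", "accept-encoding: gzip"),
    "proxied": req(FIREFOX, "accept: */*", "Via: 1.1 edge.example.test"),
    "tool": req("User-Agent: curl/7.38.0", "accept: */*"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

HTTP/2 carries all header names in lowercase, so this check is only meaningful on HTTP/1.x request bytes.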