[prev in list] [next in list] [prev in thread] [next in thread]
List: emerging-sigs
Subject: Re: [Emerging-Sigs] add nocase to content negations?
From: Nathan <nathan () packetmail ! net>
Date: 2015-04-20 19:53:46
Message-ID: 5535594A.9090303 () packetmail ! net
[Download RAW message or body]
On 04/20/2015 01:08 PM, Duane Howard wrote:
> I've seen a couple of instances of browsers using lower-case for all headers,
> and thus tripping this alert. Can we make the content negations nocase? Is it
> worth considering doing this for *all* header content negations?
This doesn't happen in real life for legitimate browsers, it does however happen
from time to time in situations where a reverse proxy is in the way and header
re-ordering or header mangling is occurring. If you're seeing lowercase Accept
and Accept-* headers (Accept-Encoding, Accept-Language, etc) and this traffic is
not being reverse proxied then you're looking at poorly constructed forged
headers -- a very strong indicator of abnormal or anomalous behavior especially
if it's purporting to be a major browser.
--
Cheers,
Nathan
-I run a blog over RFC 2822
"Hey you kids, git'off my LAN!"
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic