[prev in list] [next in list] [prev in thread] [next in thread]
List: mod-security-users
Subject: Re: [mod-security-users] Question about pcre and how to convert into mod_security rules
From: Jose_Pablo_Valcárcel_Lázaro <pablo.valcarcel1980 () gmail ! com>
Date: 2014-02-03 16:48:06
Message-ID: CABkhgLq9+yYHVv1nJp51Vf2XgqM9X6Gfd4AkWS30nmPbaY1t8Q () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
It´s not so easy :p. I´m finding problems with content fields. I have two
hex to ascii parser (bash and python) and I found that there are some
contents wich are hard to parse:
root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/
I guess that content example has hexadecimal values inside ascci normal
characters.
My bash script works with strings like |2E|2F|sogou but still I don´t know
why does not work with example content at the begining of the mail:
#!/bin/bash
# CADENA is string but in spanish :)
#CADENA="|2e|2f|sogou"
#CADENA="|2E|2F|sogou"
CADENA="|2A02|"
# String parsing not working on:
#CADENA="root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"
#CADENA="|00 00 00 04|ftp|3a|//"
ASCII=`echo -n $CADENA | xxd -r -p -u`
# With this variable I would want to get sogou string but finally I
understand that no hexadecimal parts could be mixed through different
string places as:
# root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/
NOHEX=`echo "$CADENA" | rev | cut -d'|' -f1 | rev`
echo "$ASCII$NOHEX"
echo "$NOHEX"
echo "$ASCII"
I´m testing different patterns to check if it right works.
Thanks anyway for your help!!!
2014-02-03 Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>:
> Thanks Ryan for your help!!
>
> I was looking for perl cpan modules to convert pcre and from that point
> convert to mod_security regular expression.
>
> Now, I should only grep on http directives and tell parser script how to
> act against each http directive (I will ignore length suricata directives)
> and look the phase where the rule should be developed and manage what
> should it happen if I detect several phases due to directives should be
> written in different phases (I guess this never should happen but...)
>
> Kind regards,
>
>
> 2014-01-31 Ryan Barnett <RBarnett@trustwave.com>:
>
> > Jose,
> > ModSecurity uses PCRE with its @rx operator -
> > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-rx
> >
> > Yes, Snort and Suricata IDS also have pcre actions/operators however
> > the format of specifying the actual expression is slightly different. They
> > use the syntax - /REGEX_PATTERN/[optional pcre compilation flag(s)]. The
> > PCRE compilation flags in the example you show below are [si] and mean -
> >
> > http://www.pcre.org/pcre.txt
> >
> > "s" flag - PCRE_DOTALL
> >
> > If this bit is set, a dot metacharacter in the pattern matches a char-
> > acter of any value, including one that indicates a newline. However, it
> > only ever matches one character, even if newlines are coded as CRLF.
> > Without this option, a dot does not match when the current position is
> > at a newline. This option is equivalent to Perl's /s option, and it can
> > be changed within a pattern by a (?s) option setting. A negative class
> > such as [^a] always matches newline characters, independent of the set-
> > ting of this option.
> >
> >
> > "i" flag - PCRE_CASELESS
> >
> > If this bit is set, letters in the pattern match both upper and lower
> > case letters. It is equivalent to Perl's /i option, and it can be
> > changed within a pattern by a (?i) option setting. In UTF-8 mode, PCRE
> > always understands the concept of case for characters whose values are
> > less than 128, so caseless matching is always possible. For characters
> > with higher values, the concept of case is supported if PCRE is com-
> > piled with Unicode property support, but not otherwise. If you want to
> > use caseless matching for characters 128 and above, you must ensure
> > that PCRE is compiled with Unicode property support as well as with
> > UTF-8 support.
> >
> >
> > In ModSecurity, the PCRE expression is defined within the OPERATOR
> > location of the SecRule between double quotes - "@rx REGEX_PATTERN". You
> > can add similar optional compilation flags directly to the beginning of the
> > expression. Example, to add PCRE_CASELESS matching using "@rx
> > (?I)REGEX_PATTERN".
> >
> > Now, for your specific question below about that Snort/Suricata regex.
> > ModSecurity already uses the PCRE_DOTALL (s) flag when compiling the
> > REGEX_PATTERN so you don't need to convert that. You would need to apply
> > the PCRE_CASELESS flag (I) however. Something like this -
> >
> > SecRule RESPONSE_BODY "@rx
> > (?I)<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)"
> > "phase:response,t:none,id:2010665,log,deny,msg:'ET ACTIVEX Possible NOS
> > Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control
> > Multiple Stack Overflows Remote Code Execution Attempt'"
> >
> >
> > *Ryan Barnett*
> >
> > Lead Security Researcher, SpiderLabs
> >
> >
> >
> > *Trustwave* | SMART SECURITY ON DEMAND
> >
> > www.trustwave.com
> >
> >
> > From: Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>
> > Reply-To: "mod-security-users@lists.sourceforge.net" <
> > mod-security-users@lists.sourceforge.net>
> > Date: Wednesday, January 29, 2014 5:38 AM
> > To: "mod-security-users@lists.sourceforge.net" <
> > mod-security-users@lists.sourceforge.net>
> > Subject: Re: [mod-security-users] Question about pcre and how to convert
> > into mod_security rules
> >
> > How is it possible that suricata and mod_security use different values
> > to evaluate insensitive expressions?
> >
> > Within mod_security equivalent pcre for insensitive should be (as we
> > can see on rx directive): "@rx (?i)nikto"
> >
> > while in suricata should be /nikto/i
> >
> > So if both are using pcre software and libraries, how is it possible
> > that insensitive searchs perform in different way for each software?
> >
> > If I want to parse a pcre to match a vulnerability, not exploit, should
> > I parse all the pcre into normal content and finally convert it again into
> > pcre for mod_security?
> >
> > Which pcre does modsecurity uses? Is there any manual reference?
> >
> > Kind regards,
> >
> >
> > 2014-01-29 Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>
> >
> > > Good morning.
> > >
> > > I was wondering if someone could advice me how to convert regular
> > > expression as
> > >
> > > /<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si
> > >
> > > into mod_security compatible regular expression.
> > >
> > > Looking at the exploit exploit<http://www.exploit-db.com/exploits/11172/> \
> > > vulnerability string is
> > > <objectid=TestObjclassid="CLSID:{E2883E8F-472F-4fb0-9522-AC9BF37916A7}"
> > >
> > > So I understand that using the pcre you should be able to stop any
> > > variation of the exploit?
> > >
> > > Kind regards,
> > >
> >
> >
> > ------------------------------
> >
> > This transmission may contain information that is privileged,
> > confidential, and/or exempt from disclosure under applicable law. If you
> > are not the intended recipient, you are hereby notified that any
> > disclosure, copying, distribution, or use of the information contained
> > herein (including any reliance thereon) is strictly prohibited. If you
> > received this transmission in error, please immediately contact the sender
> > and destroy the material in its entirety, whether in electronic or hard
> > copy format.
> >
> >
> > ------------------------------------------------------------------------------
> > WatchGuard Dimension instantly turns raw network data into actionable
> > security intelligence. It gives you real-time visual feedback on key
> > security issues and trends. Skip the complicated setup - simply import
> > a virtual appliance and go from zero to informed in seconds.
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
> >
>
[Attachment #5 (text/html)]
<div dir="ltr">It´s not so easy :p. I´m finding problems with content fields. I have \
two hex to ascii parser (bash and python) and I found that there are some contents \
wich are hard to parse:<div>root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/<br>
</div><div><br></div><div>I guess that content example has hexadecimal values inside \
ascci normal characters.</div><div><br></div><div>My bash script works with strings \
like |2E|2F|sogou but still I don´t know why does not work with example content at \
the begining of the mail:</div>
<div><div>#!/bin/bash</div><div><br></div><div># CADENA is string but in spanish \
:)</div><div>#CADENA="|2e|2f|sogou"</div><div>#CADENA="|2E|2F|sogou"</div><div>CADENA="|2A02|"<br></div><div>
<br>
</div><div># String parsing not working \
on:</div><div>#CADENA="root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"<br></div><div>#CADENA="|00 \
00 00 04|ftp|3a|//"<br></div><div><br></div><div>ASCII=`echo -n $CADENA | xxd -r \
-p -u`</div>
<div># With this variable I would want to get sogou string but finally I understand \
that no hexadecimal parts could be mixed through different string places \
as:</div><div># root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/</div> <div>
<br></div><div>NOHEX=`echo "$CADENA" | rev | cut -d'|' -f1 | \
rev`<br></div><div><br></div><div>echo "$ASCII$NOHEX"</div><div>echo \
"$NOHEX"</div><div>echo "$ASCII"</div><div>
<br></div></div><div>I´m testing different patterns to check if it right \
works.</div><div><br></div><div>Thanks anyway for your help!!! </div></div><div \
class="gmail_extra"><br><br><div class="gmail_quote">2014-02-03 Jose Pablo Valcárcel \
Lázaro <span dir="ltr"><<a href="mailto:pablo.valcarcel1980@gmail.com" \
target="_blank">pablo.valcarcel1980@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div dir="ltr">Thanks Ryan for your \
help!!<div><br></div><div>I was looking for perl cpan modules to convert pcre and \
from that point convert to mod_security regular expression.</div>
<div><br></div><div>Now, I should only grep on http directives and tell parser script \
how to act against each http directive (I will ignore length suricata directives) and \
look the phase where the rule should be developed and manage what should it happen if \
I detect several phases due to directives should be written in different phases (I \
guess this never should happen but...)</div>
<div><br></div><div>Kind regards,</div></div><div class="gmail_extra"><br><br><div \
class="gmail_quote">2014-01-31 Ryan Barnett <span dir="ltr"><<a \
href="mailto:RBarnett@trustwave.com" \
target="_blank">RBarnett@trustwave.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div><div class="h5">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>
<div>Jose,</div>
<div>ModSecurity uses PCRE with its @rx operator - <a \
href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-rx" \
target="_blank">https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-rx</a></div>
<div>
<div><br>
</div>
<div>Yes, Snort and Suricata IDS also have pcre actions/operators however the format \
of specifying the actual expression is slightly different. They use the syntax - \
/REGEX_PATTERN/[optional pcre compilation flag(s)]. The PCRE compilation flags in \
the example you show below are [si] and mean - </div>
<div><br>
</div>
<div><a href="http://www.pcre.org/pcre.txt" \
target="_blank">http://www.pcre.org/pcre.txt</a></div> <div><br>
</div>
<div>
<pre style="word-wrap:break-word;white-space:pre-wrap">"s" flag - \
PCRE_DOTALL
If this bit is set, a dot metacharacter in the pattern matches a char-
acter of any value, including one that indicates a newline. However, it
only ever matches one character, even if newlines are coded as CRLF.
Without this option, a dot does not match when the current position is
at a newline. This option is equivalent to Perl's /s option, and it can
be changed within a pattern by a (?s) option setting. A negative class
such as [^a] always matches newline characters, independent of the set-
ting of this option.</pre>
<pre style="word-wrap:break-word;white-space:pre-wrap"><br></pre>
<pre style="word-wrap:break-word;white-space:pre-wrap">"i" flag - \
PCRE_CASELESS
If this bit is set, letters in the pattern match both upper and lower
case letters. It is equivalent to Perl's /i option, and it can be
changed within a pattern by a (?i) option setting. In UTF-8 mode, PCRE
always understands the concept of case for characters whose values are
less than 128, so caseless matching is always possible. For characters
with higher values, the concept of case is supported if PCRE is com-
piled with Unicode property support, but not otherwise. If you want to
use caseless matching for characters 128 and above, you must ensure
that PCRE is compiled with Unicode property support as well as with
UTF-8 support.</pre>
</div>
<div><br>
</div>
<div>In ModSecurity, the PCRE expression is defined within the OPERATOR location of \
the SecRule between double quotes - "@rx REGEX_PATTERN". You can add \
similar optional compilation flags directly to the beginning of the expression. \
Example, to add PCRE_CASELESS matching using "@rx \
(?I)REGEX_PATTERN".</div> <div><br>
</div>
<div>Now, for your specific question below about that Snort/Suricata regex. \
ModSecurity already uses the PCRE_DOTALL (s) flag when compiling the REGEX_PATTERN so \
you don't need to convert that. You would need to apply the PCRE_CASELESS flag \
(I) however. Something like this -</div>
<div><br>
</div>
<div>SecRule RESPONSE_BODY "@rx \
(?I)<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-4 \
72F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)" \
"phase:response,t:none,id:<span \
style="white-space:pre-wrap">2010665</span>,log,deny,msg:'<span \
style="white-space:pre-wrap">ET ACTIVEX Possible NOS Microsystems Adobe \
Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows \
Remote Code Execution Attempt'"</span></div> <div><br>
</div>
<div><br>
</div>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><b><span \
style="font-family:Arial,sans-serif">Ryan Barnett</span></b></p> <p class="MsoNormal" \
style="margin:0in 0in 0.0001pt;font-size:11pt"><span \
style="font-size:10.5pt;font-family:Arial,sans-serif">Lead Security Researcher, \
SpiderLabs</span></p> <p class="MsoNormal" style="margin:0in 0in \
0.0001pt;font-size:11pt"><span style="font-family:Arial,sans-serif;font-size:10.5pt"> \
</span></p> <p class="MsoNormal" style="margin:0in 0in \
0.0001pt;font-size:11pt"><b><span \
style="font-family:Arial,sans-serif">Trustwave</span></b><span \
style="font-size:10.5pt;font-family:Arial,sans-serif"> | SMART SECURITY ON \
DEMAND</span></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><span \
style="font-family:Arial,sans-serif"><a href="http://www.trustwave.com/" \
target="_blank"><span \
style="font-size:10.5pt">www.trustwave.com</span></a></span></p>
<p></p>
</div>
</div>
<div><br>
</div>
<span>
<div style="border-right:medium \
none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium \
none;font-family:Calibri;border-top:#b5c4df 1pt \
solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From: </span>Jose Pablo Valcárcel Lázaro <<a \
href="mailto:pablo.valcarcel1980@gmail.com" \
target="_blank">pablo.valcarcel1980@gmail.com</a>><br> <span \
style="font-weight:bold">Reply-To: </span>"<a \
href="mailto:mod-security-users@lists.sourceforge.net" \
target="_blank">mod-security-users@lists.sourceforge.net</a>" <<a \
href="mailto:mod-security-users@lists.sourceforge.net" \
target="_blank">mod-security-users@lists.sourceforge.net</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, January 29, 2014 5:38 AM<br>
<span style="font-weight:bold">To: </span>"<a \
href="mailto:mod-security-users@lists.sourceforge.net" \
target="_blank">mod-security-users@lists.sourceforge.net</a>" <<a \
href="mailto:mod-security-users@lists.sourceforge.net" \
target="_blank">mod-security-users@lists.sourceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [mod-security-users] Question \
about pcre and how to convert into mod_security rules<br> </div>
<div><br>
</div>
<blockquote style="border-left:#b5c4df 5 solid;padding:0 0 0 5;margin:0 0 0 5">
<div>
<div><div>
<div dir="ltr">How is it possible that suricata and mod_security use different values \
to evaluate insensitive expressions? <div><br>
</div>
<div>Within mod_security equivalent pcre for insensitive should be (as we can see on \
rx directive): <span \
style="background-color:rgb(248,248,248);color:rgb(51,51,51);font-family:Consolas,'Liberation \
Mono',Courier,monospace;font-size:13px;line-height:19px">"@rx \
(?i)nikto"</span></div> <div><span \
style="background-color:rgb(248,248,248);color:rgb(51,51,51);font-family:Consolas,'Liberation \
Mono',Courier,monospace;font-size:13px;line-height:19px"><br> </span></div>
<div>while in suricata should be /nikto/i <br>
</div>
<div><br>
</div>
<div>So if both are using pcre software and libraries, how is it possible that \
insensitive searchs perform in different way for each software?</div> <div><br>
</div>
<div>If I want to parse a pcre to match a vulnerability, not exploit, should I parse \
all the pcre into normal content and finally convert it again into pcre for \
mod_security?</div> <div><br>
</div>
<div>Which pcre does modsecurity uses? Is there any manual reference?</div>
<div><br>
</div>
<div>Kind regards,</div>
</div>
</div><div class="gmail_extra"><br>
<br>
<div class="gmail_quote"><div>2014-01-29 Jose Pablo Valcárcel Lázaro <span \
dir="ltr"><<a href="mailto:pablo.valcarcel1980@gmail.com" \
target="_blank">pablo.valcarcel1980@gmail.com</a>></span><br> </div><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"> <div dir="ltr"><div>Good morning.
<div><br>
</div>
<div>I was wondering if someone could advice me how to convert regular expression as \
</div> <div>/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E \
2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si<br>
</div>
<div><br>
</div>
<div>into mod_security compatible regular expression.</div>
<div><br>
</div>
<div>Looking at the exploit <a href="http://www.exploit-db.com/exploits/11172/" \
target="_blank">exploit</a> vulnerability string is </div> </div><div><code \
style="direction:ltr!important;width:auto!important;display:inline!important;padding:0 \
px!important;outline:0px!important;min-height:auto!important;float:none!important;vert \
ical-align:baseline!important;line-height:15.399999618530273px;overflow:visible!important;font-size:14px;white-space:pre-wrap;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;margin:0px!important;border:0px!important"><</code><code \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;border:0px \
!important;float:none!important;min-height:auto!important;margin:0px!important;outline \
:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;font-weight:bold!important;direction:ltr!important;display:inline!important;color:rgb(0,102,153)!important">object</code><span \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier New',Courier,monospace"></span><code \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;border:0px \
!important;float:none!important;min-height:auto!important;margin:0px!important;outline \
:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;direction:ltr!important;display:inline!important;color:gray!important">id</code><code \
style="direction:ltr!important;width:auto!important;display:inline!important;padding:0 \
px!important;outline:0px!important;min-height:auto!important;float:none!important;vert \
ical-align:baseline!important;line-height:15.399999618530273px;overflow:visible!important;font-size:14px;white-space:pre-wrap;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;margin:0px!important;border:0px!important">=</code><code \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;border:0px \
!important;float:none!important;min-height:auto!important;margin:0px!important;outline \
:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;direction:ltr!important;display:inline!important;color:blue!important">TestObj</code><span \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier New',Courier,monospace"></span><code \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;border:0px \
!important;float:none!important;min-height:auto!important;margin:0px!important;outline \
:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;direction:ltr!important;display:inline!important;color:gray!important">classid</code><code \
style="direction:ltr!important;width:auto!important;display:inline!important;padding:0 \
px!important;outline:0px!important;min-height:auto!important;float:none!important;vert \
ical-align:baseline!important;line-height:15.399999618530273px;overflow:visible!important;font-size:14px;white-space:pre-wrap;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;margin:0px!important;border:0px!important">=</code><code \
style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap;border:0px \
!important;float:none!important;min-height:auto!important;margin:0px!important;outline \
:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;direction:ltr!important;display:inline!important; \
color:blue!important">"CLSID:{E2883E8F-472F-4fb0-9522-AC9BF37916A7}"</code><br>
</div><div>
<div><code style="line-height:15.399999618530273px;font-size:14px;white-space:pre-wrap \
;border:0px!important;float:none!important;min-height:auto!important;margin:0px!import \
ant;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream \
Vera Sans Mono','Courier \
New',Courier,monospace!important;direction:ltr!important;display:inline!important;color:blue!important"><br>
</code></div>
<div>So I understand that using the pcre you should be able to stop any variation of \
the exploit?<br> </div>
<div><br>
</div>
<div>Kind regards,</div>
</div></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</span><br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or \
exempt from disclosure under applicable law. If you are not the intended recipient, \
you are hereby notified that any disclosure, copying, distribution, or use of the \
information contained herein (including any reliance thereon) is strictly \
prohibited. If you received this transmission in error, please immediately contact \
the sender and destroy the material in its entirety, whether in electronic or hard \
copy format.<br>
</font>
</div>
<br></div></div>------------------------------------------------------------------------------<br>
WatchGuard Dimension instantly turns raw network data into actionable<br>
security intelligence. It gives you real-time visual feedback on key<br>
security issues and trends. Skip the complicated setup - simply import<br>
a virtual appliance and go from zero to informed in seconds.<br>
<a href="http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk" \
target="_blank">http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk</a><br>_______________________________________________<br>
mod-security-users mailing list<br>
<a href="mailto:mod-security-users@lists.sourceforge.net" \
target="_blank">mod-security-users@lists.sourceforge.net</a><br> <a \
href="https://lists.sourceforge.net/lists/listinfo/mod-security-users" \
target="_blank">https://lists.sourceforge.net/lists/listinfo/mod-security-users</a><br>
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:<br>
<a href="http://www.modsecurity.org/projects/commercial/rules/" \
target="_blank">http://www.modsecurity.org/projects/commercial/rules/</a><br> <a \
href="http://www.modsecurity.org/projects/commercial/support/" \
target="_blank">http://www.modsecurity.org/projects/commercial/support/</a><br> \
<br></blockquote></div><br></div> </blockquote></div><br></div>
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic