Improve java attack detection rules #1287

Closed
wants to merge 2 commits into
base: v3.2/dev
from

fgsch commented Jan 14, 2019

These can also be exploited in the URL path.
Ref. https://github.com/hook-s3c/CVE-2018-11776-Python-PoC.

fgsch changed the title from "These can also be exploited in the URL path" to "Improve java attack detection rules" Jan 14, 2019

fgsch added some commits Jan 14, 2019

fgsch force-pushed the fgsch:request-uri-raw branch from 4e3b938 to 10ed3e9 Jan 14, 2019

dune73 commented Jan 14, 2019

Thank you @fgs.

Two things:

  • Would you mind citing the CVE the way @franbuehler has done in this file?
  • You are using REQUEST_URI_RAW. So far, we have a single use of this variable. Do you happen to know if ModSec3 is supporting it by now?

fgsch commented Jan 14, 2019

@dune73 Will do/check and update this PR with the outcome.

dune73 commented Jan 14, 2019

Thank you man.

fgsch commented Jan 15, 2019

> You are using REQUEST_URI_RAW. So far, we have a single use of this variable. Do you happen to know if ModSec3 is supporting it by now?

I had a look at the code and I can confirm this is still supported in v3.

dune73 commented Jan 15, 2019

Cool. Thank you for checking.

Please add the comments as proposed above and I'll merge.

fgsch commented Jan 16, 2019

Sure, I will try to add it this week and let you know.

fgsch commented Mar 7, 2019

Closing for now. Will reopen when I have an update.

fgsch closed this Mar 7, 2019
