feat: target Unix commands in Referer header explicitly #3300

theseion · 2023-09-09T15:00:50Z

New rules 932205, 932206 to handle the Referer header explicitly.

The regular expression in 932200 leads to false positives against URLs
with query strings (due to the ?). 932205 uses an additional prefix in
the regular expression that matches the first ? so that the following
expressions will only match question marks that are part of the payload.

932206 uses an additional prefix to match only when the Referer value is
not a URL (which is illegal). 932206 is thus equivalent to 932200 but is
required to distinguish the case where the Referer header does actually
contain a URL.

Fixes #3180.

New rules 932205, 932206 to handle the Referer header explicitly. The regular expression in 932200 leads to false positives against URLs with query strings (due to the `?`). 932205 uses an additional prefix in the regular expression that matches the first `?` so that the following expressions will only match question marks that are part of the payload. 932206 uses an additional prefix to match only when the Referer value is not a URL (which is illegal). 932206 is thus equivalent to 932200 but is required to distinguish the case where the Referer header does actually contain a URL. Fixes coreruleset#3180

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

franbuehler

LGTM. Thank you!

dune73 · 2023-09-12T13:52:52Z

Thanks for the reviews and the PR @theseion. Merging now.

In coreruleset#3300 a false positive in 932200 was fixed and tests were written to ensure that the FP was fixed but the tests target 932205 and 932206. This commit adds the same FP tests to 932200, the rule that originally exhibited the FPs.

theseion added 2 commits September 8, 2023 19:04

feat: disassemble regex for 932200

15d1cec

theseion requested a review from RedXanadu September 9, 2023 15:01

theseion mentioned this pull request Sep 9, 2023

Rule 932200, now inspecting Referer headers, matches any query string that contains spaces #3180

Closed

Merge branch 'v4.0/dev' into 3180-fix-fps-in-referer

6669a6d

Xhoenix reviewed Sep 10, 2023

View reviewed changes

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Show resolved Hide resolved

Xhoenix reviewed Sep 10, 2023

View reviewed changes

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Show resolved Hide resolved

Xhoenix reviewed Sep 10, 2023

View reviewed changes

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Show resolved Hide resolved

Xhoenix approved these changes Sep 10, 2023

View reviewed changes

RedXanadu mentioned this pull request Sep 11, 2023

feat: Bring CONTRIBUTING.MD back in line w/ HTML version #3301

Merged

franbuehler approved these changes Sep 12, 2023

View reviewed changes

dune73 merged commit 1fe255d into coreruleset:v4.0/dev Sep 12, 2023

theseion mentioned this pull request Sep 17, 2023

chore: add FP tests to 932200 #3309

Merged

dune73 mentioned this pull request Oct 2, 2023

Monthly Chat Agenda October 2023 (2023-10-02 and 2023-10-16) #3280

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

feat: target Unix commands in Referer header explicitly #3300

feat: target Unix commands in Referer header explicitly #3300

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

feat: target Unix commands in Referer header explicitly #3300

feat: target Unix commands in Referer header explicitly #3300

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!