Comments on: Extracting bad url’s from ModSecurity events in Sguil http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html Everything inline. Mon, 22 Feb 2010 14:26:44 +0100 http://wordpress.org/?v=2.9.2 hourly 1 By: Victor Julien http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-14072 Victor Julien Tue, 09 Jun 2009 17:01:41 +0000 http://www.inliniac.net/blog/?p=220#comment-14072 @Adam, see Ryan Barnett's explanation above! @Adam, see Ryan Barnett’s explanation above!

]]> By: Adam Humphreys http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-14070 Adam Humphreys Tue, 09 Jun 2009 15:55:59 +0000 http://www.inliniac.net/blog/?p=220#comment-14070 Thanks for the very useful information. Do you know why the URL ends with a “?” Thanks for the very useful information. Do you know why the URL ends with a “?”

]]> By: Victor Julien http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-13690 Victor Julien Wed, 13 May 2009 06:39:15 +0000 http://www.inliniac.net/blog/?p=220#comment-13690 Thanks for that explanation Ryan. Do you see any danger for false positives when blocking request URI's ending in a "?". On my Wordpress blog I've not seen any FP so far... Thanks for that explanation Ryan. Do you see any danger for false positives when blocking request URI’s ending in a “?”. On my Wordpress blog I’ve not seen any FP so far…

]]> By: Ryan Barnett http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-13652 Ryan Barnett Fri, 08 May 2009 15:17:07 +0000 http://www.inliniac.net/blog/?p=220#comment-13652 Ofer said - Do you known why does the URL ends with a “?” It is a technique somewhat similar to SQL Injection payloads utilizing comment specifiers (-- or ;-- or #) at the end of their payloads. The RFI attackers do not know what the remainder of the PHP code that they are going to be included into is supposed to do. So, by adding the "?" character, the remainder of the local server PHP code is actually treated as a parameter to the RFI included code. The injected RFI PHP code simply ignores the parameter data so it will only execute its own code. Ofer said – Do you known why does the URL ends with a “?”

It is a technique somewhat similar to SQL Injection payloads utilizing comment specifiers (– or ;– or #) at the end of their payloads. The RFI attackers do not know what the remainder of the PHP code that they are going to be included into is supposed to do. So, by adding the “?” character, the remainder of the local server PHP code is actually treated as a parameter to the RFI included code. The injected RFI PHP code simply ignores the parameter data so it will only execute its own code.

]]> By: Ofer Shezaf http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-12587 Ofer Shezaf Thu, 15 Jan 2009 12:28:07 +0000 http://www.inliniac.net/blog/?p=220#comment-12587 I have added this to my list of ModSecurity rules at http://www.xiom.com/signatures-modsecurity. Do you known why does the URL ends with a "?" I have added this to my list of ModSecurity rules at http://www.xiom.com/signatures-modsecurity. Do you known why does the URL ends with a “?”

]]> By: Extracting bad url’s from ModSecurity events in Sguil | PHP-Blog.com http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-12582 Extracting bad url’s from ModSecurity events in Sguil | PHP-Blog.com Thu, 15 Jan 2009 05:54:30 +0000 http://www.inliniac.net/blog/?p=220#comment-12582 [...] posted here: Extracting bad url’s from ModSecurity events in Sguil Related ArticlesBookmarksTags Premature optimization is bad 63+ best practice to optimize [...] [...] posted here: Extracting bad url’s from ModSecurity events in Sguil Related ArticlesBookmarksTags Premature optimization is bad 63+ best practice to optimize [...]

]]> By: nr http://www.inliniac.net/blog/2009/01/15/extracting-bad-urls-from-modsecurity-events-in-sguil.html/comment-page-1#comment-12580 nr Thu, 15 Jan 2009 01:52:26 +0000 http://www.inliniac.net/blog/?p=220#comment-12580 Nice post, Victor. You can report the sites to Google: http://www.google.com/safebrowsing/report_badware/ OpenDNS has domain tagging, but it does not appear to include malicious sites. The closest thing I see is an 'adware' tag: http://www.opendns.com/community/domaintagging/about/ Nice post, Victor.

You can report the sites to Google: http://www.google.com/safebrowsing/report_badware/

OpenDNS has domain tagging, but it does not appear to include malicious sites. The closest thing I see is an ‘adware’ tag: http://www.opendns.com/community/domaintagging/about/

]]>