[Emerging-Sigs] Bug in lots of references - comma
wkitty42 at windstream.net
Thu Oct 14 15:33:09 EDT 2010
On 10/14/2010 15:15, Matthew Jonkman wrote:
> Thanks for the heads up. Changing what we can, but unfortunately m86 gives you a page not found if you encode.
that's weird that they're 404ing on encoded entities... i note that it is the
comma being encoded that they are erroring on... this works...
i wonder if their redirect stuff is not looking for an encoded comma in addition
to a plain comma...
FWIW: i only found 16 entries with this problem using the published grep line...
> I'll shoot them an email and see what we can work out. Anyone know someone over there?
> On Oct 14, 2010, at 1:21 PM, elof at sentor.se wrote:
>> Lots of url references, particularily the ones to m86security are faulty
>> since they contain a comma. This screw up some systems since comma is the
>> separator (... reference:<id system>,<id>; ...). Also, the comma
>> character is reserved and not allowed in URLs.
>> Ideally, m86security should modify their URLs (not use comma, and probably
>> also stop using the unsafe tilde character (~)), but I don't know the
>> likelyhood of that happening.
>> ...so instead, perhaps ET could simply encode special characters in url
>> references? (see e.g.
>> http://www.blooberry.com/indexdot/html/topics/urlencoding.htm for a list
>> of chars and their encodings)
>> Then this:
>> will look like this:
>> ...and everything will work fine.
>> Scripts dealing with the *.rules won't see any extra commas.
>> m86security don't need to fix their faulty URLs.
>> The encoded URLs work just fine when browsing the resource,
>> Some examples of sids with comma in the url reference:
>> Please fix these (and more).
>> Oh. Apart from all the m86security references, I found (at least) one
>> other faulty reference:
>> sid:2009103 reference:url,bugtraq,33301;
>> Please fix as well.
>> Run grep -i 'msg:"ET .*reference:url,[^,;]*,' *.rules to find faulty references.
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> Matthew Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> PGP: http://www.jonkmans.com/mattjonkman.asc
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
More information about the Emerging-sigs