[Emerging-Sigs] Apache mod_proxy Reverse Proxy Exposure

Mex mail at mare-system.de
Wed Oct 12 13:03:21 EDT 2011


Did not find a sig for that (or did I miss something?),
and I actually don't know how this will
behave on servers that will allow URI-encoded logins,
so maybe this could/should be deactivated by default?



http://www.contextis.com/research/blog/reverseproxybypass/
http://mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Apache mod_proxy Reverse Proxy Exposure (v2)"; flow:established,to_server; content:"GET"; http_method; content:":@"; depth:2; http_uri; classtype:attempted-recon; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; sid:XXXXXXXX; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DT WEB_SERVER Apache mod_proxy Reverse Proxy Exposure (v1)"; flow:established,to_server; content:"GET"; http_method; content:"@"; depth:1; http_uri; classtype:attempted-recon; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; sid:XXXXXXXX; rev:3;)
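
Added example, not part of the original post and not Snort code: a small Python model of what the two rules above match, run over constructed request lines to show how the anchored "@" / ":@" match behaves when "@" appears elsewhere in a URI. It assumes the match is applied to the request-target exactly as sent, and treats content:X with a depth equal to len(X) as a prefix match; the names match_rules, RULES and SAMPLES are made up for this sketch.

```python
import re

# Request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# (label, required method, prefix the request-target must start with).
# Assumption: content:":@"; depth:2 and content:"@"; depth:1 on the URI
# buffer are equivalent to "the URI starts with this string".
RULES = [
    ("v2", "GET", ":@"),
    ("v1", "GET", "@"),
]


def match_rules(request_line):
    """Return the labels of the modelled rules that the request line satisfies."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []  # not a well-formed request line, nothing to evaluate
    method, target = m.group("method"), m.group("target")
    return [label for label, want_method, prefix in RULES
            if method == want_method and target.startswith(prefix)]


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",                           # ordinary path
    "GET /login?user=alice@example.com HTTP/1.1",         # "@" deep in query
    "GET http://alice:secret@www.example.com/ HTTP/1.1",  # credentials in URI
    "GET @backend.example/status HTTP/1.0",               # target starts with "@"
    "GET :@backend.example/status HTTP/1.0",              # target starts with ":@"
    "POST @backend.example/status HTTP/1.0",              # wrong method for both rules
]


def scan(lines):
    """Map each request line to the list of rule labels it triggers."""
    return {line: match_rules(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        verdict = "ALERT " + ",".join(hits) if hits else "ok"
        print(verdict.ljust(10), line)
```

Under this model a URI that carries credentials in absolute form starts with the scheme, so neither rule fires on it; only a request-target whose first bytes are "@" or ":@" does.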

