[Emerging-Sigs] space at end of filename - bad form POST

Weir, Jason jason.weir at nhrs.org
Fri Oct 28 13:31:42 EDT 2011

Found on FB but would be potentially bad no matter where it's seen


What do you guys think of this?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET Inbound
Bad POST - space at end of filename"; flow:established,to_server;
content:"Content-Disposition|3A| form-data|3b|"; nocase;
content:"filename=|22|"; pcre:"/filename=\x22\S* \x22/i";
ability.html; sid:xxxxxxx; rev:1;)

I wrote this up as an inbound rule looking for potentially malicious
posts to my forms - but could be used outbound as well looking for
clients trying to infect FB users.



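An offline check of the rule's pcre against multipart/form-data headers, added here as an example and not part of the original post. The function names, the sample bodies (constructed) and the broader BROAD pattern are assumptions for illustration; BROAD shows that the posted pattern only covers filenames with no other whitespace in them.

```python
import re

# POSTED is the pcre from the rule above. BROAD is an assumed variant (not
# from the post) that also accepts spaces elsewhere in the filename.
POSTED = re.compile(r'filename=\x22\S* \x22', re.I)
BROAD = re.compile(r'filename=\x22[^\x22\r\n]* \x22', re.I)
PREFIX = "content-disposition: form-data;"  # same bytes as the rule's content match

def part_headers(body, boundary):
    """Yield the header block of each multipart/form-data part."""
    for part in body.split("--" + boundary):
        part = part.lstrip("\r\n")
        # Skip the empty preamble and the closing "--" marker.
        if part and not part.startswith("--"):
            yield part.split("\r\n\r\n", 1)[0]

def flag_trailing_space(body, boundary, pattern=POSTED):
    """Return Content-Disposition lines whose filename ends in a space."""
    hits = []
    for headers in part_headers(body, boundary):
        for line in headers.split("\r\n"):
            if line.lower().startswith(PREFIX) and pattern.search(line):
                hits.append(line)
    return hits

def build(boundary, filenames):
    """Build a constructed multipart body with one file part per name."""
    parts = []
    for i, name in enumerate(filenames):
        parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                     f'name="f{i}"; filename="{name}"\r\n'
                     "Content-Type: application/octet-stream\r\n\r\ndata\r\n")
    return "".join(parts) + f"--{boundary}--\r\n"

# Constructed sample: clean name, trailing space, interior plus trailing space.
BOUNDARY = "XbOuNdArYx"
SAMPLE = build(BOUNDARY, ["report.pdf", "report.pdf ", "my report.pdf "])

if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("broad", BROAD)):
        for line in flag_trailing_space(SAMPLE, BOUNDARY, pat):
            print(label, repr(line))
```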