[Emerging-Sigs] space at end of filename - bad form POST
jason.weir at nhrs.org
Fri Oct 28 13:31:42 EDT 2011
Found on FB but would be potentially bad no matter where it's seen
What do you guys think of this
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET Inbound
Bad POST - space at end of filename"; flow:established,to_client;
content:"Content-Disposition|3A| form-data|3b|"; nocase;
content:"filename=|22|"; pcre:"/filename=\x22\S* \x22/i";
ability.html; sid:xxxxxxx; rev:1;)
I wrote this up as an inbound rule looking for potentially malcious
posts to my forms - but could be used outbound as well looking for
clients trying to infect FB users..
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
More information about the Emerging-sigs