OASIS Mailing List Archives

 




Subject: EVDL Detect thoughts



I have an idea for the Detect part: to reuse some parts I developed for 
Protect. I am posting an example detection recipe below. Thoughts?

<detectRecipe
     maintainSession="false"
 >

     <!-- Each message instance represents one
          HTTP request/response pair. The following
          is a simple GET request. -->
     <message
         name = "m1"
         method = "GET"
         uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php?p=1&amp;p=2"
     />

     <!-- The following message will be executed 500 ms after m1
          is completed. -->
     <message
         name = "m2"
         method = "GET"
         uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php"
         version = "HTTP/1.0"
         waitFor = "m1"
         delay = "500"
     >

         <addParam name="highlight" value="xyz" />
         <addHeader ... />
         <setCookie ... />

     </message>

     <!-- Example of a POST request with a raw body supplied. The
          request will be made after m2 completes. -->
     <message
         name = "m3"
         method = "POST"
         uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php"
         waitFor = "m2"
     >

         <setBody>
         ...
         </setBody>

     </message>


     <!-- One or more detection rulesets follow here, in a format that is
          pretty much the same as the one of the Detect part. The rules
          should be able to reference data from all messages specified.
          For example: m1.response.raw_body. -->


</detectRecipe>

-- 
Ivan Ristic (http://www.modsecurity.org)


