Subject: EVDL Detect thoughts
I have an idea for the Detect part to reuse some parts I developed for Protect. I am posting an example detection recipe below. Thoughts?

<detectRecipe maintainSession="false">

    <!-- Each message instance represents one HTTP request/response pair.
         The following is a simple GET request. -->
    <message
        name = "m1"
        method = "GET"
        uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php?p=1&p=2"
    />

    <!-- The following message will be executed 500 ms after m1 is
         completed. -->
    <message
        name = "m2"
        method = "GET"
        uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php"
        version = "HTTP/1.0"
        waitFor = "m1"
        delay = "500"
    >
        <addParam name="highlight" value="xyz" />
        <addHeader ... />
        <setCookie ... />
    </message>

    <!-- Example of a POST request with a raw body supplied. The request
         will be made after m2 completes. -->
    <message
        name = "m3"
        method = "POST"
        uri = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php"
        waitFor = "m2"
    >
        <setBody>
            ...
        </setBody>
    </message>

    <!-- One or more detection rulesets follow here, in a format that
         is pretty much the same to one of the Detect part. The rules
         should be able to reference data from all messages specified.
         For example: m1.response.raw_body. -->

</detectRecipe>

--
Ivan Ristic (http://www.modsecurity.org)
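Added example, not part of the original post and not EVDL project code: a Python sketch of how a scanner could turn such a recipe into an ordered request plan, resolving the waitFor/delay dependencies and the ${context.*} variables and rejecting dangling or cyclic waitFor references before anything is sent. The function names, the context values and the well-formed sample recipe (with `&` escaped as `&amp;`) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from graphlib import TopologicalSorter  # raises CycleError, a ValueError subclass

# Constructed sample modelled on the recipe in the post; child elements
# (addParam, addHeader, setCookie, setBody) are left out. m3 is listed first
# to show that ordering comes from waitFor, not from document order.
URI = "${context.scheme}://${context.hostname}/${context.basedir}/vulnerable.php"
RECIPE = f"""
<detectRecipe maintainSession="false">
  <message name="m3" method="POST" uri="{URI}" waitFor="m2"/>
  <message name="m1" method="GET" uri="{URI}?p=1&amp;p=2"/>
  <message name="m2" method="GET" uri="{URI}" version="HTTP/1.0"
           waitFor="m1" delay="500"/>
</detectRecipe>
"""

def expand(template, context):
    """Substitute ${context.key}; an undefined key is an error, not ''."""
    def sub(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"undefined variable context.{key}")
        return context[key]
    return re.sub(r"\$\{context\.(\w+)\}", sub, template)

def plan(recipe_xml, context):
    """Return [(name, method, uri, delay_ms)] in an order honouring waitFor."""
    messages = {}
    for m in ET.fromstring(recipe_xml).findall("message"):
        if m.get("name") in messages:
            raise ValueError(f"duplicate message name {m.get('name')}")
        messages[m.get("name")] = m
    graph = {}
    for name, m in messages.items():
        dep = m.get("waitFor")
        if dep is not None and dep not in messages:
            raise ValueError(f"{name} waits for unknown message {dep}")
        graph[name] = {dep} if dep else set()
    # static_order() yields every message after the one it waits for and
    # raises CycleError when the waitFor references form a loop.
    steps = []
    for name in TopologicalSorter(graph).static_order():
        m = messages[name]
        uri = expand(m.get("uri"), context)
        # delay is taken as milliseconds to wait after the dependency completes
        steps.append((name, m.get("method"), uri, int(m.get("delay", "0"))))
    return steps

if __name__ == "__main__":
    ctx = {"scheme": "https", "hostname": "test.example", "basedir": "app"}  # constructed
    for step in plan(RECIPE, ctx):
        print(step)
```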