[Owasp-modsecurity-core-rule-set] About file upload with trojan horse detect

Junyong Jiang dreamice.jiang at gmail.com
Fri Aug 14 19:47:07 EDT 2009


Thank you Ryan for your suggestions, I will have a try.

2009/8/15 Ryan Barnett <ryan.barnett at breach.com>

>  On Thursday 13 August 2009 09:42:38 pm Junyong Jiang wrote:
> > Ryan,
> >
> > Thanks for your reply.
> >
> > Yes, the client uses a file upload interface to upload a file, for
> > example a.asp. Then he accesses a.asp and executes the code in a.asp. I do
> > not know how to prevent the attack. Can we check the upload-file's type when
> > the client uploads this file? Sometimes, the attacker may modify the suffix of
> > the file for cheating the file-suffix checking.
> >
> > Could you give me some advice?
> >
>
>
> The CRS already has backdoor access rules in the
> modsecurity_crs_45_trojans.conf file. These rules will identify if/when a
> client tries to access a backdoor webpage. These rules are important as
> users can possibly upload these files through non-web protocols (FTP,
> etc...). In your case, however, you want to prevent the files from being
> uploaded through the web interface to begin with. What you could possibly do
> is to take the trojan access rules from the 45 file and apply the same
> signatures to the REQUEST_BODY variable instead of RESPONSE_BODY. This may
> work somewhat but it is not foolproof. If you have some examples of the
> backdoor html code, you could create some rules based on it.
>
>
> -Ryan
>
>
>
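
The idea discussed in the thread, inspecting the uploaded content in the request body rather than trusting the file suffix, sketched in Python as an added example (not part of the thread and not CRS code). The extension allowlist, the marker pattern, the function names and the sample request are all constructed for illustration.

```python
import os
import re
from email import message_from_bytes
from email.policy import HTTP

# Constructed for illustration: not the signatures from modsecurity_crs_45_trojans.conf.
ALLOWED_EXT = {".jpg", ".png", ".gif", ".txt"}
SCRIPT_MARKERS = re.compile(rb"<%|<\?php|<script[^>]*\brunat\s*=", re.I)

def inspect_upload(content_type, body):
    """Return [(filename, [reasons])] for uploaded file parts that should be rejected."""
    # Reuse the stdlib MIME parser by putting the request's Content-Type before the body.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        name = part.get_filename()
        if name is None:
            continue  # ordinary form field, not a file
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name.lower())[1]
        if ext not in ALLOWED_EXT:
            reasons.append("extension not allowed: " + (ext or "(none)"))
        # The content check ignores the suffix, so a renamed script is still caught.
        if SCRIPT_MARKERS.search(data):
            reasons.append("server-side script marker in content")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample request; the ASP content is harmless and only prints a string.
SAMPLE_CTYPE = "multipart/form-data; boundary=xBOUNDARYx"

def _part(disposition, content):
    return (b"--xBOUNDARYx\r\nContent-Disposition: form-data; " + disposition
            + b"\r\n\r\n" + content + b"\r\n")

SAMPLE_BODY = (
    _part(b'name="title"', b"holiday")
    + _part(b'name="f1"; filename="a.asp"', b'<% Response.Write("hello") %>')
    + _part(b'name="f2"; filename="photo.jpg"', b'<% Response.Write("hello") %>')
    + _part(b'name="f3"; filename="notes.txt"', b"plain text")
    + b"--xBOUNDARYx--\r\n"
)

if __name__ == "__main__":
    for name, reasons in inspect_upload(SAMPLE_CTYPE, SAMPLE_BODY):
        print(name, "->", "; ".join(reasons))
```

Binary files can contain the two-byte `<%` sequence by chance, so a marker scan like this will produce some false positives on images.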