Worawit-
Good idea regarding the web rules. Modifying case is a common IDS
evasion technique.
For example, nikto can use these methods for IDS evasion (excerpt from -help):
IDS Evasion Techniques:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing
I could do some testing to see what evasion techniques might get past OSSEC.
-Chuck (MdMonk)
On 5/4/07, Worawit Wang <worawita@xxxxxxxxx> wrote:
Hi all,
<SNIP>
Also I have a request about web rules. Can you modify OSSEC to match URL rules case-insensitively? Because it's very easy to evade detection, such as by using "SeLeCt" for doing SQL injection.
Thanks,
Worawit
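Added example, not part of the original thread and not OSSEC's own code: a sketch of the detection-side fix discussed above, which canonicalizes a logged URL (case, URI encoding, `/./`, `\`, TAB) before comparing it with signatures. The signature list, function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical lowercase signatures; not OSSEC's actual web rules.
SIGNATURES = ["select ", "union "]

def normalize(url: str) -> str:
    """Canonicalize a logged URL so cosmetic variations cannot hide a match."""
    url = url.replace("+", " ")            # form-style encoded space
    prev = None
    for _ in range(3):                     # bounded loop undoes double encoding
        if url == prev:
            break
        prev, url = url, unquote(url)
    url = url.replace("\\", "/")           # Windows directory separator
    url = re.sub(r"/(\./)+", "/", url)     # directory self-reference (/./)
    url = re.sub(r"\s+", " ", url)         # TAB or repeated whitespace as spacer
    return url.casefold()                  # case-insensitive comparison

def match_raw(url: str) -> list:
    """Case-sensitive substring match on the URL exactly as logged."""
    return [s for s in SIGNATURES if s in url]

def match_normalized(url: str) -> list:
    """Same signatures, applied after canonicalization."""
    norm = normalize(url)
    return [s for s in SIGNATURES if s in norm]

# Constructed sample request URLs (not taken from real logs).
SAMPLES = [
    "/index.php?id=1+UnIoN+SeLeCt+name+from+users",
    "/app/./item.asp?id=1%20sElEcT%09name",
    "/docs/Selection.html",                # benign: must not alert
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r}: raw={match_raw(url)} normalized={match_normalized(url)}")
```

Normalizing once before rule evaluation keeps the rules themselves simple and lowercase, and the benign `Selection.html` sample shows why the signature carries a trailing space.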