exploits listings in http script (was: [Logwatch] ignore.conf entry)

Markus Lude lude at informatik.uni-tuebingen.de
Sat Mar 4 16:44:07 MST 2006


On Tue, Feb 28, 2006 at 06:59:34PM -0800, Mike Tremaine wrote:
> On Tue, 2006-02-28 at 19:38 -0700, Bjorn L. wrote:

[someone had a problem with "null" in his urls, the string "null" is
also in the exploit list]

> > I think the problem is with the "exploits" matching.  The
> > http script matches on strings it considers suspicious,
> > even if the http response code is successful.  One of
> > these matches was incompletely specified.
> 
> Still odd that ignore did not strip these.
> 
> Cameron has this....
> > > GET.*HTTP.*200
> > > HTTP\/1.1"\s200
> 
> The " should be escaped also. But try these instead
> 
> HTTP Response 200
> HTTP\/1\.0\" 200
> 
> 
> > We've talked before about the problems with this exploit
> > detection - what do people think about removing it?
> 
> You know the http is not my favorite :), you should probably push this
> to the devel list.
> 
> -Mike

I added some more to my local installation. It's nice to see some or
most of the common probes, but I'm aware that on some installations it
is confusing if some of the usual scripts mentioned under exploits are
installed. I haven't this problem, cause I don't run any of these common
scripts. If too many other may have this problem, we could drop it or
make it optional.

Regards,
Markus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 185 bytes
Desc: not available
Url : http://ip70-176-100-107.ph.ph.cox.net/pipermail/logwatch/attachments/20060304/84c837eb/attachment.bin


More information about the Logwatch mailing list