IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 18 Mar 2009 22:08:54 +0000
--On Wednesday, March 18, 2009 15:39:23 -0400 Seth Hall <hall.692 () osu edu> wrote:
> It would actually be easy to identify with Bro. The problem with your signature below is that it doesn't take into account the same byte value being repeated for the total Content-Length.
>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Web attack - overflow attempt"; flow: to_server, established; content:"POST /"; http-method; content:"Content-Length3A"; nocase; depth:1; content:"This is where you would have to capture the value of Content-Length"; urilen:"value of Content-Length"; pcre:"/\w/"; classtype:web-application-attack; sid:1000001; rev:1;)

Yes, that's true.

> It's a little more hacky to make Bro identify the repeating character, but still possible. You're also ignoring the bounds Damiano placed on the value of the Content-Length header.

That's because Snort doesn't have a way to define the bounds for that value, AFAIK.

> If I have some time tonight, I'll write a script to detect this situation and post it to the list.

I'll be interested to see that.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
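The check Seth and Paul are discussing, written out as an added example (this is not code from the thread, from Bro, or from Snort): a small Python checker that parses a raw HTTP POST, pulls the Content-Length value, requires it to fall inside a window, and then tests whether the body is one byte value repeated for exactly that length. The window bounds MIN_CONTENT_LENGTH and MAX_CONTENT_LENGTH are placeholders, since Damiano's actual bounds are not stated in this message, and the sample requests are constructed here rather than captured.

```python
"""
Detect a POST whose body is a single byte value repeated for the whole
Content-Length, with Content-Length inside a configured window.
Added example; the window bounds are assumptions, not Damiano's real ones.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_CONTENT_LENGTH = 1024   # assumed lower bound on Content-Length
MAX_CONTENT_LENGTH = 65536  # assumed upper bound on Content-Length


@dataclass
class Verdict:
    alert: bool
    reason: str
    content_length: Optional[int] = None
    repeated_byte: Optional[int] = None


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, Dict[bytes, bytes], bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    Header names are lower-cased so 'content-length' and 'Content-Length'
    both match (the job 'nocase' does in the Snort rule above).
    Returns None when the request line or a header line is malformed.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def check_post(raw: bytes,
               lo: int = MIN_CONTENT_LENGTH,
               hi: int = MAX_CONTENT_LENGTH) -> Verdict:
    """Alert only when every condition holds: the request is a POST, its
    Content-Length is numeric and within [lo, hi], the full body of that
    length is present, and every body byte equals the first one.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict(False, "unparseable request")
    method, _uri, headers, body = parsed
    if method != b"POST":
        return Verdict(False, "not a POST")
    cl_raw = headers.get(b"content-length")
    if cl_raw is None or not cl_raw.isdigit():
        return Verdict(False, "missing or non-numeric Content-Length")
    cl = int(cl_raw)
    if cl == 0 or not lo <= cl <= hi:
        return Verdict(False, f"Content-Length {cl} outside [{lo}, {hi}]", cl)
    if len(body) < cl:
        # Only a complete (reassembled) body can be judged; a partial
        # capture must neither fire nor be silently treated as clean.
        return Verdict(False, "body shorter than Content-Length", cl)
    body = body[:cl]
    first = body[0]
    if body != bytes([first]) * cl:
        return Verdict(False, "body is not a single repeated byte", cl)
    return Verdict(True, "repeated-byte POST body", cl, first)


# Constructed sample requests (not real captures).
def _post(body: bytes, cl: Optional[int] = None) -> bytes:
    cl = len(body) if cl is None else cl
    return (b"POST /cgi-bin/upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: " + str(cl).encode() + b"\r\n\r\n" + body)


ATTACK = _post(b"A" * 4096)                    # 4096 x 0x41, inside window
BENIGN = _post(b"user=alice&" + b"x" * 2000)   # inside window, mixed bytes
TOO_SHORT = _post(b"A" * 8)                    # repeated byte, below window
PARTIAL = _post(b"A" * 100, cl=4096)           # header promises more than seen

if __name__ == "__main__":
    for name, req in [("ATTACK", ATTACK), ("BENIGN", BENIGN),
                      ("TOO_SHORT", TOO_SHORT), ("PARTIAL", PARTIAL)]:
        print(name, check_post(req))
```

The point the thread turns on is visible in the last three checks of check_post: the Content-Length value has to be captured, compared against the window, and then compared against the body, which is stateful work over the reassembled request rather than a fixed content match. That is also why the PARTIAL case returns no alert: on live traffic the check only makes sense once the whole body for that connection has been seen, which is the kind of per-connection analysis Seth is describing for Bro.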
Current thread:
- Re: Intrusion Detection Evaluation Datasets, (continued)
- Re: Intrusion Detection Evaluation Datasets Stuart Staniford (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Paul Schmehl (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Joel Esler (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Paul Schmehl (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Joel Esler (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Ravi Chunduru (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Paul Schmehl (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Martin Roesch (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Jim Sansing (Ritasa LLC) (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Martin Roesch (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Ravi Chunduru (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Ravi Chunduru (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 16)