Re: Intrusion Detection Evaluation Datasets

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On Wednesday, March 18, 2009 15:39:23 -0400 Seth Hall <hall.692 () osu edu> 
wrote:
> > alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Web attack -
> > overflow attempt"; flow: to_server, established; content:"POST /";
> > http-method; content:"Content-Length3A"; nocase;  depth:1;
> > content:"This is where you would have to capture the value of
> > Content-Length"; urilen:"value of Content-Length"; pcre:"/\w/";
> > classtype:web-application-attack; sid:1000001; rev:1;)
>
> It would actually be easy to identify with Bro.  The problem with your
> signature below is that it doesn't take into account the same byte value
> being repeated for the total Content-Length.

Yes, that's true.

>  It's a little more hacky to
> make Bro identify the repeating character, but still possible.  You're also
> ignoring the bounds Damiano placed on the value of the Content-Length header.

That's because snort doesn't have a way to define the bounds for that value, 
AFAIK.

> If I have some time tonight, I'll write a script to detect this situation and
> post it to the list.

I'll be interested to see that.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.