IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 18 Mar 2009 18:31:45 +0000
--On Tuesday, March 17, 2009 22:01:48 +0100 Damiano Bolzoni <damiano.bolzoni () utwente nl> wrote:
> On 16/03/2009 19.39, Paul Schmehl wrote:
>> Unless you can be more specific, I'm going to call your claim bogus. It is entirely possible to write one snort signature that will detect *every* instance of an attempt to overflow a buffer in a particular application no matter what the attack "signature" is. You just have to understand the snort logic and syntax and understand packet analysis well enough.
>
> I don't see the words "buffer overflow" in my post, so maybe it's possible to write a signature to catch *any* instances exploiting a certain buffer overflow... but I'm more interested in the following. Can you write a *single* signature to detect this:
>
>   POST / HTTP/1.1
>   ...
>   Content-Length: N   (1000 <= N <= 204800)
>
>   AAAAAAAAAAAAAAAAAAAA....
>   or BBBBBBBBBBBBBBBBBBBB....
>   or 11111111111111111111.....
>
> (N times the same byte value, and each request a different byte)
>
> I would be really thankful (and I'm not being sarcastic).
I don't know if any IDS could do this. You'd have to capture the value of Content-Length, insert that value into a variable, then compare that variable against the number of bytes of a single value, all while examining the same packet.
Conceptually, the rule would look like this:

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Web attack - overflow attempt"; \
  flow:to_server,established; \
  content:"POST /"; http-method; \
  content:"Content-Length|3A|"; nocase; depth:1; \
  content:"This is where you would have to capture the value of Content-Length"; \
  urilen:"value of Content-Length"; \
  pcre:"/\w/"; \
  classtype:web-application-attack; sid:1000001; rev:1;)
-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
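The check Paul describes above (capture the Content-Length value, then test whether the body is that many copies of one byte) written out as stand-alone Python, added here as an example rather than code from the thread. The sample requests it builds are constructed, and it expects a fully reassembled request rather than a single packet.

```python
# Bounds quoted in the thread: 1000 <= N <= 204800
MIN_LEN, MAX_LEN = 1000, 204800


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers, body).

    Header names are lower-cased and values stripped. Returns None when the
    header block is not terminated, i.e. the request is still incomplete.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_repeated_byte_post(raw: bytes) -> bool:
    """True when a POST declares Content-Length N within [MIN_LEN, MAX_LEN]
    and its body is exactly N copies of a single byte value (any value)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    request_line, headers, body = parsed
    if not request_line.startswith(b"POST "):
        return False
    length = headers.get(b"content-length", b"")
    if not length.isdigit():
        return False
    n = int(length)
    if not MIN_LEN <= n <= MAX_LEN:
        return False
    body = body[:n]
    # A single packet rarely carries a 200 KB body: without stream
    # reassembly the body is short and no verdict can be given yet.
    if len(body) != n:
        return False
    # Compare against N copies of the body's own first byte rather than a
    # fixed letter, so A..., B..., 1... are all caught by one check.
    return body == body[:1] * n


def build_request(body: bytes, method: bytes = b"POST", length=None) -> bytes:
    """Constructed sample request for demonstration (not captured traffic)."""
    if length is None:
        length = len(body)
    return (method + b" / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: " + str(length).encode() + b"\r\n\r\n" + body)
```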