IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Seth Hall <hall.692 () osu edu>
Date: Wed, 18 Mar 2009 15:39:23 -0400
On Mar 17, 2009, at 5:43 PM, Damiano Bolzoni wrote:
(N times the same byte value, and each request a different byte)
On Mar 18, 2009, at 2:31 PM, Paul Schmehl wrote:
I don't know if any IDS could do this. You'd have to capture the value of Content-Length, insert that value into a variable, then compare that variable against the number of bytes of a single value, all while examining the same packet.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Web attack - overflow attempt"; flow: to_server, established; content:"POST /"; http-method; content:"Content-Length|3A|"; nocase; depth:1; content:"This is where you would have to capture the value of Content-Length"; urilen:"value of Content-Length"; pcre:"/\w/"; classtype:web-application-attack; sid:1000001; rev:1;)
It would actually be easy to identify with Bro. The problem with your signature below is that it doesn't take into account the same byte value being repeated for the total Content-Length. It's a little more hacky to make Bro identify the repeating character, but still possible. You're also ignoring the bounds Damiano placed on the value of the Content-Length header. If I have some time tonight, I'll write a script to detect this situation and post it to the list.
.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
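The check Seth describes (read the Content-Length of a POST, confirm it falls inside Damiano's bounds, then confirm the body is one byte value repeated Content-Length times) only works once the request has been reassembled, which is why it is awkward in a per-packet Snort rule and straightforward in a stream-aware engine such as Bro. The following Python is an added example written for this archive page; it is not Bro script, not Paul's rule, and not code from any poster. The Content-Length bounds MIN_LEN and MAX_LEN are placeholders: the thread refers to Damiano's bounds but does not state them here. The sample requests are constructed inline.

```python
"""Detect an HTTP POST whose body is a single byte value repeated
Content-Length times, deciding on the reassembled request rather than
on one packet. Added example for this mailing-list page, not code from
the thread."""
import re
from typing import Optional, Tuple

# Assumed bounds on Content-Length (hypothetical; the thread does not
# state the values Damiano used).
MIN_LEN = 64
MAX_LEN = 65536

HEADER_END = b"\r\n\r\n"
# One Content-Length header line; header names are case-insensitive.
CL_RE = re.compile(rb"^content-length:[ \t]*(\d+)[ \t]*\r?$", re.I | re.M)


def parse_request(data: bytes) -> Optional[Tuple[bytes, int, bytes]]:
    """Split reassembled client->server bytes into (method, content_length, body).

    Returns None while the headers are incomplete, when Content-Length is
    missing or duplicated (do not guess), or when the body has not fully
    arrived yet, so a verdict is never made on a partial body."""
    idx = data.find(HEADER_END)
    if idx < 0:
        return None
    head, body = data[:idx], data[idx + len(HEADER_END):]
    method = head.split(b" ", 1)[0]
    lengths = CL_RE.findall(head)
    if len(lengths) != 1:
        return None
    clen = int(lengths[0])
    if len(body) < clen:
        return None
    return method, clen, body[:clen]


def is_repeated_byte(body: bytes) -> bool:
    """True when every byte of a non-empty body equals the first byte."""
    return len(body) > 0 and body.count(body[0]) == len(body)


def classify(data: bytes, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> str:
    """Return 'alert', 'benign', 'ignore', 'out_of_bounds' or 'incomplete'."""
    parsed = parse_request(data)
    if parsed is None:
        return "incomplete"
    method, clen, body = parsed
    if method != b"POST":
        return "ignore"
    if not (min_len <= clen <= max_len):
        return "out_of_bounds"
    return "alert" if is_repeated_byte(body) else "benign"


class StreamDetector:
    """Per-connection buffer standing in for a stream reassembler: segments
    are appended until the whole request is present, then classified."""

    def __init__(self) -> None:
        self.buf = {}

    def feed(self, conn, segment: bytes) -> str:
        self.buf[conn] = self.buf.get(conn, b"") + segment
        verdict = classify(self.buf[conn])
        if verdict != "incomplete":
            del self.buf[conn]
        return verdict


# Constructed sample traffic (not captured data).
SAMPLE_ATTACK = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 200\r\n\r\n" + b"A" * 200)
SAMPLE_BENIGN = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 200\r\n\r\n" + b"user=bob&pass=secret" * 10)

if __name__ == "__main__":
    det = StreamDetector()
    conn = ("10.0.0.5", 40001)
    # The body arrives in two segments; no verdict until it is complete.
    print(det.feed(conn, SAMPLE_ATTACK[:90]))   # incomplete
    print(det.feed(conn, SAMPLE_ATTACK[90:]))   # alert
    print(classify(SAMPLE_BENIGN))               # benign
```

Note that the detector refuses to decide on a request with a missing or duplicated Content-Length and never classifies a body it has not fully seen, which is the part a single-packet signature cannot express.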