IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Seth Hall <hall.692 () osu edu>
Date: Wed, 18 Mar 2009 15:39:23 -0400

On Mar 17, 2009, at 5:43 PM, Damiano Bolzoni wrote:
(N times the same byte value, and each request a different byte)



On Mar 18, 2009, at 2:31 PM, Paul Schmehl wrote:
I don't know if any IDS could do this. You'd have to capture the value of Content-Length, insert that value into a variable, then compare that variable against the number of bytes of a single value, all while examining the same packet.



alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Web attack - overflow attempt"; flow: to_server, established; content:"POST /"; http-method; content:"Content-Length|3A|"; nocase; depth:1; content:"This is where you would have to capture the value of Content-Length"; urilen:"value of Content-Length"; pcre:"/\w/"; classtype:web-application-attack; sid:1000001; rev:1;)

It would actually be easy to identify with Bro. The problem with your signature below is that it doesn't take into account the same byte value being repeated for the total Content-Length. It's a little more hacky to make Bro identify the repeating character, but still possible. You're also ignoring the bounds Damiano placed on the value of the Content-Length header. If I have some time tonight, I'll write a script to detect this situation and post it to the list.

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
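The detection logic Seth describes above, written out here as an added Python example rather than the Bro script he says he may post; it is not code from anyone in this thread. It checks that a POST body is exactly Content-Length copies of one byte value, that Content-Length sits inside a size window, and that one client has sent such requests with several different fill bytes. The window bounds (MIN_LEN, MAX_LEN), the per-source threshold, the hostname and the sample requests are assumptions made for the example, since the thread does not quote Damiano's actual bounds.

```python
"""Detect POST requests whose body is N copies of a single byte value, where
N equals Content-Length and lies inside a size window, and flag a source that
sends a series of such requests each using a different byte.

Thresholds and sample requests below are constructed for this example; the
thread does not state Damiano's Content-Length bounds."""
from collections import defaultdict

# Assumed Content-Length window (bytes); adjust to the bounds you care about.
MIN_LEN = 64
MAX_LEN = 65536
# Assumed number of distinct fill bytes from one source before alerting.
DISTINCT_BYTES_THRESHOLD = 3


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, headers, body).
    Header names are lower-cased. Returns None if the request has no
    header/body separator or no parseable request line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers, body


def repeated_fill_byte(raw: bytes):
    """Return the fill byte (0..255) when the request is a POST whose body is
    exactly Content-Length copies of one byte and Content-Length is inside
    [MIN_LEN, MAX_LEN]; otherwise return None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, headers, body = parsed
    if method != b"POST":
        return None
    try:
        length = int(headers.get(b"content-length", b""))
    except ValueError:
        return None
    if not MIN_LEN <= length <= MAX_LEN:
        return None
    body = body[:length]
    if len(body) != length or not body:   # truncated or empty: cannot judge
        return None
    fill = body[0]
    # Compare against a body built entirely from the first byte.
    if body != bytes([fill]) * length:
        return None
    return fill


class FillByteTracker:
    """Per-source record of the distinct fill bytes seen so far; observe()
    returns True once a source has used at least `threshold` different ones."""

    def __init__(self, threshold: int = DISTINCT_BYTES_THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, src: str, raw: bytes) -> bool:
        fill = repeated_fill_byte(raw)
        if fill is None:
            return False
        self.seen[src].add(fill)
        return len(self.seen[src]) >= self.threshold


def make_post(length: int, fill: int) -> bytes:
    """Constructed sample request: a POST of `length` copies of byte `fill`."""
    return (b"POST /cgi-bin/form HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: %d\r\n\r\n" % length) + bytes([fill]) * length


if __name__ == "__main__":
    tracker = FillByteTracker()
    for fill in (0x41, 0x42, 0x43):
        print(hex(fill), tracker.observe("10.0.0.5", make_post(1024, fill)))
```

The per-source set is what captures the "each request a different byte" part of Damiano's description; a single repeated-byte POST on its own is a weaker signal and only becomes interesting once the same client cycles through several values within the window.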
