Full Disclosure mailing list archives
Re: Apache Killer
From: Marco Ermini <marco.ermini () gmail com>
Date: Thu, 25 Aug 2011 18:57:44 +0200
On 24 August 2011 16:23, ZOne wrote:
For those using Snort, a local snort rule to alert for incoming attacks might help while waiting for a patch. Example:

alert tcp $EXTERNAL_NET any -> any 80 (msg:"INBOUND Apache Killer script: Local web server is under attack."; content:"Range:bytes=0-"; classtype:denial-of-service; threshold: type threshold, track by_src, count 5, seconds 20; sid:3000005;)
For those using Snort, you should take care that this rule is very easy to break: it just detects a string "Range:bytes=0-" inside of TCP packets sent to port 80, sent five times in twenty seconds by the same IP. That is very easy to avoid, just using a different initial byte than zero, putting a space between "Range:" and "bytes", or changing the threshold. Basically it is violating rule 1 of IDS signature writing, "patch the vulnerability, not the exploit" - as just changing the exploit as little as a single space will not make it work.

I did instead the following:

# sid/rev added so the rule loads; 3000006 is a placeholder local sid, use any unused one.
# pcre matches six or more "first-last," byte-range specs in the normalized header buffer (H),
# e.g. "0-,5-0,5-1,5-2,5-3,5-4," as sent by the Apache Killer script.
alert tcp any any -> any $HTTP_PORTS ( \
    content:"Range"; nocase; http_header; \
    pcre:"/(\d+-\d*,){6,}/H"; \
    msg:"Apache DOS http://seclists.org/fulldisclosure/2011/Aug/175"; \
    reference:cve,2011-3192; \
    sid:3000006; rev:1; )

However this is certainly not the best possible as I am no Snort rules guru. Also I have not tested it.

Another one possibly faster, can be something like the following (again I have not tested it):

# fragment only: the Range header is "Range: bytes=0-,5-0,5-1,..." so allow optional
# whitespace before "bytes=" and do not anchor with ^, which would require Range to be the first header
pcre:"/Range:\s*bytes=\d+-\d*,\d+-\d+,\d+-\d+,\d+-\d+,\d+-\d+,\d+-\d+,/H"; \

Cheers
--
Marco Ermini
root@human # mount -t life -o ro /dev/dna /genetic/research
http://www.linkedin.com/in/marcoermini
"Jesus saves... but Buddha makes incremental back-ups!"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
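The "patch the vulnerability, not the exploit" point above, as an added example that is not part of the thread or of either poster's rules: instead of matching the literal string "Range:bytes=0-", the detector below parses the HTTP Range header into its byte-range-set and counts the ranges, which is the property the CVE-2011-3192 attack actually depends on. The sample requests are constructed here (not captured traffic), the 200-range threshold is an assumption chosen for illustration, and the Request-Range header is included because the Apache advisory for this CVE covers both header names.

```python
"""Range-header flood detector for CVE-2011-3192 (Apache 'Range' DoS).

Added example, not code from the Full Disclosure thread.  It contrasts a
literal-string match (what the quoted Snort rule does) with counting the
byte ranges a request carries, which survives the trivial evasions named
in the thread: a space after "Range:" or a first byte other than 0.
"""
import re

# RFC 2616 byte-range-spec ("first-last", "first-") or suffix-byte-range-spec ("-suffix").
_RANGE_SPEC = re.compile(r"^\s*(?:\d+\s*-\s*\d*|-\s*\d+)\s*$")
# Apache handled the legacy Request-Range header the same way as Range.
_RANGE_HEADERS = ("range", "request-range")


def build_killer_range(n_ranges=1300, first=0):
    """Constructed header value in the shape the Apache Killer script sends:
    'bytes=0-,5-0,5-1,...'.  'first' varies the leading byte for the evasion case."""
    return "bytes=%d-," % first + ",".join("5-%d" % i for i in range(n_ranges))


def parse_headers(raw_request):
    """Return (lowercased-name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def count_byte_ranges(value):
    """Count well-formed ranges in a Range value; 0 if it is not a 'bytes=' range."""
    if not value.lower().startswith("bytes"):
        return 0
    rest = value[5:].lstrip()
    if not rest.startswith("="):
        return 0
    return sum(1 for spec in rest[1:].split(",") if _RANGE_SPEC.match(spec))


def is_range_flood(raw_request, max_ranges=200):
    """True if any Range/Request-Range header carries more than max_ranges ranges.
    max_ranges=200 is an assumed threshold for this example."""
    return any(count_byte_ranges(v) > max_ranges
               for n, v in parse_headers(raw_request) if n in _RANGE_HEADERS)


def literal_match(raw_request):
    """What the quoted Snort rule does: a fixed-string match, no header parsing."""
    return "Range:bytes=0-" in raw_request


def _request(range_header_line):
    """Wrap one constructed Range header line in a minimal GET request."""
    return ("GET / HTTP/1.1\r\nHost: victim.example\r\n"
            + range_header_line + "\r\nAccept-Encoding: gzip\r\n\r\n")


# Constructed samples: the original attack shape, two trivial evasions, two benign requests.
SAMPLES = {
    "killer":          _request("Range:" + build_killer_range()),
    "killer_evaded":   _request("Range: " + build_killer_range(first=1)),
    "killer_reqrange": _request("Request-Range: " + build_killer_range()),
    "benign_single":   _request("Range: bytes=0-499"),
    "benign_multi":    _request("Range: bytes=0-9,10-19,20-29"),
}


def evaluate():
    """Map sample name -> (literal rule fired, range-count detector fired)."""
    return {name: (literal_match(r), is_range_flood(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (lit, flood) in evaluate().items():
        print("%-16s literal=%-5s range-count=%s" % (name, lit, flood))
```

The literal match fires only on the unmodified script output; the range counter fires on all three attack variants and stays quiet on the two benign requests. Snort's `pcre` with the `H` modifier can express the same idea (count range specs in the header buffer), as the rule in the message above attempts, but a repetition count in a regex is the nearest an IDS signature gets to the structural check shown here.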
Current thread:
- Re: Apache Killer, (continued)
- Re: Apache Killer root (Aug 25)
- Re: Apache Killer -= Glowing Sex =- (Aug 23)
- Re: Apache Killer Davide Guerri (Aug 24)
- Re: Apache Killer -= Glowing Sex =- (Aug 24)
- Re: Apache Killer Davide Guerri (Aug 24)
- Re: Apache Killer Jan Gehring (Aug 24)
- Re: Apache Killer Jari Fredriksson (Aug 24)
- Re: Apache Killer Davide Guerri (Aug 24)
- Re: Apache Killer Jari Fredriksson (Aug 24)
- Re: Apache Killer ZOne (Aug 25)
- Re: Apache Killer Marco Ermini (Aug 25)
- Re: Apache Killer David (Aug 25)
- Re: Apache Killer Douglas Huff (Aug 24)
- Re: Apache Killer Douglas Huff (Aug 24)
- Re: Apache Killer Davide Guerri (Aug 24)
- Re: Apache Killer -= Glowing Sex =- (Aug 24)
- Re: Apache Killer -= Glowing Sex =- (Aug 20)
- Re: Apache Killer Sheran Gunasekera (Aug 21)