[Bro] working with MS15-034

Aaron Gee-Clough lists at g-clef.net
Thu Apr 16 04:33:36 PDT 2015


I'm working on a bro script to detect attempts for the
recently-announced IIS attack. I've hit an interesting issue: There's a
magic number that gets sent in the HTTP "RANGE" header to trigger the
vulnerability, and that number is 2^64. This is right at the edge of
what a "count" variable can hold, and it wraps around a regular "int"

I'd like to be able to detect anyone sending any number >= 2^64 in a
RANGE header, but I don't see how to do that with count variables in
bro. Does anyone have any ideas of how I can do this? Right now I'm
looking at doing something truly nasty, like comparing the length of the
strings holding the Range values. I'm *really* not happy with that,
though...it feels like a really ugly hack.


More information about the Bro mailing list