[Bro] working with MS15-034

Aaron Gee-Clough lists at g-clef.net
Thu Apr 16 09:19:08 PDT 2015

True, but I was hoping to do more than just detect the magic number. I
was hoping to be able to say something along the lines of:

	if (name == "RANGE" && value > 2^64 )

My thinking here is that I don't want to play whack-a-mole with magic
numbers. I would like to flag any request for an offset that big as a
potential problem.


On 04/16/2015 12:11 PM, Josh Liburdi wrote:
> The Range header value in Bro should be a string-- if you're looking
> to detect a specific magic number in this value, then instead of
> converting the values to counts, you could match it like this by
> leaving that magic number as a string:
> if ( name == "RANGE" && "string" in value )
> Josh
> On Thu, Apr 16, 2015 at 4:33 AM, Aaron Gee-Clough <lists at g-clef.net> wrote:
>> All,
>> I'm working on a bro script to detect attempts for the
>> recently-announced IIS attack. I've hit an interesting issue: There's a
>> magic number that gets sent in the HTTP "RANGE" header to trigger the
>> vulnerability, and that number is 2^64. This is right at the edge of
>> what a "count" variable can hold, and it wraps around a regular "int"
>> variable.
>> I'd like to be able to detect anyone sending any number >= 2^64 in a
>> RANGE header, but I don't see how to do that with count variables in
>> bro. Does anyone have any ideas of how I can do this? Right now I'm
>> looking at doing something truly nasty, like comparing the length of the
>> strings holding the Range values. I'm *really* not happy with that,
>> though...it feels like a really ugly hack.
>> aaron
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list