[Bro] working with MS15-034

Aaron Gee-Clough lists at g-clef.net
Thu Apr 16 10:38:19 PDT 2015

Many thanks for the help, everyone.

In case others are interested, here's where I ended up for the MS15-034
detector script. The reason for all the string splits is that I noticed
some legit "range" requests on my network included multiple ranges,
separated by commas. So, I had to check all of them.


Comments/speed improvements always welcome.


On 04/16/2015 07:33 AM, Aaron Gee-Clough wrote:
> All,
> I'm working on a bro script to detect attempts for the
> recently-announced IIS attack. I've hit an interesting issue: There's a
> magic number that gets sent in the HTTP "RANGE" header to trigger the
> vulnerability, and that number is 2^64. This is right at the edge of
> what a "count" variable can hold, and it wraps around a regular "int"
> variable.
> I'd like to be able to detect anyone sending any number >= 2^64 in a
> RANGE header, but I don't see how to do that with count variables in
> bro. Does anyone have any ideas of how I can do this? Right now I'm
> looking at doing something truly nasty, like comparing the length of the
> strings holding the Range values. I'm *really* not happy with that,
> though...it feels like a really ugly hack.
> aaron
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list