[Bro] working with MS15-034

Aaron Gee-Clough lists at g-clef.net
Thu Apr 16 04:33:36 PDT 2015


All,

I'm working on a bro script to detect attempts for the
recently-announced IIS attack. I've hit an interesting issue: There's a
magic number that gets sent in the HTTP "RANGE" header to trigger the
vulnerability, and that number is 2^64. This is right at the edge of
what a "count" variable can hold, and it wraps around a regular "int"
variable.

I'd like to be able to detect anyone sending any number >= 2^64 in a
RANGE header, but I don't see how to do that with count variables in
bro. Does anyone have any ideas of how I can do this? Right now I'm
looking at doing something truly nasty, like comparing the length of the
strings holding the Range values. I'm *really* not happy with that,
though...it feels like a really ugly hack.

aaron
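
An overflow-safe way to make the comparison asked about above, as an added example that is not part of the original message: it is written in Python rather than Bro script, and it compares the decimal strings directly (length after stripping leading zeros, then digit order) so no value is ever converted to a fixed-width integer. The function names and the sample header values are constructed for illustration.

```python
import re

# 2^64 written as a decimal string: the threshold named in the message above.
TWO_64 = "18446744073709551616"

# One byte-range-spec: "first-last", "first-" or "-suffix".
_SPEC = re.compile(r"^\s*([0-9]*)\s*-\s*([0-9]*)\s*$")


def decimal_ge(value, threshold=TWO_64):
    """True if decimal string value >= threshold, without integer conversion."""
    v = value.lstrip("0") or "0"
    t = threshold.lstrip("0") or "0"
    if len(v) != len(t):
        return len(v) > len(t)  # more significant digits means a larger number
    return v >= t  # same length: string order equals numeric order


def oversized_range_values(header_value, threshold=TWO_64):
    """Return every number in a Range header value that is >= threshold."""
    unit, sep, specs = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    hits = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m:
            continue  # malformed spec: nothing numeric to compare
        for number in m.groups():
            if number and decimal_ge(number, threshold):
                hits.append(number)
    return hits


# Constructed sample header values, not captured traffic.
SAMPLES = [
    "bytes=0-499",
    "bytes=0-10000000000000000000",     # 20 digits but below 2^64
    "bytes=0-18446744073709551616",     # exactly 2^64
    "bytes=0-00018446744073709551616",  # leading zeros change the raw length
    "bytes=0-99, 5-99999999999999999999999",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {oversized_range_values(s)}")
```

A comparison on raw string length alone would flag the second sample and depends on how many zeros pad the fourth, which is why the zeros are stripped and equal-length values are compared digit by digit.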

