[Bro] Fwd: working with MS15-034

Josh Liburdi liburdi.joshua at gmail.com
Thu Apr 16 09:12:58 PDT 2015


Forwarding to the rest of the Bro list ...


---------- Forwarded message ----------
From: Josh Liburdi <liburdi.joshua at gmail.com>
Date: Thu, Apr 16, 2015 at 9:11 AM
Subject: Re: [Bro] working with MS15-034
To: Aaron Gee-Clough <lists at g-clef.net>


The Range header value in Bro should be a string-- if you're looking
to detect a specific magic number in this value, then instead of
converting the values to counts, you could match it like this by
leaving that magic number as a string:

if ( name == "RANGE" && "string" in value )

Josh

On Thu, Apr 16, 2015 at 4:33 AM, Aaron Gee-Clough <lists at g-clef.net> wrote:
>
> All,
>
> I'm working on a bro script to detect attempts for the
> recently-announced IIS attack. I've hit an interesting issue: There's a
> magic number that gets sent in the HTTP "RANGE" header to trigger the
> vulnerability, and that number is 2^64. This is right at the edge of
> what a "count" variable can hold, and it wraps around a regular "int"
> variable.
>
> I'd like to be able to detect anyone sending any number >= 2^64 in a
> RANGE header, but I don't see how to do that with count variables in
> bro. Does anyone have any ideas of how I can do this? Right now I'm
> looking at doing something truly nasty, like comparing the length of the
> strings holding the Range values. I'm *really* not happy with that,
> though...it feels like a really ugly hack.
>
> aaron
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
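
An added example, not part of the original thread and not Bro script code: a Python sketch of comparing Range bounds against 2^64 while keeping them as decimal strings, so no 64-bit conversion can wrap. The names `decimal_ge`, `oversized_range_values`, and `THRESHOLD`, and the sample header values, are assumptions made for illustration.

```python
import re
from typing import List

# Bound named in the thread (2^64), kept as a decimal string on purpose.
THRESHOLD = "18446744073709551616"

# One byte-range-spec: "first-last", "first-" or "-suffix".
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def decimal_ge(a: str, b: str) -> bool:
    """Compare two non-negative decimal strings without integer conversion."""
    # Strip zero padding first, otherwise a length check misjudges "0000...1".
    a = a.lstrip("0") or "0"
    b = b.lstrip("0") or "0"
    if len(a) != len(b):
        return len(a) > len(b)
    # Equal length: lexicographic order of digits equals numeric order.
    return a >= b


def oversized_range_values(value: str, threshold: str = THRESHOLD) -> List[str]:
    """Return every bound in a Range header value that is >= threshold."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    hits = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if m:
            hits.extend(n for n in m.groups() if n and decimal_ge(n, threshold))
    return hits


# Constructed sample Range header values (not taken from real traffic).
SAMPLES = [
    "bytes=0-499",
    "bytes=0-18446744073709551616",
    "bytes=0-00000000000000000000001",
    "bytes=0-99, 100-99999999999999999999999",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", oversized_range_values(sample))
```

The comparison uses only string length and string ordering, so the same logic can be expressed in a language whose integer type stops at 64 bits.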

