[Bro] working with MS15-034

Vlad Grigorescu vlad at grigorescu.org
Thu Apr 16 09:52:38 PDT 2015


Well... they're not equal. :-)

magic is 18446744073709551615,
while d is 18446740000000000000

See this:

http://try.bro.org/#/trybro/saved/3786

On Thu, Apr 16, 2015 at 11:47 AM, Josh Liburdi <liburdi.joshua at gmail.com>
wrote:

> Better version here: http://try.bro.org/#/trybro/saved/3782
>
> On Thu, Apr 16, 2015 at 9:45 AM, Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
> > I agree, I think doubles are the way to go ... but the behavior is
> > odd: http://try.bro.org/#/trybro/saved/3780
> >
> > It doesn't recognize the numbers as being equal.
> >
> > Josh
> >
> > On Thu, Apr 16, 2015 at 9:43 AM, Vlad Grigorescu <vlad at grigorescu.org>
> wrote:
> >> You can use to_double:
> >>
> >>> $ bro -e 'print to_double("987654321123456789");'
> >>> 9.876543e+17
> >>
> >>   --Vlad
> >>
> >> On Thu, Apr 16, 2015 at 11:19 AM, Aaron Gee-Clough <lists at g-clef.net>
> wrote:
> >>>
> >>>
> >>> True, but I was hoping to do more than just detect the magic number. I
> >>> was hoping to be able to say something along the lines of:
> >>>
> >>>         if (name == "RANGE" && value > 2^64 )
> >>>
> >>> My thinking here is that I don't want to play whack-a-mole with magic
> >>> numbers. I would like to flag any request for an offset that big as a
> >>> potential problem.
> >>>
> >>> aaron
> >>>
> >>> On 04/16/2015 12:11 PM, Josh Liburdi wrote:
> >>> >
> >>> > The Range header value in Bro should be a string-- if you're looking
> >>> > to detect a specific magic number in this value, then instead of
> >>> > converting the values to counts, you could match it like this by
> >>> > leaving that magic number as a string:
> >>> >
> >>> > if ( name == "RANGE" && "string" in value )
> >>> >
> >>> > Josh
> >>> >
> >>> > On Thu, Apr 16, 2015 at 4:33 AM, Aaron Gee-Clough <lists at g-clef.net>
> >>> > wrote:
> >>> >>
> >>> >> All,
> >>> >>
> >>> >> I'm working on a bro script to detect attempts for the
> >>> >> recently-announced IIS attack. I've hit an interesting issue: There's a
> >>> >> magic number that gets sent in the HTTP "RANGE" header to trigger the
> >>> >> vulnerability, and that number is 2^64. This is right at the edge of
> >>> >> what a "count" variable can hold, and it wraps around a regular "int"
> >>> >> variable.
> >>> >>
> >>> >> I'd like to be able to detect anyone sending any number >= 2^64 in a
> >>> >> RANGE header, but I don't see how to do that with count variables in
> >>> >> bro. Does anyone have any ideas of how I can do this? Right now I'm
> >>> >> looking at doing something truly nasty, like comparing the length of the
> >>> >> strings holding the Range values. I'm *really* not happy with that,
> >>> >> though...it feels like a really ugly hack.
> >>> >>
> >>> >> aaron
> >>> >> _______________________________________________
> >>> >> Bro mailing list
> >>> >> bro at bro-ids.org
> >>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >>
>
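The check Aaron describes (flag any Range offset too large for a 64-bit count instead of matching one magic string), together with the to_double precision surprise Vlad points out, as an added example that is not part of this thread or of Bro itself. It is written in Python rather than Bro script so that the comparison uses arbitrary-precision integers and can be run stand-alone; the byte-range parser, the restriction to the `bytes=` unit and the default limit of 2^64 - 1 are this example's own assumptions, not anything from the thread.

```python
import re

# Largest value a 64-bit unsigned integer (a Bro "count") can hold, 2^64 - 1.
# It is also the number quoted in the thread: 18446744073709551615.
UINT64_MAX = 2**64 - 1

# One byte-range spec per RFC 7233: "first-last", "first-" or "-suffix".
# Whitespace tolerance is an assumption made for robustness against
# attacker-controlled input; the RFC grammar itself is stricter.
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_offsets(value: str) -> list:
    """Return every numeric offset found in a Range header value.

    Python ints are arbitrary precision, so a 20-digit offset is compared
    exactly instead of wrapping (int) or rounding (double).  Malformed specs
    and non-"bytes" units are skipped rather than raising, because the
    client controls this field and a parse error must not crash the sensor.
    """
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    offsets = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec)
        if m is None:
            continue
        for digits in m.groups():
            if digits:
                offsets.append(int(digits))
    return offsets


def suspicious_offsets(value: str, limit: int = UINT64_MAX) -> list:
    """Offsets that are >= limit.

    With the default limit this flags the known trigger value and anything
    larger, so there is no per-number signature to keep updating.  The limit
    is a tunable assumption; a site may choose a far lower bound.
    """
    return [o for o in parse_range_offsets(value) if o >= limit]


def double_loses_precision(n: int) -> bool:
    """True when converting n to a double changes its value.

    A double has a 53-bit mantissa, so 18446744073709551615 rounds up to
    exactly 2^64 and an equality test against the converted value fails,
    which is what the try.bro examples in the thread show.
    """
    return int(float(n)) != n


if __name__ == "__main__":
    # Constructed header values, not captured traffic.
    for hdr in ("bytes=0-1023",
                "bytes=0-18446744073709551615",
                "bytes=0-1023,-500, 99999999999999999999-"):
        print(hdr, "->", suspicious_offsets(hdr))
    print("double exact for 2^64-1:", not double_loses_precision(UINT64_MAX))
```

The parser deliberately collects every offset in a multi-range header, since a large value can sit in the first, last or suffix position; a string-length heuristic like the one Aaron mentions would only catch the first number it happened to measure.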

