[Bro] working with MS15-034

Wier, Timothy A. tim.wier at cuchicago.edu
Thu Apr 16 10:10:31 PDT 2015


This is what I’ve been playing with: http://try.bro.org/#/trybro/saved/3789.

Not sure how it will run in production.
Tim

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vlad Grigorescu
Sent: Thursday, April 16, 2015 11:53 AM
To: Josh Liburdi
Cc: bro at bro.org
Subject: Re: [Bro] working with MS15-034

Well... they're not equal. :-)

magic is 18446744073709551615,
while d is 18446740000000000000

See this:

http://try.bro.org/#/trybro/saved/3786

On Thu, Apr 16, 2015 at 11:47 AM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
Better version here: http://try.bro.org/#/trybro/saved/3782

On Thu, Apr 16, 2015 at 9:45 AM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> I agree, I think doubles are the way to go ... but the behavior is
> odd: http://try.bro.org/#/trybro/saved/3780
>
> It doesn't recognize the numbers as being equal.
>
> Josh
>
> On Thu, Apr 16, 2015 at 9:43 AM, Vlad Grigorescu <vlad at grigorescu.org> wrote:
>> You can use to_double:
>>
>>> $ bro -e 'print to_double("987654321123456789");'
>>> 9.876543e+17
>>
>>   --Vlad
>>
>> On Thu, Apr 16, 2015 at 11:19 AM, Aaron Gee-Clough <lists at g-clef.net> wrote:
>>>
>>>
>>> True, but I was hoping to do more than just detect the magic number. I
>>> was hoping to be able to say something along the lines of:
>>>
>>>         if (name == "RANGE" && value > 2^64 )
>>>
>>> My thinking here is that I don't want to play whack-a-mole with magic
>>> numbers. I would like to flag any request for an offset that big as a
>>> potential problem.
>>>
>>> aaron
>>>
>>> On 04/16/2015 12:11 PM, Josh Liburdi wrote:
>>> >
>>> > The Range header value in Bro should be a string-- if you're looking
>>> > to detect a specific magic number in this value, then instead of
>>> > converting the values to counts, you could match it like this by
>>> > leaving that magic number as a string:
>>> >
>>> > if ( name == "RANGE" && "string" in value )
>>> >
>>> > Josh
>>> >
>>> > On Thu, Apr 16, 2015 at 4:33 AM, Aaron Gee-Clough <lists at g-clef.net> wrote:
>>> >>
>>> >> All,
>>> >>
>>> >> I'm working on a bro script to detect attempts for the
>>> >> recently-announced IIS attack. I've hit an interesting issue: There's a
>>> >> magic number that gets sent in the HTTP "RANGE" header to trigger the
>>> >> vulnerability, and that number is 2^64. This is right at the edge of
>>> >> what a "count" variable can hold, and it wraps around a regular "int"
>>> >> variable.
>>> >>
>>> >> I'd like to be able to detect anyone sending any number >= 2^64 in a
>>> >> RANGE header, but I don't see how to do that with count variables in
>>> >> bro. Does anyone have any ideas of how I can do this? Right now I'm
>>> >> looking at doing something truly nasty, like comparing the length of
>>> >> the strings holding the Range values. I'm *really* not happy with that,
>>> >> though...it feels like a really ugly hack.
>>> >>
>>> >> aaron
>>> >> _______________________________________________
>>> >> Bro mailing list
>>> >> bro at bro-ids.org
>>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

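Here is an added example (not code from this thread, and written in Python rather than as a Bro script) of the check Aaron describes: the Range value is parsed into exact integers so the comparison neither wraps like a count nor rounds like a double, and to_double_rounded shows why the two values Vlad printed are not equal. The threshold, the parser's regexes and the sample header values are assumptions.

```python
import re

# 18446744073709551615 is 2**64 - 1: the largest value a Bro `count` (uint64)
# can hold and the exact upper offset quoted in the thread.
MAGIC_OFFSET = 18446744073709551615
UINT64_MAX = 2**64 - 1

# Constructed parser for the "bytes=first-last[,first-last...]" form only.
_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.*?)\s*$", re.IGNORECASE)
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def range_offsets(value):
    """Parse a Range header into [(first, last), ...] as exact Python ints.

    A missing end (suffix form "bytes=-500") is None; malformed specs and
    non-byte units are skipped, so an unparseable header yields [].
    """
    m = _BYTES_RE.match(value)
    if not m:
        return []
    offsets = []
    for spec in m.group(1).split(","):
        sm = _SPEC_RE.match(spec.strip())
        if not sm or sm.group(0) == "-":
            continue
        first = int(sm.group(1)) if sm.group(1) else None
        last = int(sm.group(2)) if sm.group(2) else None
        offsets.append((first, last))
    return offsets


def suspicious_offsets(value, threshold=UINT64_MAX):
    """Return every offset in the header that is >= threshold.

    Python ints do not wrap, so the comparison is exact: the magic offset
    (== UINT64_MAX) is caught, and so is anything larger than a count holds.
    """
    return [n for first, last in range_offsets(value)
            for n in (first, last) if n is not None and n >= threshold]


def to_double_rounded(text):
    """Mimic what to_double() does to a 20-digit value: a double has a 53-bit
    mantissa, so the nearest representable double is returned as an exact int."""
    return int(float(text))


def survives_double(text):
    """True only if the decimal string round-trips through a double unchanged."""
    return to_double_rounded(text) == int(text)
```

The magic offset rounds up to exactly 2**64 when converted to a double, which is why a double-based comparison against the original count does not come out equal.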