--On Tuesday, March 17, 2009 22:01:48 +0100 Damiano Bolzoni
<[email protected]> wrote:
> On 16/03/2009 19.39, Paul Schmehl wrote:
> > Unless you can be more specific, I'm going to call your claim bogus. It
> > is entirely possible to write one snort signature that will detect
> > *every* instance of an attempt to overflow a buffer in a particular
> > application no matter what the attack "signature" is. You just have to
> > understand the snort logic and syntax and understand packet analysis
> > well enough.
> I don't see the words "buffer overflow" in my post, so maybe it's possible to
> write a signature to catch *any* instances exploiting a certain buffer
> overflow...but I'm more interested in the following. Can you write a *single*
> signature to detect this:
>
> POST / HTTP/1.1
> ...
> Content-Length: N (1000 <= N <= 204800)
>
> AAAAAAAAAAAAAAAAAAAA....
> or
> BBBBBBBBBBBBBBBBBBBB....
> or
> 11111111111111111111.....
>
> (N times the same byte value, and each request a different byte)
>
> I would be really thankful (and I'm not being sarcastic).
I don't know if any IDS could do this. You'd have to capture the value of
Content-Length, insert that value into a variable, then compare that variable
against the number of bytes of a single value, all while examining the same
packet.
Conceptually, the rule would look like this:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Web attack - overflow
attempt"; flow: to_server, established; content:"POST /"; http-method;
content:"Content-Length|3A|"; nocase; depth:1; content:"This is where you would
have to capture the value of Content-Length"; urilen:"value of Content-Length";
pcre:"/\w/"; classtype:web-application-attack; sid:1000001; rev:1;)
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
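The check described in the reply above (capture Content-Length, then compare it against a run of one repeated byte in the same request), written as a stand-alone Python detector. This is an added example, not code from the thread or from Snort; the sample requests, the host name and the function names are constructed for it. It also shows that the "N copies of the same byte, any byte value" class can be matched by a single backreference regex rather than one pattern per byte value.

```python
import re

# Constructed sample requests (not from the thread): a 1200-byte run of "A"
# and a normal form POST whose body mixes bytes.
SUSPECT = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1200\r\n\r\n"
           + b"A" * 1200)
BENIGN = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\n"
          b"user=a&pw=bb")

MIN_LEN, MAX_LEN = 1000, 204800  # bounds quoted in the challenge above

# One backreference matches any byte repeated MIN_LEN..MAX_LEN times, so the
# byte value itself never has to be enumerated in the signature.
RUN_RE = re.compile(rb"(.)\1{%d,%d}" % (MIN_LEN - 1, MAX_LEN - 1), re.DOTALL)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, headers dict, body), or None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def is_uniform_overflow(raw: bytes) -> bool:
    """True when a POST declares Content-Length N within bounds and its body
    is exactly N copies of a single byte (whatever that byte is)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, headers, body = parsed
    if method != b"POST":
        return False
    try:
        n = int(headers.get(b"content-length", b""))
    except ValueError:
        return False
    if not MIN_LEN <= n <= MAX_LEN or len(body) < n:
        return False
    body = body[:n]  # honour the declared length, ignore trailing pipelined data
    return RUN_RE.fullmatch(body) is not None


if __name__ == "__main__":
    print("suspect:", is_uniform_overflow(SUSPECT))  # True
    print("benign:", is_uniform_overflow(BENIGN))    # False
```

The regex alone answers the "which byte" part of the question; tying the run length to the declared Content-Length still needs the extraction step, which is the part a single content match cannot express.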