Ok, I will reply to both using this message.

On Mar 18, 2009, at 2:31 PM, Paul Schmehl wrote:
I don't know if any IDS could do this. You'd have to capture the value
of Content-Length, insert that value into a variable, then compare
that variable against the number of bytes of a single value, all while
examining the same packet.

Ok...so, it's not easy to catch any attack variation right? :)
Btw, Snort did detect one attack instance, because a signature for IIS has something like 100 times the same byte value in it. The problem is not only in catching the content length and storing it somewhere for later comparison...it would already be difficult to detect that the same byte value is repeated over and over (and every time it is different). Why? Because Snort (and in general any other signature-based IDS) uses regular expressions...in a regular expression you can only state that an expression must not occur at all, could occur, can occur once or more, or can occur a number of times (but you cannot say how many times exactly). That's what I referred to when I said that one should rewrite the regular expression engine. It's "easy" to match a regular expression (by building the equivalent finite automaton), but it's more difficult to validate expressions that contain the same value over and over. You can read the following Wikipedia article:

http://en.wikipedia.org/wiki/Formal_grammar

It would actually be easy to identify with Bro. The problem with your
signature below is that it doesn't take into account the same byte value
being repeated for the total Content-Length. It's a little more hacky to
make Bro identify the repeating character, but still possible. You're
also ignoring the bounds Damiano placed on the value of the
Content-Length header. If I have some time tonight, I'll write a script
to detect this situation and post it to the list.

I have to admit I have never looked at Bro signatures, although I know it approaches the problem differently. So, I'm really curious. :)

Cheers

--
Damiano Bolzoni

[email protected]
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: [email protected]

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4892477
Mobile +31 629 008724
ZILVERLING building, room 3013
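The check the thread says a plain regular expression cannot express (the declared Content-Length captured from the header and then compared against the body, plus "the same byte value repeated that many times") is straightforward in procedural code. The following is an added Python example, not code from Damiano, Paul or the Bro list; the Content-Length bounds are an assumption standing in for the ones the thread mentions but does not quote, and the sample requests are constructed.

```python
import re

# Assumed bounds on the declared Content-Length; the thread refers to
# bounds Damiano set but does not quote them, so these are placeholders.
MIN_LEN = 64
MAX_LEN = 4096

# A regex can pull the header value out, but not reuse it as a count.
HEADER_RE = re.compile(rb"^Content-Length:[ \t]*(\d+)[ \t]*$", re.I | re.M)


def split_request(raw: bytes):
    """Split a raw HTTP request into (headers, body); assumes CRLF framing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (None, None)


def declared_length(head: bytes):
    """Return the Content-Length value as an int, or None if absent."""
    m = HEADER_RE.search(head)
    return int(m.group(1)) if m else None


def is_repeated_byte_body(raw: bytes, lo: int = MIN_LEN, hi: int = MAX_LEN) -> bool:
    """True when Content-Length is within [lo, hi], the body is exactly that
    long, and every body byte has the same value (whatever that value is)."""
    head, body = split_request(raw)
    if head is None:
        return False
    n = declared_length(head)
    if n is None or not (lo <= n <= hi):
        return False
    body = body[:n]            # only the declared body counts
    if len(body) != n:
        return False           # truncated or oversized: not this pattern
    # The step no regex can state: "byte X, repeated exactly n times",
    # with n taken from the header of the same request.
    return body == body[:1] * n


def build_request(body: bytes) -> bytes:
    """Constructed sample POST whose Content-Length matches the body."""
    return (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


if __name__ == "__main__":
    for body in (b"A" * 100, b"\x90" * 300, b"A" * 99 + b"B", b"A" * 10,
                 b"user=alice&action=login"):
        print(len(body), is_repeated_byte_body(build_request(body)))
```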
