For some reason this didn't come across the list when I sent it the
other night. In case it has to do with the attachments, I'll include
URLs to the files here.
On Mar 18, 2009, at 4:21 PM, Damiano Bolzoni wrote:
I have to admit I have never looked at Bro signatures, although I
know it approaches the problem differently. So, I'm really curious. :)
To be completely up front about it, this script is not in a shape that
I would actually run it on our network traffic. I would likely do
quite a few extra cleanups and additions to it before using it. Links
to the script and to two traces (a matching trace and a non-matching
trace) in a zip file are included at the bottom.
I'll include a short demo of the script here as well.
=====================
$> cp ~/bro_scripts/ids-focus_example.bro ~/bro.trunk/
$> cd ~/bro.trunk/
$> export BROPATH=./policy:.
$> ./src/bro -f"ip" -r ~/http-overflow.trace -C ids-focus_example.bro
Potential HTTP overflow attack 192.168.3.103/54074 > 128.146.216.51/http
URL Path: /
Attempts overflow with 2000 instances of character: "R"
=====================
ftp://ftp.infosec.ohio-state.edu/pub/users/seth/outgoing/ids-focus_example.bro
ftp://ftp.infosec.ohio-state.edu/pub/users/seth/outgoing/example-traces.zip
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
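To illustrate the kind of check the demo output above reports (a long run of one repeated character in the request URI), here is an added Python example; it is not Seth's Bro script and does not reproduce it. The request-line regex, the 1000-character threshold, and the sample request lines are my own assumptions, constructed for the example.

```python
import re
from typing import Optional, Tuple

# Flag any run of one repeated character at or above this length. The demo
# above reports 2000; the 1000 cut-off here is an assumed value for illustration.
RUN_THRESHOLD = 1000

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")
RUN_RE = re.compile(r"(.)\1*")  # maximal run of a single repeated character

def longest_run(s: str) -> Tuple[str, int]:
    """Return (char, length) of the longest repeated-character run in s."""
    best = ("", 0)
    for m in RUN_RE.finditer(s):
        n = m.end() - m.start()
        if n > best[1]:
            best = (m.group(1), n)
    return best

def check_request(line: str, threshold: int = RUN_THRESHOLD) -> Optional[Tuple[str, str, int]]:
    """Parse one HTTP request line; return (path, char, count) when the
    request URI holds a run of >= threshold identical characters, else None.
    Lines that are not a well-formed request line are ignored."""
    m = REQUEST_LINE_RE.match(line)
    if m is None:
        return None
    uri = m.group("uri")
    path = uri.split("?", 1)[0]  # path component without the query string
    char, count = longest_run(uri)
    return (path, char, count) if count >= threshold else None

def alert(src: str, dst: str, line: str) -> Optional[str]:
    """Render a hit in the same shape as the demo output above."""
    hit = check_request(line)
    if hit is None:
        return None
    path, char, count = hit
    return (f"Potential HTTP overflow attack {src} > {dst}\nURL Path: {path}\n"
            f'Attempts overflow with {count} instances of character: "{char}"')

# Constructed sample request lines (not taken from the traces in the post).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",                              # benign
    "GET /index.html?id=42 HTTP/1.1",              # benign
    "GET /?" + "R" * 2000 + " HTTP/1.1",           # 2000 "R"s in the query
    "POST /search?q=" + "A" * 300 + " HTTP/1.0",   # long, but under threshold
]
```

Calling `alert("192.168.3.103/54074", "128.146.216.51/http", SAMPLE_REQUESTS[2])` yields the three-line message in the same form as the demo; the other constructed requests return None.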