Re: [mod-security-users] Detecting MS15-034 attack
From: Chaim S. <CSa...@tr...> - 2015-04-22 12:36:16
Hey Morris,

We added some logic into the Trustwave commercial ruleset for this when it broke. In general we made the rule a bit more general than how you are describing, as suggested by Microsoft.

You would probably find the following interesting:
http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/

An example of a regex that takes this into account is available here:
http://pastebin.com/raw.php?i=3MAEE2Fq.

Happy Hunting

On 4/16/15, 12:14 AM, "Morris Taylor" <mo...@em...> wrote:

>Dear All,
>
> Has anyone written a customized rule for detecting the attacks
> focused on the MS15-034 vulnerability? It seems to be impossible to
> directly compare the first byte with the last byte and block the request
> when the last byte is less than the first byte, where the integer overflow
> may also occur inside mod security. Looking for advice on
> writing the rule to block the malicious request targeting the MS15-034
> vulnerability. Thanks!
>
>--
>BR, Morris
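Detection logic for the check discussed in this thread, added here as an example that is not from the mailing list, the Trustwave ruleset or the linked pastebin: it parses a Range header value, blocks inverted ranges (last byte less than first byte, the check Morris proposes) and, as the wider check Chaim alludes to, also treats any bound or computed length that would overflow a 64-bit unsigned integer as suspicious. The 64-bit width and the exact overflow arithmetic are assumptions, and the sample header values are constructed.

```python
import re

# HTTP.sys keeps byte-range bounds in 64-bit unsigned fields; the thread is
# about requests whose bounds or computed length do not fit in that width.
UINT64_MAX = (1 << 64) - 1

# One "first-last" range-spec from a "bytes=" range set (RFC 7233 syntax).
_RANGE_SPEC = re.compile(r"^\s*(\d+)\s*-\s*(\d*)\s*$")

def inspect_range_header(value):
    """Return (verdict, reason) for a Range request-header value: "block" when
    a range is inverted (last < first, the check the original question proposes)
    or when a bound, last + 1, or last - first + 1 exceeds 64 bits (the wider
    check; which arithmetic HTTP.sys performs is not in the thread: assumed).
    """
    unit, sep, range_set = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return "allow", "not a bytes range"
    for spec in range_set.split(","):
        if spec.strip().startswith("-"):
            continue  # suffix range "-N": no first-byte-pos to compare
        m = _RANGE_SPEC.match(spec)
        if not m:
            return "block", "malformed range-spec %r" % spec
        first, last_text = int(m.group(1)), m.group(2)
        if first > UINT64_MAX:
            return "block", "first-byte-pos exceeds 64 bits"
        if last_text == "":
            continue  # open-ended "N-": nothing to compare
        last = int(last_text)
        if last > UINT64_MAX:
            return "block", "last-byte-pos exceeds 64 bits"
        if last < first:
            return "block", "inverted range %d-%d" % (first, last)
        # Python ints never wrap, so the 64-bit overflow is tested explicitly.
        if last + 1 > UINT64_MAX or last - first + 1 > UINT64_MAX:
            return "block", "range arithmetic overflows 64 bits"
    return "allow", "ok"

# Constructed sample header values (not from the thread) to exercise the check.
SAMPLE_HEADERS = [
    "bytes=0-499",                   # ordinary partial request
    "bytes=500-499",                 # inverted: last < first
    "bytes=0-18446744073709551615",  # last + 1 wraps a 64-bit counter
    "bytes=-500",                    # suffix range, allowed
    "bytes=0-99,200-150",            # second range-spec is inverted
]

def scan_samples():
    """Return one verdict per entry of SAMPLE_HEADERS, in order."""
    return [inspect_range_header(h)[0] for h in SAMPLE_HEADERS]
```

Because Python integers do not wrap, the overflow has to be expressed as a comparison against UINT64_MAX rather than observed as a wrapped result, which is also why this kind of arithmetic check is awkward to express purely as a regex.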