Thursday, August 25, 2011

This is why we have nice things

A lot of people have been freaking out about the "Apache Killer" tool released on Full-Disclosure last Friday. It is an effective way to cause a Denial of Service (DoS) against an Apache web server (the byte-range handling bug tracked as CVE-2011-3192), and it is readily accessible to your average malfeasant. The good news is that you don't need to let your hair catch fire over it, because the VRT had it covered before the tool was even released.

Specifically, the http_inspect preprocessor has an option, max_header_length, to alert on overly long header fields. The "Range:" header the tool sends to trigger the bug lists over a thousand overlapping byte ranges and runs to several kilobytes, well over a single packet, so it easily trips GID 119, SID 19 (the "Long Header" alert), which the standard open source snort.conf sets to fire on any header field longer than 750 bytes. For those using the Sourcefire corporate product, this option defaults to 0 (disabled); it can easily be turned on, and even a value as high as 1,500 will still catch the attack. Keep in mind that this alert fires on any long header field, not just Range, so environments with legitimately large headers (big cookies, for example) should tune the limit accordingly.

Meanwhile, we've included GID 1, SID 19825 in today's release, which matches "Range:" headers built the specific way this tool builds them (a long run of overlapping byte ranges) rather than simply long headers. Not only does this make it easy to tell your boss you've got coverage in place for this crazy new tool, it also provides coverage for anyone whose environment causes the long-header preprocessor alert to generate false positives.
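To make the two layers of coverage concrete, here is an added example (not Snort, VRT or Sourcefire code) that re-creates both checks over constructed requests: a generic long-header check with a configurable limit, where 0 means disabled as in http_inspect's max_header_length, and a Range-specific check that counts the byte ranges in a Range (or legacy Request-Range) header. The request bodies, the 5-range cut-off (an assumption, chosen to match the Apache project's interim mod_rewrite mitigation, which rejected more than five ranges) and the practice of measuring the whole "Name: value" line are all assumptions of this example, not details taken from the post or from the real rules.

```python
"""Added example, not Snort/VRT code: toy versions of the two checks the
post describes, run over constructed HTTP requests.

  * LONG_HEADER: a header field line longer than a limit, in the spirit of
    http_inspect's max_header_length (GID 119, SID 19); 0 disables it.
  * RANGE_DOS: a Range/Request-Range header carrying an abusive number of
    byte ranges, the shape of attack GID 1, SID 19825 is aimed at.
"""
import re

# Constructed to mimic the shape of the tool's request: one open-ended range
# followed by hundreds of tiny, overlapping ranges ("5-0", "5-1", ...).
KILLER_REQUEST = (
    b"HEAD / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Range: bytes=0-," + b",".join(b"5-%d" % i for i in range(1300)) + b"\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed ordinary partial-content request (e.g. a media player resuming).
BENIGN_REQUEST = (
    b"GET /video.mp4 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Range: bytes=0-1023,2048-4095\r\n"
    b"\r\n"
)


def parse_request_headers(raw):
    """Return [(name, value, raw_line_length)] for the request's header block.

    The raw line length (name, colon, value, as on the wire) is what the
    long-header check measures; that choice is an assumption of this example."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                               # not a header field
        fields.append((name.strip().decode("latin-1"),
                       value.strip().decode("latin-1"),
                       len(line)))
    return fields


_BYTES_UNIT = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def count_byte_ranges(range_value):
    """Number of comma-separated specs in a 'bytes=' Range value; 0 if the
    unit is not bytes (other units cannot reach the byte-range code)."""
    m = _BYTES_UNIT.match(range_value)
    if not m:
        return 0
    return sum(1 for spec in m.group(1).split(",") if spec.strip())


def inspect_request(raw, max_header_length=750, max_ranges=5):
    """Return [(alert, header_name, measured_value)] for one request.

    max_header_length=750 is the stock snort.conf value the post cites, and
    0 disables the check as it does in http_inspect.  max_ranges=5 is an
    assumed threshold (the Apache project's interim mitigation rejected
    Range headers with more than five ranges)."""
    alerts = []
    for name, value, raw_len in parse_request_headers(raw):
        if max_header_length and raw_len > max_header_length:
            alerts.append(("LONG_HEADER", name, raw_len))
        # Apache also honours the legacy Request-Range header, so check both.
        if name.lower() in ("range", "request-range"):
            n = count_byte_ranges(value)
            if n > max_ranges:
                alerts.append(("RANGE_DOS", name, n))
    return alerts


if __name__ == "__main__":
    for label, req in (("killer", KILLER_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(req))
```

With the constructed attack request the Range line is 8,005 bytes and carries 1,301 ranges, so it trips both checks at the 750 and 1,500 byte limits; disabling the long-header check (limit 0) still leaves the Range-specific alert, which is the point of shipping a dedicated rule. The benign two-range request produces no alert under either check.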

You may now return to your regularly scheduled programming.