Ido_Breger_3805
Aug 31, 2011Historic F5 Account
Latest Apache range headers DOS vulnerability signature suggestion
Hi ,
You probably heard about this latest Apace DOS vulnerability.
http://www.kb.cert.org/vuls/id/405811
Here is a suggestion to add 2 signatures that will block such attack (based on the assumption that no more than 5 range values)
1. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[\t ]*?bytes[\t ]*?=(?:[\t\d-]+?,){5}/Hi";
2. headercontent:"Range"; nocase; pcre:"/(?:Request-)?Range:[^\r\n]{256}/Hi";