On Fri, 21 Aug 2015 17:51:20 -0700 Kevin P Dyer kpdyer@gmail.com wrote:
On Wed, Aug 19, 2015 at 11:58 AM, Yawning Angel yawning@schwanenlied.me wrote:
[snip]
The FTE semantic attack they presented isn't the easiest one I know of (the GET request as defined by the regex is pathologically malformed).
Very interesting! This is news to me. I'm assuming I did something silly. (Even though I tested it against bro, wireshark, etc.)
Huh. I brought it up in conversation with a few people and was under the impression it was passed on. I probably should have e-mailed you about it or something.
How is it pathologically malformed?
"manual-http-request": { "regex": "^GET\ \/([a-zA-Z0-9\.\/]*) HTTP/1\.1\r\n\r\n$" },
No "Host" header. All complaint requests MUST include one per RFC 2616, and all compliant servers MUST respond with a 400 if it is missing.
Since requests of that sort should invoke the error path on RFC compliant servers it's a really good distinguisher since legitimate clients will not do such a thing. Existing realistic adversaries already have "identify 'suspicious behavior', call back to confirm" style filtering in production, so false positive rate can be reduce to 0 if needed.
Regards,