NetWitness Community

Mitchell Hanks‌ Thanks for your contribution and collaboration to get this into RSA Live. 

The following content is available on RSA Live.

Parser:  HTTP_lua

Meta:  Service Analysis (analysis.service) = http invalid allow methods

Description:  The meta will be registered when "allow" and "access-control-allow-methods" headers contain characters other than letters, commas, asterisk, and spaces.

If the functionality of the options_bleed.lua parser has been included in the HTTP_lua we don't need the options_bleed.parser. But the options_bleed_apprule triggered on analysis.session='garbled http options allow string' && service = 80 && action = 'options'.

I'm guessing I need to modify the rule to now trigger on analysis.session='http invalid allow methods'. And does the service and action meta still exist in the parsed values?

Alert still on 'ioc'?

Thanks.

You don't need the app rule either. Just the HTTP_lua parser and pivot on

Meta:  Service Analysis (analysis.service) = http invalid allow methods

That gives a lot of information to pivot on if you are in Investigation. But if we want to create an app rule, or esa rule to trigger on this traffic just the analysis.service meta doesn't have any use. Is there any additional specific meta that is triggered within the parser if a pcap of CVE-2017-9798 is pushed through?

The capability as implemented in HTTP_lua is different than as implemented in the parser attached to the original post.  The parser in the original post matched many sessions, and the app rule was necessary to filter those down.

As implemented in HTTP_lua, the detection is significantly more specific.  It looks for HTTP "allow:" and "access-control-allow-methods" headers for the following conditions:

  leading comma    ,GET

  paired comma    GET,,POST

  non-alphanumeric(*, -, and spaces excepted)    GET,?

  doesn't contain at least one alphanumeric     ,   ,

  repetition    GET,POST,GET

If seen, then analysis.service meta "http invalid allow methods" is registered.

Of course that may or not indicate an attempt to specifically exploit the options bleed vulnerability.  Nor, if it was, that the attempt was successful.  Neither did the original parser / rule combination.  It simply means what it says, that invalid allow headers were seen - for whatever reason.

You could, if you wanted, filter that down to only those sessions in which the OPTIONS request method was used.  However you may miss some visibility since that request method may not be the only for which a server may include the header.  An invalid allow header may not be the result of an attempt to exploit the options bleed vulnerability via an options request, but it may still be interesting.

I have some traffic being triggered on analysis.service = 'http invalid allow methods', but the 'access-control-allow-methods' are the following: Access-Control-Allow-Methods: * and nothing with an http response of Allow:
And then I have traffic being triggered with Allow: GET,HEAD,POST,OPTIONS,,HEAD and no Access-Control-Allow-Methods: in the http response.

The traffic with the Allow: GET,HEAD,POST,OPTIONS,,HEAD is from a pcap to trigger the CVE.

I'm guessing the Allow: GET,HEAD,POST,OPTIONS,,HEAD triggers the (doesn't contain at least one alphanumeric , ,) in the parser?

"GET,HEAD,POST,OPTIONS,,HEAD"  would trigger due to the double comma between OPTIONS and HEAD.

A lone asterisk ("*") will trigger due to lack of an alphanumeric.  An exception should probably be carved out for that.

To close the loop:  the latest version of HTTP_lua will not alert for a lone asterisk ("*").