UPDATE: The functionality from the custom Lua parser described below is now available within the standard HTTP_lua parser provided from RSA Live. If you are using this parser in your environment, the custom version attached here (including the app rule) is unnecessary.
Many of you may already be aware of a recent vulnerability known as "Options Bleed". This vulnerability affects Apache web servers and allows access to the contents of memory via the HTTP Options request method. This HTTP method is supposed to return the available methods (i.e. GET, POST, PUT, etc) to the browser. For mis-configured web hosts with this un-patched vulnerability, some of the contents of memory are returned along with the available methods.
See the following post for a good write-up on the details of Options Bleed:
Attached you will find a custom Lua parser and accompanying Application Rule to detect when this vulnerability is exploited. The parser detects the response string provided by web server given an OPTIONS request method. It then will identify whether or not the response is valid. If not, it will register the following meta key/value: