Prelude detection rules for Apache leak (OptionsBleed)
On September 18, 2017, journalist Hanno Böck discovered a new vulnerability in the Apache Foundation's HTTP server. It affects both the current 2.4 series and the older 2.2 series.
If you're using the HTTP protocol in everyday Internet use you are usually only using two of its methods: GET and POST. However, HTTP has a number of other methods, so I wondered what you can do with them and if there are any vulnerabilities.
One HTTP method is called OPTIONS. It simply allows asking a server which other HTTP methods it supports. The server answers with the “Allow” header and gives us a comma separated list of supported methods.
A scan of the Alexa Top 1 Million revealed something strange: Plenty of servers sent out an “Allow” header with what looked like corrupted data.
To detect an attacker trying to retrieve information using this vulnerability, the Prelude team developed the following rules that can be used together:
- Correlation rule to detect active attacks
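An added illustration of the two checks such rules rest on, written for this page and not part of Prelude's rule set: a parser that flags an Allow header whose tokens are not HTTP methods (the symptom described above; it assumes response headers are available, for instance from a proxy log or a periodic OPTIONS self-check of your own server), and a sliding-window correlation over Apache access-log lines that reports a client sending a burst of OPTIONS requests. The log lines, client addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IANA-registered HTTP methods; extend for WebDAV/CalDAV extras (REPORT, ...).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
# RFC 7230 "token" characters: a real method name contains nothing else.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def allow_header_is_corrupt(value):
    """True if an Allow value carries something that is not an HTTP method
    (non-token bytes or an unknown name), as leaked memory echoed back would."""
    for item in value.split(","):
        item = item.strip()
        if not item:  # empty list elements are legal in HTTP list syntax
            continue
        if not TOKEN_RE.match(item) or item not in KNOWN_METHODS:
            return True
    return False

# Apache combined log: client, ident, user, [timestamp], "METHOD path proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) ')

def options_floods(lines, threshold=20, window=timedelta(seconds=60)):
    """Correlation check: clients that sent >= threshold OPTIONS requests
    inside any `window`, the traffic pattern repeated probing produces."""
    recent = defaultdict(list)
    alerts = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "OPTIONS":
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        bucket = recent[ip]
        bucket.append(ts)
        while ts - bucket[0] > window:  # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.add(ip)
    return sorted(alerts)

# Constructed sample log: 25 OPTIONS in 25 s from one client, one from another.
SAMPLE_LOG = [
    f'198.51.100.7 - - [18/Sep/2017:10:00:{i:02d} +0000] "OPTIONS / HTTP/1.1" 200 - "-" "probe"'
    for i in range(25)
] + [
    '203.0.113.5 - - [18/Sep/2017:10:00:10 +0000] "OPTIONS / HTTP/1.1" 200 - "-" "curl/7.55"',
]
```

Tune the threshold and window to the baseline OPTIONS rate of your own site (CORS preflights from browsers are a legitimate source of OPTIONS traffic) before turning the correlation into an alert.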