IPS http custom sig

Unanswered Question
Jan 22nd, 2009

I'm not sure if this is possible, but I have a situation where I'm trying to identify an attacker who is constantly screen scraping my website. The challenge is that the attacker's traffic is first sent to a CDM so the source IP is modified before it gets to me. The CDM inserts a response header (X-Client-IP) into the HTTP request containing the source address of the attacker.

attacker <-> CDM <-> my web server

How would I (or is it even possible) create a custom sig to look at the incoming response header "X-Client-IP" to identify 20 hits from the same attacker in 1 minute? The attacker's address could change at any time, so I can't hard code his IP in the signature's "request regex" variable. I need the system to keep track of all incoming request headers and identify anyone who trips the 20 hit limit.

Thanks in advance!

andrgrif Mon, 01/26/2009 - 15:49

Hello,

To answer your first question, you could create a service-http signature on header-regex of:

^X-Client-IP:

(with perhaps [0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9] for IPv4 addresses).

As for the changing IP addresses, I don't know of any way to handle that within the regex. However, if the X-Client-IP address is within a certain range (i.e., class C/B), you could include that in the regex above.

You might be able to do a suitable alert with event management software, however, I don't know of any way of doing exactly what you want with a single signature (though I may be wrong and it may be possible).

I have some questions which may help with writing a suitable signature though:

How different are the IP addresses used in X-Client-IP?

Have you tested if the CDM passes on the client's X-Client-IP header (if specified), or if it replaces the header completely (or possibly inserts an additional header)?

If the client's X-Client-IP header is honoured, then the client might be inserting random IP addresses to try and trick software using X-Client-IP.
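The per-address counting the question asks for cannot be expressed in a single header-regex signature, as the answer above notes, but it is easy to do in the event-management or log-analysis layer the answer points to. The following is an added example (not code from the original thread, and not Cisco IPS configuration): it matches the `X-Client-IP` header line with a regex in the spirit of the one suggested above (`\.` instead of `\x2e`), keeps a sliding 60-second window of hits per client address, and reports any address that reaches 20 hits. It also handles the spoofing caveat raised in the answer: if a request carries more than one `X-Client-IP` header, it keeps the last one, on the labelled assumption that the CDM appends its own header after any client-supplied copy. The traffic in `SAMPLE_TRAFFIC` is constructed for the example.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Header-line regex, following the answer's suggestion: anchored "X-Client-IP:"
# followed by a dotted-quad IPv4 address captured in group 1.
X_CLIENT_IP_RE = re.compile(
    r"^X-Client-IP:\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})\s*$", re.IGNORECASE
)


def extract_client_ip(raw_request: str) -> Optional[str]:
    """Return the IPv4 value of the X-Client-IP header in a raw HTTP request.

    If several X-Client-IP headers are present, the LAST one wins. This assumes
    the CDM appends its header after any client-supplied copy (assumption; the
    answer above says this must be verified against the real CDM's behaviour).
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    found = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        m = X_CLIENT_IP_RE.match(line)
        if m:
            found = m.group(1)
    return found


class HitTracker:
    """Sliding-window hit counter: trips when an address reaches `threshold`
    hits whose timestamps all fall within the last `window_seconds` seconds."""

    def __init__(self, threshold: int = 20, window_seconds: int = 60) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)  # ip -> deque of timestamps (seconds)

    def record(self, ip: str, ts: float) -> bool:
        q = self.hits[ip]
        q.append(ts)
        # Drop hits that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) >= self.threshold


def scan_requests(traffic, threshold: int = 20, window_seconds: int = 60) -> dict:
    """Return {ip: timestamp of first trip} for every X-Client-IP address that
    reaches `threshold` hits inside a `window_seconds` sliding window.
    `traffic` is an iterable of (timestamp_seconds, raw_http_request) pairs."""
    tracker = HitTracker(threshold, window_seconds)
    tripped = {}
    for ts, raw in traffic:
        ip = extract_client_ip(raw)
        if ip is None:  # no CDM header: nothing to attribute
            continue
        if tracker.record(ip, ts) and ip not in tripped:
            tripped[ip] = ts
    return tripped


def make_request(client_ip: Optional[str], path: str = "/catalog?page=1",
                 extra_headers=()) -> str:
    """Build a raw GET request (constructed test input, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.1", "Host: www.example.com"]
    lines += list(extra_headers)
    if client_ip is not None:
        lines.append(f"X-Client-IP: {client_ip}")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample: one scraper hitting every 2 s (trips the 20/min limit),
# one client hitting every 5 s (never more than 12 hits in any 60 s window),
# one request with no CDM header, and one request that also carries a
# client-supplied X-Client-IP ahead of the CDM's copy.
SAMPLE_TRAFFIC = (
    [(2 * i, make_request("203.0.113.7", f"/catalog?page={i}")) for i in range(25)]
    + [(5 * i, make_request("192.0.2.5")) for i in range(25)]
    + [(10, make_request(None))]
    + [(11, make_request("203.0.113.7", extra_headers=("X-Client-IP: 10.0.0.1",)))]
)
SAMPLE_TRAFFIC.sort(key=lambda item: item[0])

if __name__ == "__main__":
    for ip, ts in scan_requests(SAMPLE_TRAFFIC).items():
        print(f"{ip} reached 20 hits within 60 s at t={ts}s")
```

Feeding real data into `scan_requests` means pairing each request's arrival time with its raw header block (for example from a web-server log or a packet capture). The sliding window, rather than a fixed per-minute bucket, is what keeps a client that hits exactly 19 times at the end of one minute and 19 times at the start of the next from slipping past the limit.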
