IPS http custom sig

steadj
Level 1

I'm not sure if this is possible, but I have a situation where I'm trying to identify an attacker who is constantly screen scraping my website. The challenge is that the attacker's traffic is first sent to a CDM so the source IP is modified before it gets to me. The CDM inserts a response header (X-Client-IP) into the HTTP request containing the source address of the attacker.

attacker <-> CDM <-> my web server

How would I (or is it even possible) create a custom sig to look at the incoming response header "X-Client-IP" to identify 20 hits from the same attacker in 1 minute? The attacker's address could change at any time, so I can't hard code his IP in the signature's "request regex" variable. I need the system to keep track of all incoming request headers and identify anyone who trips the 20 hit limit.

Thanks in advance!


andrgrif
Level 1

Hello,

To answer your first question, you could create a service-http signature on header-regex of:

^X-Client-IP:

(with perhaps [0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9] for IPv4 addresses).

As for the changing IP addresses, I don't know of any way to handle that within the regex. However, if the X-Client-IP address is within a certain range (i.e., class C/B), you could include that in the regex above.

You might be able to do a suitable alert with event management software, however, I don't know of any way of doing exactly what you want with a single signature (though I may be wrong and it may be possible).

I have some questions which may help with writing a suitable signature though:

How different are the IP addresses used in X-Client-IP?

Have you tested if the CDM passes on the client's X-Client-IP header (if specified), or if it replaces the header completely (or possibly inserts an additional header)?

If the client's X-Client-IP header is honoured, then the client might be inserting random IP addresses to try and trick software using X-Client-IP.
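The per-client rate tracking the original poster asks for, and the spoofing caveat raised in the reply, as an added Python example that is not part of this thread and not a Cisco IPS feature: it reuses the reply's header regex, counts hits per X-Client-IP value in a sliding 60-second window so no address has to be hard-coded, and trusts the header only on connections from an assumed CDN egress range (a constructed placeholder, like the sample traffic and timestamps).

```python
import re
import ipaddress
from collections import defaultdict, deque

HIT_LIMIT, WINDOW_SECONDS = 20, 60  # from the question: 20 hits in one minute
# Assumed CDN egress range (constructed placeholder): X-Client-IP is only trusted
# on connections that really come from the CDN; a direct client could forge it.
CDN_NETWORK = ipaddress.ip_network("203.0.113.0/24")
# The reply's header regex, anchored to one header line and capturing the whole
# IPv4 address ('+' added on the last octet so no digit is dropped).
HEADER_RE = re.compile(
    r"^X-Client-IP:\s*([0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9]+)\s*$", re.M)

def client_ip_from_request(peer_ip, raw_headers):
    """X-Client-IP value if present and the request came via the CDN, else None."""
    if ipaddress.ip_address(peer_ip) not in CDN_NETWORK:
        return None
    m = HEADER_RE.search(raw_headers)
    return m.group(1) if m else None

class ScrapeDetector:
    """Sliding-window hit counter keyed by client IP, so no address is hard-coded."""
    def __init__(self, limit=HIT_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client IP -> timestamps of recent hits

    def observe(self, ts, peer_ip, raw_headers):
        """Record one request; return the client IP once it has tripped the limit."""
        ip = client_ip_from_request(peer_ip, raw_headers)
        if ip is None:
            return None
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # forget hits older than the window
            q.popleft()
        return ip if len(q) >= self.limit else None

def run_sample():
    """Constructed traffic: a scraper, a slow legitimate client, a forged header."""
    det, flagged = ScrapeDetector(), set()
    hdr = "Host: www.example.test\r\nX-Client-IP: %s\r\nUser-Agent: x\r\n"
    for i in range(25):
        # scraper: 25 requests in 25 s via the CDN -> flagged from the 20th hit
        flagged.add(det.observe(1000 + i, "203.0.113.7", hdr % "198.51.100.23"))
        # slow client: one request every 10 s -> never 20 within a minute
        flagged.add(det.observe(1000 + 10 * i, "203.0.113.7", hdr % "198.51.100.40"))
        # direct connection with a forged header -> ignored, never flagged
        flagged.add(det.observe(1000 + i, "192.0.2.9", hdr % "198.51.100.99"))
    flagged.discard(None)
    return flagged
```

The same window logic applies to any other client-identifying header the CDN adds; the source-range check is what keeps a direct client from injecting random addresses, as the reply warns.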
