
UPDATE: The functionality from the custom Lua parser described below is now available within the standard HTTP_lua parser provided from RSA Live.  If you are using this parser in your environment, the custom version attached here (including the app rule) is unnecessary.


Many of you may already be aware of a recent vulnerability known as "Options Bleed".  This vulnerability affects Apache web servers and leaks the contents of server memory via the HTTP OPTIONS request method.  This HTTP method is supposed to return only the list of methods the server accepts (e.g. GET, POST, PUT) to the client.  On misconfigured hosts running an unpatched Apache, fragments of memory are returned in that list along with the valid methods.


See the following post for a good write-up on the details of Options Bleed:

Apache “Optionsbleed” vulnerability – what you need to know – Naked Security 


Attached you will find a custom Lua parser and accompanying Application Rule to detect when this vulnerability is exploited.  The parser inspects the Allow string returned by the web server in response to an OPTIONS request method.  It then identifies whether or not that response is valid.  If it is not, it registers the following meta key/value:


analysis.service = 'garbled http options allow string'
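To illustrate the validity check the parser performs, here is a small stand-alone Python version of the same logic (an added example written for this post, not the attached Lua parser or RSA content; the function names and the two sample responses are constructed). It splits the Allow header of an OPTIONS response into comma-separated elements and flags any element that is not a well-formed HTTP method token, which is what memory leaked into the header looks like.

```python
import re
from typing import Optional

# An HTTP method is an RFC 7230 "token": one or more of these characters.
# Anything else in an Allow element (spaces, colons, control bytes) is not a method.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")

# Meta value the parser described above registers on a bad Allow string.
GARBLED_META = "garbled http options allow string"


def extract_allow_header(response: bytes) -> Optional[str]:
    """Return the raw value of the first Allow header in a response, or None."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            # latin-1 maps every byte 1:1, so leaked binary survives inspection
            return value.strip().decode("latin-1")
    return None


def analyze_options_response(response: bytes) -> dict:
    """Classify the Allow header: {'allow': raw, 'bad_tokens': [...], 'garbled': bool}."""
    raw = extract_allow_header(response)
    if raw is None:
        return {"allow": None, "bad_tokens": [], "garbled": False}
    elements = [e.strip(" \t") for e in raw.split(",")]
    # Empty elements (",GET") are treated as garbled here: a healthy Apache never
    # emits them, and a leaked header typically starts with one (assumption).
    bad = [e for e in elements if not _TOKEN_RE.match(e)]
    return {"allow": raw, "bad_tokens": bad, "garbled": bool(bad)}


def analysis_meta(response: bytes) -> Optional[str]:
    """Meta value a parser would register for this response, or None if clean."""
    return GARBLED_META if analyze_options_response(response)["garbled"] else None


# Constructed sample responses: one clean, one carrying leaked bytes in Allow.
CLEAN = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         b"Allow: GET,POST,OPTIONS,HEAD\r\nContent-Length: 0\r\n\r\n")
GARBLED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
           b"Allow: ,GET,POST,OPTIONS,HEAD,:09:44 GMT\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("garbled", GARBLED)):
        print(name, analyze_options_response(resp), analysis_meta(resp))
```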


In addition, I have provided an application rule which will tie in the presence of this garbled string with some other information about the session:


App rule name: 'options bleed exploit'

App rule logic:  (analysis.session='garbled http options allow string' && service = 80 && action = 'options')

Alert on:  ioc


NOTE: This is custom content created by RSA Professional Services.  It is not officially supported by the RSA Content Team, so please use at your own risk.

This post will be a series of How-To videos and supporting documents on creating custom content for unsupported log event sources in SA.  This will include writing custom File/ODBC typespecs, SNMP transforms, etc.  Producing this content is ongoing, so I will be updating this post with new material as it becomes available.  See the attachments to this post for related files.


Video 1:  Creating a Custom ODBC or File Typespec for Log Collection


Video 2:  Extracting Contents of SNMP Traps from a PCAP
