Suricata can already detect QUANTUMINSERT
like attacks out of the box, using the stream-event
called reassembly_overlap_different_data
.
Combining the stream-event
with a signature detecing a HTTP 302
redirect one could easily detect malicious HTTP redirects.
Ofcourse the payload could also contain other content, such as malicious javascript.
Victor Julien shared the following signatures for detecting QUANTUMINSERT
:
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;)
alert tcp any any -> any any (msg:"LOCAL QI 302 and possible inject"; stream-event:reassembly_overlap_different_data; content:"302"; http_stat_code; classtype:protocol-command-decode; sid:12345; rev:2;)