IDS: Seeking additional information about event
From: Schear, Chris (Schear.Chris@principal.com) Date: 08/20/02
- Previous message: Pedro Paulo Ferreira Bueno: "RES: IDS Training"
- Next in thread: Stanislav Illiogovich: "RE: IDS: Seeking additional information about event"
- Reply: Stanislav Illiogovich: "RE: IDS: Seeking additional information about event"
- Reply: Gary Halleen: "RE: Seeking additional information about event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 19 Aug 2002 17:07:19 -0500 From: "Schear, Chris" <Schear.Chris@principal.com> To: <focus-ids@securityfocus.com>
Greetings
Our Cisco intrusion detection sensors alerted us to a very large number of events via one particular IDS signature, coming from one source this morning between 05:08:06am-06:07:14am CST. Scouring the web for information about the specifics has not been very successful. I was hoping someone could possibly shed some additional light on the subject. Complete packet information is not available and our details are limited to the inherent "context buffer" information provided by our sensors. Normally, I would not be concerned about such an alarm, especially considering its name does not indicate any severe concern - but in that hour we logged a total of 58,976 events from this one source. That number of events is far outside of "normal", even for the most noisy false positives. If anyone has any information about this event, I would appreciate any comments you may have.
------------------------------------------------------
SIGNATURE ID: 5262 - "Large number of Slashes in URL"
SEVERITY: Medium
Source Address: 208.37.113.98
Resolves to: w098.z208037113.nyc-ny.dsl.cnc.net
CONTEXT BUFFER:
///////////////////////////main/welcome2.htm HTTP/1.0
Via: 1.0 HAMILTON4
Host: www.one-of-our-urls.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request
Connection: Keep-Alive
If-Modified-Since:Tue, 07 May 2002 20:36:11 GMT
Victim Context:
x-age=3600
Expires: Mon, 19 Aug 2002 12:17:26 GMT
Connection: keep-alive
Set-Cookie: RANDOM_ID=fc13f8059113422192d0fdecfbdd0bc6; path=/; domain=.ourdomain.com; expires=Thursday, 16-Aug-2012 06:15:19 GMT
ETag: 0a061c18bf7c11:7f8
Content-Length: 0
------------------------------------------------------
The individual's connecting source ports started at 29,223 and increased sequentially to 32,894. Numerous different URLs were within the context buffers, outside of "welcome2.htm". Some additional URLs were:
///////////////////////solutions/457_gov.htm HTTP/1.0
////////////////////////solutions/ps_gov.htm HTTP/1.0
////////////////////////solutions/mp_gov.htm HTTP/1.0
////////////////////////solutions/db_gov.htm HTTP/1.0
////////////////////////solutions/pd_gov.htm HTTP/1.0
///////////////////////solutions/401a_np.htm HTTP/1.0
///////////////////////solutions/Investment.htm HTTP/1.0
Thoughts?
Chris Schear
Principal Financial Group
IS Network Security
www.principal.com
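An added example, not part of the post and not Cisco's signature engine, of how a defender could reproduce the "many slashes in URL" check offline and quantify the volume described above: it flags request lines with a long run of leading slashes, collapses them to a normalized path, counts matches per source, and computes the average event rate for the reported window. The slash threshold and the sample request lines are constructed assumptions; the real signature's cutoff is not stated in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (source IP, request line) shaped like the context
# buffers quoted in the post. Slash runs are built explicitly so counts are known.
SAMPLE_EVENTS = [
    ("208.37.113.98", "/" * 27 + "main/welcome2.htm HTTP/1.0"),
    ("208.37.113.98", "/" * 23 + "solutions/457_gov.htm HTTP/1.0"),
    ("208.37.113.98", "/" * 24 + "solutions/ps_gov.htm HTTP/1.0"),
    ("10.0.0.5", "/main/welcome2.htm HTTP/1.0"),          # normal request
    ("10.0.0.7", "//solutions/Investment.htm HTTP/1.0"),  # harmless double slash
]

SLASH_THRESHOLD = 8  # assumed cutoff; the Cisco signature's real value is not given

_LEADING = re.compile(r"^(/+)")


def leading_slash_count(request_line: str) -> int:
    """Length of the run of '/' characters at the start of the request path."""
    m = _LEADING.match(request_line)
    return len(m.group(1)) if m else 0


def normalize_path(request_line: str) -> str:
    """Strip the method/version and collapse repeated slashes, so ///a and /a compare equal."""
    path = request_line.split(" ", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def matches_signature(request_line: str, threshold: int = SLASH_THRESHOLD) -> bool:
    return leading_slash_count(request_line) >= threshold


def summarize(events, threshold: int = SLASH_THRESHOLD):
    """Return (hits per source, set of normalized paths per source) for matching events."""
    hits, paths = Counter(), {}
    for src, line in events:
        if matches_signature(line, threshold):
            hits[src] += 1
            paths.setdefault(src, set()).add(normalize_path(line))
    return hits, paths


def events_per_second(count: int, start: str, end: str) -> float:
    """Average rate over a same-day window given as HH:MM:SS strings (e.g. the post's 05:08:06 to 06:07:14)."""
    fmt = "%H:%M:%S"
    secs = (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds()
    return count / secs
```

Comparing per-source hit counts and rates like these against a baseline is what separates a burst like the one reported (roughly 16 events per second for an hour) from the occasional noisy false positive.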