RE: IDS: Seeking additional information about event

From: Stanislav Illiogovich (stillio@netscape.net)
Date: 08/20/02

Previous message: Benjamin Robson: "Know your enemy, Virtual Honeynets, Yet more information"
Maybe in reply to: Schear, Chris: "IDS: Seeking additional information about event"
Next in thread: Keith Stewart: "RE: IDS: Seeking additional information about event"
Reply: Keith Stewart: "RE: IDS: Seeking additional information about event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 20 Aug 2002 13:55:38 -0400
From: stillio@netscape.net (Stanislav Illiogovich)
To: Schear.Chris@principal.com (\"Schear, Chris\"), focus-ids@securityfocus.com

Hi Chris,

This sig looks like someone was trying to do a directory traversal. There are a number of older vulns for this whereby using a large number of slashes allowed the perpetrator to read dir information they shouldn't have had access to normally. Example of this can be found at:
http://online.securityfocus.com/archive/1/287722/2002-08-16/2002-08-22/0

Hope this helps

"Schear, Chris" <Schear.Chris@principal.com> wrote:

>Greetings
>
>Our Cisco intrusion detection sensors alerted us to an very large number of events via one particular IDS signature, coming from one source this morning between 05:08:06am-06:07:14am CST. Scouring the web for information about the specifics have not been very successful. I was hoping someone could possibly shed some additional light on the subject. Complete packet information is not available and our details are limited to the inherent "context buffer" information provided by our sensors. Normally, I would not be concerned about such an alarm, especially considering its name does not indicate any severe concern - but in that hour we logged a total of 58,976 events from this one source. That number of events is far outside of "normal", for even the most noisy false positives. If anyone has any information about this event, I would appreciate any comments you may have.
>
>------------------------------------------------------
>SIGNATURE ID: 5262 - "Large number of Slashes in URL"
>SEVERITY: Medium
>
>Source Address: 208.37.113.98
>Resolves to: w098.z208037113.nyc-ny.dsl.cnc.net
>
>CONTEXT BUFFER:
>///////////////////////////main/welcome2.htm HTTP/1.0
>
>Via: 1.0 HAMILTON4
>Host: www.one-of-our-urls.com
>
>User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request
>Connection: Keep-Alive
>If-Modified-Since:Tue, 07 May 2002 20:36:11 GMT
>
>Victim Context:
>x-age=3600
>Expires: Mon, 19 Aug 2002 12:17:26 GMT
>Connection: keep-alive
>Set-Cookie: RANDOM_ID=fc13f8059113422192d0fdecfbdd0bc6; path=/; domain=.ourdomain.com; expires=Thursday, 16-Aug-2012 06:15:19 GMT
>ETag: 0a061c18bf7c11:7f8
>Content-Length: 0
>------------------------------------------------------
>
>The individual's connecting source ports started at 29,223 and increased sequentially to 32,894 Numerous different URLs were within the context buffers, outside of "welcome2.htm". Some additional URLs were:
>///////////////////////solutions/457_gov.htm HTTP/1.0
>////////////////////////solutions/ps_gov.htm HTTP/1.0
>////////////////////////solutions/mp_gov.htm HTTP/1.0
>////////////////////////solutions/db_gov.htm HTTP/1.0
>////////////////////////solutions/pd_gov.htm HTTP/1.0
>///////////////////////solutions/401a_np.htm HTTP/1.0
>///////////////////////solutions/Investment.htm HTTP/1.0
>
>Thoughts?
>
>Chris Schear
>Principal Financial Group
>IS Network Security
>www.principal.com
>
>

__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

Previous message: Benjamin Robson: "Know your enemy, Virtual Honeynets, Yet more information"
Maybe in reply to: Schear, Chris: "IDS: Seeking additional information about event"
Next in thread: Keith Stewart: "RE: IDS: Seeking additional information about event"
Reply: Keith Stewart: "RE: IDS: Seeking additional information about event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

IDS: Seeking additional information about event
... CONTEXT BUFFER: ... Connection: Keep-Alive ... Victim Context: ... ETag: 0a061c18bf7c11:7f8 ...
(Focus-IDS)
Re: Cant get internet working in Linux
... It doesn't use the network at all. ... Many people disable/block ping on their servers. ... The first one resolves to pdns01.minnambalam.com and appears to be OK. ... Your connection is working ...
(comp.os.linux.networking)
RE: Seeking additional information about event
... According to the Network Security Database, ... > inherent "context buffer" information provided by our sensors. ... > Connection: Keep-Alive ...
(Focus-IDS)
Re: Private Address Spaces
... An employee within the LAN launches their web ... What will happen is that the connection fails because the DNS A record ... resolves to an IP that's supposed to be within the same LAN! ... would be blocked at the firewall providing the NAT. ...
(alt.computer.security)
Re: [PHP] phpguru.org back up
... Firefox can't establish a connection to the server at www.phpguru.org. ... Looks like it resolves to an IP, which I can ping, but the ...
(php.general)