RE: IDS: Seeking additional information about event

From: Keith Stewart (kstewart@cisco.com)
Date: 08/22/02


Date: Wed, 21 Aug 2002 17:42:16 -0700
To: stillio@netscape.net (Stanislav Illiogovich), Schear.Chris@principal.com ("Schear, Chris"), focus-ids@securityfocus.com
From: Keith Stewart <kstewart@cisco.com>

That sig was originally created to match an old Apache DoS vulnerability, but remains useful to see someone doing something with HTTP they shouldn't.

http://www.cert.org/vendor_bulletins/VB-98.02.apache

Given the data you sent, I'd be inclined to go along with some of the thoughts put out to the list: some form of directory traversal attempt, or a bug in a bot of some sort. If the cut and paste worked correctly, it's interesting to note that the number of slashes in the samples you provided is not the same in each (it varies from 23 to 27).

Keith

At 01:55 PM 8/20/2002 -0400, Stanislav Illiogovich wrote:
>Hi Chris,
>
>This sig looks like someone was trying to do a directory traversal. There are a number of older vulns for this whereby using a large number of slashes allowed the perpetrator to read dir information they shouldn't have had access to normally. Example of this can be found at:
>http://online.securityfocus.com/archive/1/287722/2002-08-16/2002-08-22/0
>
>Hope this helps
>
>"Schear, Chris" <Schear.Chris@principal.com> wrote:
>
>>Greetings
>>
>>Our Cisco intrusion detection sensors alerted us to a very large number of events via one particular IDS signature, coming from one source this morning between 05:08:06am-06:07:14am CST. Scouring the web for information about the specifics has not been very successful. I was hoping someone could possibly shed some additional light on the subject. Complete packet information is not available and our details are limited to the inherent "context buffer" information provided by our sensors. Normally, I would not be concerned about such an alarm, especially considering its name does not indicate any severe concern - but in that hour we logged a total of 58,976 events from this one source. That number of events is far outside of "normal", even for the most noisy false positives. If anyone has any information about this event, I would appreciate any comments you may have.
>>
>>------------------------------------------------------
>>SIGNATURE ID: 5262 - "Large number of Slashes in URL"
>>SEVERITY: Medium
>>
>>Source Address: 208.37.113.98
>>Resolves to: w098.z208037113.nyc-ny.dsl.cnc.net
>>
>>CONTEXT BUFFER:
>>///////////////////////////main/welcome2.htm HTTP/1.0
>>
>>Via: 1.0 HAMILTON4
>>Host: www.one-of-our-urls.com
>>
>>User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request
>>Connection: Keep-Alive
>>If-Modified-Since:Tue, 07 May 2002 20:36:11 GMT
>>
>>Victim Context:
>>x-age=3600
>>Expires: Mon, 19 Aug 2002 12:17:26 GMT
>>Connection: keep-alive
>>Set-Cookie: RANDOM_ID=fc13f8059113422192d0fdecfbdd0bc6; path=/; domain=.ourdomain.com; expires=Thursday, 16-Aug-2012 06:15:19 GMT
>>ETag: 0a061c18bf7c11:7f8
>>Content-Length: 0
>>------------------------------------------------------
>>
>>The individual's connecting source ports started at 29,223 and increased sequentially to 32,894. Numerous different URLs were within the context buffers, outside of "welcome2.htm". Some additional URLs were:
>>///////////////////////solutions/457_gov.htm HTTP/1.0
>>////////////////////////solutions/ps_gov.htm HTTP/1.0
>>////////////////////////solutions/mp_gov.htm HTTP/1.0
>>////////////////////////solutions/db_gov.htm HTTP/1.0
>>////////////////////////solutions/pd_gov.htm HTTP/1.0
>>///////////////////////solutions/401a_np.htm HTTP/1.0
>>///////////////////////solutions/Investment.htm HTTP/1.0
>>
>>Thoughts?
>>
>>Chris Schear
>>Principal Financial Group
>>IS Network Security
>>www.principal.com
>>
>>
